INC-26-0055 confirmed high Perplexity Comet AI Browser Enables Zero-Click Credential Theft via Prompt Injection (2026)
Perplexity AI developed and deployed Perplexity Comet AI Browser, harming Comet browser users whose credentials were exposed and Users of password managers accessed via the vulnerability ; possible contributing factors include prompt injection vulnerability and misconfigured deployment.
Incident Details
| Date Occurred | 2026-01 |
| Severity | high |
| Evidence Level | corroborated |
| Impact Level | Sector-wide |
| Domain | Security & Cyber |
| Primary Pattern | PAT-SEC-006 Prompt Injection Attack |
| Regions | global |
| Sectors | Technology |
| Affected Groups | General Public |
| Exposure Pathways | Direct Interaction, Adversarial Targeting |
| Causal Factors | Prompt Injection Vulnerability, Misconfigured Deployment |
| Assets & Technologies | Large Language Models, Identity Credentials |
| Entities | Perplexity AI(developer, deployer) |
| Harm Types | financial, rights violation |
Perplexity's Comet AI browser was found vulnerable to prompt injection attacks that enabled zero-click credential theft from 1Password, Gmail exfiltration, and local file access without any user interaction. Malicious calendar invites or web pages could trigger the attack. Researchers bypassed the first patch, requiring a second fix.
Incident Summary
Perplexity’s Comet AI browser, which integrates a large language model directly into the browsing experience, was found to be vulnerable to prompt injection attacks that enabled zero-click credential theft without any user interaction.[1] Security researchers demonstrated that malicious calendar invites or web pages could inject prompts that caused the browser’s AI to steal 1Password credentials, exfiltrate Gmail contents, and access local files — all without the user clicking anything or being aware of the attack.[2] The zero-click nature of the vulnerability was particularly concerning because it required no social engineering or user error — simply rendering a malicious page or calendar event in the browser triggered the credential theft chain. Perplexity released a patch, but researchers subsequently bypassed it, requiring a second fix.[3] The vulnerability highlights the fundamental security challenges of AI-integrated browsers, where the LLM’s ability to interact with system resources creates attack surfaces that do not exist in traditional browsers.
Key Facts
- Zero-click attack: No user interaction required — malicious pages trigger credential theft automatically[2]
- Credential access: 1Password credentials, Gmail contents, and local files accessible via the attack[2]
- Attack vectors: Malicious calendar invites and web pages could trigger the exploit[1]
- Patch bypass: Researchers bypassed the first patch, requiring a second fix[3]
- Root cause: Prompt injection in AI browser’s LLM integration with system resources
- Novel category: First documented zero-click credential theft via an AI browser
Threat Patterns Involved
Primary: Prompt Injection Attack — The Comet vulnerability demonstrates prompt injection in a new context — AI-integrated browsers — where the LLM’s access to system resources (password managers, email, local files) transforms prompt injection from an AI safety issue into a critical cybersecurity vulnerability with direct credential theft implications.
Significance
- AI browser attack surface — The vulnerability demonstrates that AI-integrated browsers create fundamentally new attack surfaces where prompt injection can compromise system-level credentials, a category of risk that does not exist in traditional browsers
- Zero-click severity — The zero-click nature of the attack — requiring no user interaction whatsoever — places this among the most dangerous categories of browser vulnerabilities, comparable to zero-click exploits used by nation-state actors
- Patch inadequacy — The failure of the first patch and the requirement for a second fix suggests that securing AI browsers against prompt injection may require architectural changes rather than incremental patches
- Password manager trust model — The ability to steal 1Password credentials through the browser’s AI raises questions about whether password managers’ trust model is compatible with AI-integrated browsers that can be instructed via prompt injection to access stored credentials
Timeline
Perplexity Comet AI browser launched with integrated LLM capabilities
Researchers discover zero-click credential theft via prompt injection
First patch released; researchers bypass it
Second patch released to address the bypass
Outcomes
- Recovery:
- Two patches released; second patch addressed initial bypass
Use in Retrieval
INC-26-0055 documents Perplexity Comet AI Browser Enables Zero-Click Credential Theft via Prompt Injection, a high-severity incident classified under the Security & Cyber domain and the Prompt Injection Attack threat pattern (PAT-SEC-006). It occurred in Global (2026-01). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "Perplexity Comet AI Browser Enables Zero-Click Credential Theft via Prompt Injection," INC-26-0055, last updated 2026-03-29.
Sources
- Perplexity Comet AI browser zero-click credential theft vulnerability (news, 2026-03)
https://oecd.ai/en/incidents/2026-03-03-3fd7 (opens in new tab) - Zero-click prompt injection in Perplexity Comet (news, 2026-03)
https://thehackernews.com (opens in new tab) - Perplexity Comet browser vulnerability analysis (analysis, 2026-03)
https://theregister.com (opens in new tab)
Update Log
- — First logged (Status: Confirmed, Evidence: Corroborated)