What Is the CometJacking Attack?
In October 2025, researchers uncovered a dangerous new exploit called CometJacking, which abuses AI-powered browsers such as Perplexity AI to steal sensitive information from unsuspecting users.
Unlike traditional phishing, where attackers trick victims into entering credentials, CometJacking enables attackers to inject malicious content into AI browser workflows — allowing them to exfiltrate data with a single click on a crafted link.
This attack highlights the growing risks of combining large language models (LLMs) with browser automation — an emerging frontier for cybercriminals.
How CometJacking Works
CometJacking attacks exploit how AI browsers fetch, summarize, and process live web content.
- Malicious Link Delivery
- Victim receives a link (via email, social media, or chat).
- The link looks legitimate, often disguised as an article or report.
- AI Browser Fetch & Process
- The AI browser fetches the page, thinking it is just summarizing or analyzing it for the user.
- Hidden payloads embedded in the page manipulate the AI process.
- Data Extraction
- Malicious code tricks the AI into exposing session data, cached results, or sensitive information (cookies, auth tokens, search context).
- In some cases, attackers can chain this with prompt injection to run additional malicious queries.
- Stealth Mode
- Victim never sees the malicious activity directly — the AI handles it in the background.
“CometJacking is a perfect storm: it combines classic phishing with AI-specific weaknesses like prompt injection and over-permissive context handling,” says security researcher Dr. Michael Sutton.
Why AI Browsers Are at Risk
AI browsers like Perplexity AI, Arc, and Copilot+ Edge are designed to fetch and reason over live content. That means:
- They often handle third-party scripts without strict sandboxing.
- They maintain context windows that can be hijacked.
- They blur the line between reading and executing.
These factors make them attractive new targets for attackers.
Real-World Impact of CometJacking
The potential consequences of a CometJacking attack include:
- Account Takeover: If cookies or session tokens are exfiltrated.
- Data Harvesting: Private conversations, summaries, and generated reports may be stolen.
- Supply Chain Attacks: Enterprises using AI browsers for research or coding could leak proprietary information.
- Targeted Disinformation: Attackers could poison AI outputs to spread false information.
This is especially dangerous for businesses adopting AI assistants in workflows.
How to Protect Against CometJacking
While AI browser vendors are working on patches, security experts recommend:
- Don’t Auto-Click AI Links
- Treat links inside AI chat results like any other external URL.
- Verify before clicking.
- Use a Secure Browser Sandbox
- Open suspicious links in isolated environments.
- Tools like Chrome’s site isolation or dedicated VMs can reduce risk.
- Clear Session Data Regularly
- Avoid long AI browser sessions where cookies and tokens accumulate.
- Enable Strong MFA
- If tokens are stolen, MFA can still block account takeover.
- Stay Updated
- Watch vendor advisories for Perplexity, Arc, and other AI browsers.
- Apply updates immediately.
Why CometJacking Matters in 2025
This attack is part of a broader trend: AI-driven applications are becoming prime targets.
- 2023–2024: Prompt injection and data poisoning were mostly academic.
- 2025: Real-world exploitation begins, with CometJacking as one of the first high-profile examples.
- 2026 and beyond: Experts expect AI malware ecosystems to emerge, similar to the early days of mobile malware.
“Just as we saw drive-by downloads in the 2000s, we’re now seeing drive-by AI attacks — and CometJacking is the start,” warns Lisa Palmer, a cybersecurity strategist.
