AI Browser Prompt Injection Hands Over Your Sessions

One crafted URL drained Comet's Gmail and ChatGPT Atlas blocked just 5.8% of phishing. Agentic browsers run with all your logged-in sessions, and that is the bug.

The safe, boring thing you do every day with an AI browser, "summarize this page," is the exploit. Not a misconfiguration of it. The feature itself.

I have spent the last month watching the agentic browser category get taken apart in public, and the pattern is consistent enough to state flatly: when you let an AI browser act for you, you have handed a stranger every session you are currently logged into. Not your passwords. Your live, authenticated sessions. Gmail, Calendar, your bank, corporate SSO. The attacker never needs credentials, because the browser already holds them and will act on them when a web page tells it to.

One URL, one drained inbox

The two products everyone is searching for are Perplexity's Comet and OpenAI's ChatGPT Atlas, and they share the same architectural wound.

LayerX disclosed CometJacking on October 4, 2025, after submitting it to Perplexity on August 27. Researcher Aviad Gispan found that an unrecognized collection parameter in the query string flips Comet's assistant from doing a live web search to reading its connected memory instead. Then he base64-encoded the stolen fields, which slipped the result past Perplexity's exfiltration checks. The proof of concept harvested Gmail message content and Calendar metadata and POSTed it to an attacker endpoint. No credential prompt. No interaction past the click on the link.

Perplexity's first response, the same day, was to mark it "Not Applicable." A fix landed around February 2026.

Sit with the shape of that attack for a second, because it is the whole story in miniature. The user did nothing wrong. They clicked a link, which is the one thing the entire web is built to make you do. Everything destructive after the click was the agent faithfully executing instructions that arrived inside content it was asked to read.

This is not one vendor's mistake

It would be convenient if CometJacking were a Perplexity-specific blunder. It is not.

Brave's security team documented "unseeable" prompt injections in October 2025: instructions hidden in screenshots, recovered by the agent's own OCR, then passed to the model as if the user had typed them. The same failure hit Comet, Fellou, and Opera Neon. Three vendors, one root cause. Brave names it precisely, a "failure to maintain clear boundaries between trusted user input and untrusted Web content when constructing LLM prompts while allowing the browser to take powerful actions on behalf of the user."

That sentence is the confused-deputy problem wearing browser chrome. People dress it up as "intent collision." The operator translation is blunter: the read action is now a write primitive. You asked the agent to look at something, and looking became doing.

Trail of Bits reached the same structural conclusion from the other direction. Their February 20, 2026 threat-modeling audit of Comet treats the privilege the agent inherits, not any single parser bug, as the thing that makes the category dangerous. When independent teams using different methods land on the same diagnosis in the same window, that is not a coincidence you patch around.

Why same-origin policy does nothing here

Traditional web security assumed the browser was a passive renderer. That assumption let the same-origin policy wall off evil.example.com from your bank tab. It worked because pages could not reach across origins or act on your behalf.

That assumption is dead in an agentic browser. The agent runs with your authenticated privileges across every open tab and every connected integration at once, so origin boundaries mean nothing to it. A hidden white-on-white instruction, an HTML comment, or near-invisible text inside an image the agent OCRs during a screenshot can steer it into your inbox and back out to an attacker's endpoint. The page does not need to break out of its origin. It just needs to talk to the deputy who already has the keys to all of them.

This is why the phishing numbers are so grim. LayerX measured ChatGPT Atlas blocking only 5.8% of in-the-wild phishing pages, against 47 to 53 percent for Chrome and Edge. The browsers that do less actually protect you more, because they do not turn page content into actions. Of 103 in-the-wild attacks LayerX tested against Atlas, 97 went through. A 94.2% miss rate.

Atlas remembers the attack

Comet's exposure was bad in the moment. Atlas adds persistence, which is worse.

LayerX's "tainted memories" attack, reported under disclosure in December 2025, uses a CSRF request riding your existing logged-in session to write malicious instructions directly into ChatGPT's Memory feature. The injection then survives the tab. It rides across sessions and across devices, and it keeps firing until you manually purge memory. You can close the malicious page, reboot, switch laptops, and the payload is still sitting in the assistant's long-term memory waiting to act.

A normal browser exploit ends when you close the tab. This one moves in.

The vendors are telling you to plan for residual risk

Here is the part most coverage skips, and the part that should actually change your decision. OpenAI is not pretending the problem is solved. It calls prompt injection "one of the most significant risks we actively defend against." The U.K. National Cyber Security Centre has warned the class may never be fully mitigated.

Read that as what it is. The vendor and a national cyber authority are both telling you this is a residual risk you own, not a bug someone is about to close.

The honest counterpoint deserves air. Vendors are shipping mitigations: Perplexity's exfiltration checks, OpenAI's continuous hardening and automated red-team attackers. Those are real, and they raise the cost of an attack. But every mitigation shipped so far has been bypassed by a re-encoding or a new injection channel. CometJacking's base64 trick walked straight through Perplexity's filters. Defenses that fail to a different encoding are speed bumps, not walls. Until the agent's planner is provably isolated from page content, you are betting your authenticated sessions that no one finds the next channel, and the score so far is not in your favor.

What to lock down this week

The decision in front of you is not "which AI browser is safest." It is whether an agentic browser touches authenticated, high-value tenants at all. Prioritized, each with a trigger.

If a device authenticates into anything regulated or revenue-bearing, do not connect agent integrations. Treat Comet and Atlas memory plus Gmail/Calendar OAuth grants as a hard no on those profiles today. This is not hypothetical: CometJacking already exfiltrated connected Gmail with zero credentials.

Inventory who already connected one. In Google Workspace, open Admin Console > Security > API controls > App access control and review third-party OAuth grants for "Perplexity," "Comet," or "ChatGPT." Restrict them to "Trusted" or block. There is no native log that reads "the agent opened this inbox," so the queryable signal is the OAuth grant itself, not an access event. If any grant exists on a sensitive profile, revoke it now.

Detect installs, do not trust policy. Query Intune/MDM app inventory, or run osquery against the apps and programs tables, for the Comet and Atlas bundle identifiers. If more than zero managed devices in a sensitive group return a hit, push a removal or block policy this week.

Watch egress for the exfil shape. CometJacking's tell is base64-encoded payloads in query strings or POST bodies headed to non-allowlisted domains. If your CASB or egress proxy can flag long base64 strings leaving toward unknown hosts, alert on it. That string is the observable artifact of the encode-then-exfiltrate step that beat Perplexity's own filter.

If you build agents, isolate the planner from untrusted content. Never feed page content into the same context that holds tool-calling authority. Run a quarantined summarizer with no tools, read-only, feeding a separate privileged planner, and require explicit human confirmation before any state-changing or cross-origin action. The architectural rule is the only thing that has held across every disclosure above: untrusted text must never reach a component that can act.

The summary for a security review is one sentence. An agentic browser is a logged-in session you handed to whoever controls the next page you visit. Keep them off the machines that matter until the planner is provably walled off from what it reads.

Sources

https://layerxsecurity.com/blog/cometjacking-how-one-click-can-turn-perplexitys-comet-ai-browser-against-you/
https://brave.com/blog/unseeable-prompt-injections/
https://cyberscoop.com/openai-chatgpt-atlas-prompt-injection-browser-agent-security-update-head-of-preparedness/
https://layerxsecurity.com/blog/layerx-identifies-vulnerability-in-new-chatgpt-atlas-browser/
https://blog.trailofbits.com/2026/02/20/using-threat-modeling-and-prompt-injection-to-audit-comet/