Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet

https://brave.com/blog/comet-prompt-injection/

22•drak0n1c•4h ago

Comments

paool•3h ago

Interesting to see the evolution of "Ignore previous instructions. Do ______".

veganmosfet•3h ago

As possible mitigation, they mention "The browser should distinguish between user instructions and website content". I don't see how this can be achieved in a reliable way with LLMs tbh. You can add fancy instructions (e.g., "You MUST NOT...") and delimiters (e.g., "<non_trusted>") and fine-tune the LLM but this is not reliable, since instructions and data are processed in the same context and in the same way. There are 100s of examples out there. The only reliable countermeasures are outside the LLMs but they restrain agent autonomy.

JoshTriplett•3h ago

The reliable countermeasure is "stop using LLMs, and build reliable software instead".

danielbln•1h ago

https://simonwillison.net/2025/Apr/11/camel/

veganmosfet•51m ago

Is the CaMel paper's idea implemented in some available agents?

wat10000•2h ago

It’s not possible as things currently stand. It’s worrying how often people don’t understand this. AI proponents hate the “they just predict the next token” approach, but it sure helps a lot to understand what these things will actually do for a particular input.

_drewpayment•2h ago

I think the only way I could see it happening is if you were to build an entire reversal layer with like LangExtract, tried to determine the user's intent from the question and then used that as middleware for how you let the LLM proceed based on its intent... I don't know, it seems really hard.

isodev•2h ago

I just can’t help but wonder why was it we decided bundling random text generators with browsers was a good idea? I mean it’s a cool toy idea but shipping it to users in a critical application… someone should’ve said no.

thrown-0825•1h ago

our societies reward function is fundamentally flawed

thekevan•48m ago

To be fair, that was a reddit post that blatantly started with "IMPORTANT INSTRUCTIONS FOR Perplexity Comet". I get the direction they are going but the example shown was so obviously ham-handed. It clearly instructed the browser--in clear language--to get login info and post it in the the thread.

Show me something that is obfuscated and works.

mcintyre1994•43m ago

I’m curious if it would work if it was further down the comments or buried in a tree of replies. If all you need to do is be somewhere in the Reddit comments then you don’t need to obfuscate it in many cases, a human isn’t going to see everything there.

Should you use a standing desk? The benefits are real, but seem to vary with age

High priests: why scientists gave magic mushrooms to the clergy

Show HN: A "Catalog of Catalogs" for Unified Metadata

Microsoft Windows 95 Launch with Bill Gates and Jay Leno (1995) [video]

Remembering the Hysteria over Windows 95 Launch, 1995

A visual introduction to big O notation

Elon Musk's X Agrees to Settlements with Former Employees

The biggest chipmaker needs to move beyond Taiwan

Google AI Gemini

Airborne Aircraft Carriers for Observers, Sensors, Antennas – and Other Aircraft

DeepWiki: Understand Any Codebase

Arnold J. Toynbee

How to Fix Your Context

Grok 2.5 is now open source. Grok 3 will be open source in about 6 months

Small Talk

Seed: Interactive software environment based on Common Lisp

Rapid loss of Antarctic ice may be climate tipping point

Show HN: Strapped – A gut wrenching short story about anxiety and inner demons

Neural Nets vs. Cellular Automata

SurrealDB is sacrificing data durability to make benchmarks look better

Half my work is adding a cache

The Swiss Federal Council: A Unique Model of Shared Leadership

In-Memory Filesystems in Rust

Sci-Hub Now Blocked in India

Consumer Rights Wiki Mission Statement

Did the Camera Ever Tell the Truth? [video]

Turning a Decommissioned iPhone into a UniFi Protect Camera

Buy a Faster CPU

Equal Earth – Political Wall Map (2018)

Wildthing – A model trained on role-reversed ChatGPT conversations