In the AI arms race, search and productivity were only the beginning. Browsers are used by billions to access the internet and are now being reimagined with AI at their core. Companies like Perplexity are betting that users want a more intuitive web experience: one where the assistant doesn’t just find answers, but reads, interprets, and summarizes content in real time.
That evolution is being celebrated as the dawn of “agentic browsing.” However, ActiveFence has found that the very intelligence that makes these systems powerful can also make them dangerously obedient.
Comet’s Promise: Trust as a Feature
Perplexity’s Comet browser launched to much fanfare, promoted as an AI-native browsing experience. Millions of users were given early access through free trials and partnerships with PayPal and Venmo. Its premise is simple: a browser that doesn’t just display information but understands it.
Comet builds on Perplexity’s signature approach of credibility through transparency. Its answers cite sources, reducing the uncertainty that plagues most AI tools. Over time, that reliability has fostered user trust, which, ActiveFence has discovered, can be turned against the user.
ActiveFence’s Findings
In a controlled investigation, ActiveFence’s research team tested how Comet processes instructions hidden in web content. The goal wasn’t to exploit or expose users, but to observe behavior. What they discovered was that, under specific conditions, Comet’s assistant could be guided by prompts embedded in the pages it was summarizing.
In essence, Comet couldn’t distinguish what the user asked for and what the webpage told it to do. Instead, it followed both. This subtle confusion open a door where AI could display misleading information, suggest fake upgrade links, or even summarize malicious instructions as if they were legitimate.
The Anatomy of Trust Abuse
The problem isn’t malicious code or a technical bug. Rather, it’s misplaced trust. When an AI model is designed to be helpful, it’s also designed to obey. That obedience becomes a liability when instructions can come from anyone, not just the user.
The research highlights a new type of social engineering: manipulating AI assistants through words, not exploits. A single hidden instruction embedded in a page or document can make an AI behave in ways the developer never intended. It’s subtle, scalable, and far more human than traditional hacking.
A Broader Industry Wake-Up Call
The implications of the research reach far wider. As AI becomes integrated into browsers, document editors, and enterprise tools, these systems are learning to “read” everything users see. Each interpretation carries the potential for unseen influence.
This shift marks a new security frontier: defending the layer between user intent and AI interpretation. It’s no longer about malware or network breaches; it’s about how AI decides what to trust.
The Uneven Playing Field
One detail that stood out in ActiveFence’s findings was the difference between user tiers. Comet’s paid users appear less susceptible to these manipulations, likely because they have access to models with stricter guardrails and configurable settings. Free-tier users, meanwhile, rely on lighter protections.
The researchers argue that this kind of security divide is unsustainable. In a world where AI-powered browsers are expected to serve everyone, basic safeguards should not be a luxury. “Trust,” they note, “shouldn’t be paywalled.”
The Road Ahead
To Perplexity’s credit, there’s no evidence that these vulnerabilities have been exploited in the wild. But ActiveFence’s research is about the principle that any system designed to “act” on a user’s behalf must also question what it’s being told.
The rise of AI browsers is inevitable. They’re fast, capable, and increasingly essential to how we consume information. But as ActiveFence reminds the industry, security cannot lag behind innovation. In an ecosystem built on trust, the smallest hidden prompt can have the loudest consequences.
