This 'Lethal Trifecta' Can Trick AI Browsers Into Stealing Your Data

This ‘Lethal Trifecta’ Can Trick AI Browsers Into Stealing Your Data

This ‘Lethal Trifecta’ Can Trick AI Browsers Into Stealing Your Data

Screenshot of Perplexity's Comet browser.

AI browsers have a critical flaw: They can’t tell safe commands from malicious text. Patches help, but guardrails are essential to keeping your data safe.

Written By
Grant Harvey
Grant Harvey
Aug 25, 2025

Remember when your biggest browser worry was accidentally clicking a sketchy ad? Well, the browser company Brave just exposed a vulnerability in Perplexity’s Comet browser that security experts are calling the “Lethal Trifecta”: When AI has access to untrusted data (websites), private data (your accounts), and can communicate externally (send messages).

Here’s what happened

  1. Researchers discovered they could hide malicious instructions in regular web content (think Reddit comments or even invisible text on websites).
  2. When users clicked “Summarize this page,” the AI would execute these hidden commands like a sleeper agent activated by a code word.
  3. The AI then followed the hidden instructions to:
    1. Navigate to the user’s Perplexity account and grab their email.
    2. Trigger a password reset to get a one-time password.
    3. Jump over to Gmail to read that password.
    4. Send both the email and password back to the attacker via a Reddit comment.
    5. Game over. Account hijacked.

Here’s what makes this extra spicy

This “bug” is actually a fundamental flaw in how AI works. As one security researcher put it: “Everything is just text to an LLM.” So your browser’s AI literally can’t tell the difference between your command to “summarize this page” and hidden text saying “steal my banking credentials.” They’re both just… words.

The Hacker News crowd is split on this. Some argue this makes AI browsers inherently unsafe, like building a lock that can’t distinguish between a key and a crowbar. Others say we just need better guardrails, like requiring user confirmation for sensitive actions or running AI in isolated sandboxes.

Advertisement

Why this matters

We’re watching a collision between Silicon Valley’s “move fast and break things” mentality and the reality that “things” now includes an agent who can access your bank account. And the uncomfortable truth = every AI browser with these capabilities has this vulnerability. Why do you think OpenAI only offers ChatGPT Agent through a sandboxed cloud instance right now?

Now, Perplexity patched this specific attack, but the underlying problem remains: How do you build an AI assistant that’s both helpful and can’t be turned against you?

Brave suggests several fixes

  1. Clearly separating user commands from web content.
  2. Requiring user confirmation for sensitive actions.
  3. Isolating AI browsing from regular browsing.

Until we figure all that out, maybe keep your AI browser away from your banking tabs.

Editor’s note: This content originally ran in the newsletter of our sister publication, The Neuron. To read more from The Neuron, sign up for its newsletter here. And, read a review of Comet.

Grant Harvey

Grant Harvey is the Lead Writer at The Neuron, where he leads daily coverage of artificial intelligence, emerging technologies, AI tools, and industry trends. His work focuses on helping business professionals understand how AI is transforming the workplace and how they can apply new technologies to improve productivity, decision-making, and business performance. Before specializing in AI, Grant spent more than five years covering emerging technology and digital innovation. He combines deep industry research with hands-on testing of AI tools, platforms, and workflows, providing practical insights that help readers separate meaningful advancements from hype. In addition to his editorial work, Grant brings experience from go-to-market and revenue leadership roles across technology startups, including positions in marketing, growth, and business development. This background gives him a unique perspective on how organizations evaluate, adopt, and scale new technologies. Grant is also a co-host of The Neuron: AI Explained podcast, where he breaks down complex developments in artificial intelligence for business audiences. He continues to expand his expertise through ongoing AI education, including MIT xPRO's Generative AI program, while actively exploring the latest advancements in AI applications, automation, and workplace technology. Through his writing and analysis, Grant helps business leaders, knowledge workers, and technology professionals stay informed about the rapidly evolving AI landscape and make smarter decisions about emerging technologies.