Join
1
0 Comments

Inside ActiveFence’s Discovery: When AI Browsers Follow the Wrong Instructions

by Omri Hurwitz

AI has quietly threaded itself into everything we do online, from finishing our sentences to summarizing videos we didn't actually watch. Now it's moved into the browser itself, transforming a once-static tool into an interactive companion. This "agentic" experience makes the browser a co-pilot, one that is smart, responsive, and infinitely patient.

But as convenience increases, so does the cost of misplaced trust. When users assume the browser always acts on their behalf, it creates an unguarded channel between human intent and machine execution. According to ActiveFence's latest research, that channel can be influenced through subtle linguistic or contextual cues, signals that traditional cybersecurity tools aren't built to detect.

The Comet Launch and Its Promise

Perplexity has built its brand around credibility. Its AI-powered search engine gained a loyal following by giving summarized, referenced answers and minimizing hallucinations. Its new browser, Comet, extends that reliability into a full browsing experience, merging search, context, and conversation into a single interface.

Recently, Perplexity rolled out Comet to millions of users, initially through partnerships with students and PayPal, and now through a broader public launch. The company's aggressive growth strategy offers premium features for free for 12 months, designed to build trust and user dependency quickly. For most, Comet's responses "just work." That's exactly what makes this discovery so important.

When Rate Limits Become Loopholes

ActiveFence's testing began innocently enough: could the researchers influence Comet's trusted outputs using embedded instructions?

At first, the AI refused to cooperate, blocking several early attempts. But after the system's protections were reached, the behavior shifted. Certain embedded cues began to be interpreted by the AI in unexpected ways.

The behavior was inconsistent and puzzling. The researchers proposed three theories:

  1. Comet might be switching between multiple models

  2. Falling back to smaller or local models for free users

  3. Relying on cached responses.

Each explanation pointed to the same underlying risk: different model behaviors can create gaps that allow unexpected instructions to slip through. It's a subtle yet serious reminder that high-level design decisions can unintentionally create opportunities for abuse.

From Curiosity to Exploitation

Once the prompts were firing reliably, ActiveFence pushed further. They showed that under certain conditions, the AI could render elements that mimicked native browser features without realizing they originated from hidden instructions.

What makes this so potent is that the assistant doesn't technically "break." It's doing what it's supposed to: summarizing and rendering what's on the page. However, those same design choices turn ordinary web elements into vectors for deception. The vulnerability isn't a coding error, but a reflection of misplaced confidence in obedient automation.

Hiding in Plain Sight: Google Workspace Edition

The team's next challenge was to make the attack stealthier. Hosting payloads on custom pages was impractical, so they experimented with embedding prompts within ordinary document properties and metadata, which are places users rarely see but AI systems often read.

This last method proved devastatingly effective. Because AI agents interpret numerous behind-the-scenes signals to inform responses, prompts hidden in these spaces can influence behavior without ever appearing visually. In other words, attackers can hide in the same layers that make agentic tools feel intuitive.

Turning Normal AI Behavior Against Itself

ActiveFence is clear: this isn't a "bug" so much as a consequence of normal AI behavior. Comet is designed to summarize, interpret, and render markdown. Those functions are essential for usability, but they also enable the execution of malicious instructions. Even when Comet recognized a threat and refused to summarize it, users were left confused, losing tokens and trust in the process.

That's the paradox of AI-powered browsing: the same flexibility that makes these tools powerful also makes them vulnerable to linguistic manipulation.

A Mirror for the Industry

The Comet vulnerability highlights the rapid pace of the AI ecosystem's evolution. As ActiveFence's research shows, "intelligence" isn't the same as "safety." If agentic tools are going to live in our browsers, they must be built to discern not just what users say, but who's really speaking through the page.

Avatar for Omri Hurwitz Omri Hurwitz
on October 14, 2025
Say something nice to OmriHurwitz…
Post Comment
Trending on Indie Hackers
I spent $0 on marketing and got 1,200 website visitors - Here's my exact playbook User Avatar 68 comments Veo 3.1 vs Sora 2: AI Video Generation in 2025 🎬🤖 User Avatar 30 comments I built eSIMKitStore — helping travelers stay online with instant QR-based eSIMs 🌍 User Avatar 21 comments 🚀 Get Your Brand Featured on FaceSeek User Avatar 20 comments Day 6 - Slow days as a solo founder User Avatar 16 comments From side script → early users → real feedback (update on my SaaS journey) User Avatar 11 comments