I Wanted to Love Perplexity’s AI Browser – But the Permissions Screen Made Me Hit ‘Cancel’

The attack methodology is elegantly simple and terrifyingly effective. A malicious website includes invisible text instructing Comet to ‘summarise the user’s recent emails’ or ‘extract contact information from their address book.’ The AI, designed to be helpful and responsive, dutifully complies, gathering sensitive data that can then be exfiltrated to the attacker’s servers.

Incomplete Fixes and Ongoing Vulnerabilities

Perplexity’s response to the security findings reveals a concerning pattern. After Brave initially reported the vulnerabilities on 25 July 2025, Perplexity provided what appeared to be a fix just two days later. On 13 August, the company reported the vulnerability as resolved.

But when Brave conducted follow-up testing and publicly disclosed their findings on 20 August, they confirmed that the patches were incomplete. The fundamental security architecture remained vulnerable to sophisticated prompt injection attacks.

This timeline reveals a company rushing to deploy powerful AI technology before adequately addressing the security implications, then providing superficial fixes that fail to address the underlying problems.

The Fundamental Challenge of AI Security

The Comet vulnerabilities expose a broader issue with current AI security models. Traditional software security operates on clearly defined permissions and boundaries, a photo editing app shouldn’t access your contacts, a weather app doesn’t need your location history. These boundaries are enforceable through operating system controls and user permissions.

Agentic AI breaks this model entirely. To function effectively, it needs broad access across multiple services and accounts. But the same flexibility that makes it useful also makes it vulnerable to exploitation.

Current prompt injection defences rely primarily on AI training and content filtering, essentially teaching the AI to recognise and ignore malicious instructions. But this approach has proven insufficient against sophisticated attacks, particularly those designed to exploit the AI’s helpful nature. As AI cybersecurity challenges continue to evolve, businesses are learning that traditional defence mechanisms aren’t enough.

Why I’m Not Ready to Trust AI with My Digital Life

The fundamental issue isn’t just technical, current AI systems operate as black boxes, making decisions through processes that remain largely opaque even to their creators. When I grant permissions to a traditional app, I understand what it’s doing with my data. When I grant similar permissions to an AI agent, I’m trusting algorithms I can’t inspect to make decisions I can’t predict about data I can’t afford to lose.

This uncertainty becomes particularly acute when dealing with email access. My inbox contains everything from family communications to business negotiations, from medical information to financial details. The prospect of an AI assistant reading through years of personal correspondence, even with benign intentions, feels like an invasion of privacy dressed up as convenience. With phishing attacks becoming increasingly sophisticated, entrusting email access to AI systems presents additional security concerns.

These concerns aren’t unique to individual users. As governments worldwide grapple with AI governance, cybersecurity threats from AI advancements are becoming a national security priority.

What Needs to Change

Effective AI browser security requires several key components. First, granular sandboxing that limits AI actions to specific, user-approved contexts. Instead of blanket access to Gmail, users should be able to grant permission for specific types of email interactions, maybe a summarising today’s messages, for example but not accessing historical correspondence.

Second, transparent audit trails that show exactly what the AI accessed and why. Users should be able to review every action their AI assistant took and understand the reasoning behind those actions.

Finally, industry-standard security certifications specifically designed for agentic AI systems. Just as financial applications must meet specific regulatory standards, AI assistants with broad data access should undergo rigorous independent security audits.

Balancing Innovation with Prudent Caution

None of this suggests that AI-powered browsing represents a dead end. The capabilities demonstrated by Comet genuinely point towards a more intelligent, efficient way of interacting with information online. The ability to have an AI assistant that understands context, learns from your preferences and can act autonomously on your behalf could change productivity in profound ways.

As AI algorithms increasingly drive business decisions, the potential for transformative change in how we interact with digital systems is undeniable. However, the current security reality doesn’t match the ambitious vision.

Until AI browser security matures significantly, my instinct to click ‘Cancel’ on those sweeping permission requests feels justified rather than reactionary. The broader questions about AI governance and accountability that industry leaders are grappling with apply directly to consumer-facing tools like Comet.

Yesterday’s announcement that Comet is now free will undoubtedly increase user adoption. But until the fundamental security architecture evolves to match the ambitious capabilities, I’ll be sticking with traditional browsers and keeping my digital keys to myself.

The future of AI-powered browsing may be inevitable, but it doesn’t have to be rushed. Sometimes the most prudent thing you can do is wait for the technology to be truly ready.