LayerX’s write-ups separate two related vectors. The first is the BioShocking prompt-injection sample: a webpage injects hidden prompts and memory entries that reframe logic (for instance, asserting false axioms) so the assistant treats subsequent malicious instructions as legitimate game goals, then copies a “hidden code” that is actually sensitive data. The second, described in LayerX’s “CometJacking” post, demonstrates a URL-query attack against Perplexity’s Comet in which specially crafted query parameters force the agent to read from its memory/collections, encode the results (for instance, as base64), and POST them to an attacker-controlled endpoint. LayerX documents that an unrecognized collection parameter caused the assistant to read stored connector content (e-mail/calendar/contacts) rather than perform a live web search, enabling exfiltration with a single click.
Editorial analysis: These are distinct but complementary failure modes: (1) contextual reframing that undermines intent filters, and (2) agent flows that accept remote parameters and prioritize memory/connector reads. Both exploit the same core reliance on context and the lack of robust provenance or semantic-integrity checks on inputs (URL parameters, page-injected prompts, and memory entries).
For practitioners: Patterns to watch for and mitigate include strict parsing and whitelisting of URL/query-driven instructions, provenance metadata for memory reads, output sanitization that blocks connector secrets from being copied, and defense-in-depth for connector scopes. Industry teams building or integrating AI browsers and agentic assistants should treat connector data and memory as high-risk I/O and instrument exfiltration detection (for instance, outgoing POSTs containing encoded connector data).
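As an added illustration of the first and last of those mitigations (example code, not LayerX’s or any vendor’s), the Python below sketches an allowlist check for agent query parameters and a detector that flags outgoing POSTs whose base64 payload decodes to connector content; the host names, parameter names and connector lines are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for connector content (e-mail/calendar) the agent can read.
CONNECTOR_SAMPLE = [
    "Subject: Q3 board deck - confidential",
    "alice@example.com invited you to 'Merger sync' at 14:00",
]
# Constructed outbound body: a form field carrying one connector line as base64.
CAPTURED_BODY = "c=" + base64.b64encode(CONNECTOR_SAMPLE[1].encode()).decode()

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # base64 runs of 24+ chars
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def unknown_query_params(url, allowed_params):
    """Return query parameters not on the allowlist (hypothetical agent URL schema)."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(set(qs) - set(allowed_params))


def decode_b64_tokens(text):
    """Decode every base64-looking run in text that yields valid UTF-8."""
    decoded = []
    for tok in B64_TOKEN.findall(text):
        padded = tok + "=" * (-len(tok) % 4)
        try:
            decoded.append(base64.b64decode(padded, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary payload: ignore
    return decoded


def flag_outbound(method, url, body, connector_corpus, allowed_hosts):
    """Reasons an outgoing request looks like encoded connector-data exfiltration."""
    reasons = []
    if method.upper() != "POST":
        return reasons
    host = urlparse(url).hostname or ""
    if host not in allowed_hosts:
        reasons.append(f"POST to non-allowlisted host {host}")
    for plain in decode_b64_tokens(body):
        if any(line in plain for line in connector_corpus):
            reasons.append("base64 body decodes to connector content")
        elif EMAIL.search(plain):
            reasons.append("base64 body decodes to an e-mail address")
    return reasons
```

In a real deployment the corpus check would run against a hash or fingerprint of the user’s connector data rather than the plaintext, and the host allowlist would come from the agent’s configuration.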
What to watch (reported/open): LayerX has published PoCs and disclosure timelines; vendors’ public responses vary by product and are still evolving. Observers should watch for vendor advisories, published patches, and independent reproduction results from third-party auditors.