Perplexity Comet leaks your entire browsing history to their servers, and there’s no way to turn it off.

Screenshot of Proxyman showing leaked URL

Comet’s security and privacy posture is terrible. Much electronic ink has been spilled over Comet’s security holes, including a lot by me, so I won’t go into that too much here except to repeat that prompt injection attacks are essentially trivial to do. Until recently, you could ask Comet to summarize a Reddit post for you, and it could lead to a complete account take over. Maybe one day we’ll come up with better sandboxing for agentic browsing, but until then, you SHOULD NOT be using agentic browsing in any browser where you are logged into your banking or other sensitive accounts. If you’re using the ChatGPT Atlas browser, use logged out mode (and kudos to them for offering that UX affordance).

Disclamer: I lead privacy at Brave browser.

Leaking URLs to the backend

I dug through and turned off every single toggle in Comet browser’s Privacy and Security settings and found that Comet still leaks every URL you visit to their backend. I even turned off Comet Assistant, with no luck.

This is me simply navigating to my website in Comet: no prompting via AI, no asking questions, simply opening a URL.

Screenshot of Proxyman showing leaked URL

Incredibly, I don’t even think this is a bug, since Comet’s privacy policy says that they collect and store basically everything you do in the browser. At least, that’s how I interpet the following:

When you use Comet, we collect and store certain information locally on your system, including:

Interaction data, including browsing history information, such as URLs of pages that you visit, text, images, and other resources from those pages (collectively, “Browsing Data”), permissions you have granted to websites, the number of open tabs and windows, your search queries, records of what you download from websites, and cookies from websites you visit. We use interaction data to provide and improve Comet and recommend relevant content, including using AI tools to help quickly find answers to complex search queries.

That’s some interesting gymnastics with the word “locally”. On first read, I thought they were only storing and collecting information locally, but reading further I think what they really mean is that they “collect on their server, and ALSO store locally” (otherwise how do you “improve Comet and recommend relevant content”?). Extremely confusing at best.

Further on in the privacy policy, they say this:

However, you have the option to block Comet from using this information, as well as browsing history, to improve Comet and search functionality.

The most charitable interpretation I have here is that they will still collect all your browsing data, but they pinky-promise to not do anything with it, iff you proactively disable all the toggles.

Given that this seems like it’s working-as-intended and merely a case of terrible privacy practices and defaults, I didn’t bother reporting it to them.

It sucks that we’re increasingly inured to the sacrifice of our personal data on the altar of the AI-Moloch.

Screen recording

I made a screen recording to show how Comet leaks the URL on navigation to their backend. To be comprehensive, I did the following steps as setup:

Test setup

  1. Verify: the tool I’m using for inspecting HTTPS traffic (Proxyman) doesn’t have any existing recordings for my website (shivankaul.com) in Comet.
  2. Verify: comet://settings/privacy and comet://settings/security have reporting toggles turned off. This includes Improve search suggestions and Improve search results with external search engines.
  3. Do: clear all browsing data, to not bias results.
  4. Verify: the Comet version from comet://version is latest (at time of writing, 141.0.7390.55 on macOS arm64).

Test results

Then for my actual test, I did:

  1. Do: Open a new tab and manually type in shivankaul.com in Comet and press Enter.
  2. Do: Go to Proxyman
  3. Verify: 3 network calls to https://www.perplexity.ai/rest/autosuggest/list-autosuggest?version=2.18&source=default with a request body that contains "source_tab_url": "https://shivankaul.com/".

A positive note: Comet does adblocking!

It was cool to see that Comet uses Brave’s open-source adblock-rust engine and Brave’s filter lists to power their adblocking (though it took a few rounds of back-and-forth with their legal counsel to convince them to attribute the project correctly as required under MPL-2.0).

Screenshot of Comet's about page showing credits to adblock-rust

Screenshot of Comet's credit page showing Brave's list

I can think of two reasons for Comet shipping adblocking:

  1. Adblocking is a table-stakes feature for all browsers, especially newbie ones trying to gain any market share at all.
  2. Agentic browsing benefits from blocking unhelpful cruft on websites. Fewer “subscribe to my newsletter!!!” popups means fewer tokens used by your agent trying to dismiss them, and less likely it’ll get confused trying to find Thanksgiving recipes.

I’m guessing it’s a combination of both.

Sounds like ChatGPT Atlas also plans to ship opt-in adblocking soon. Third-party adblocking is great for security and privacy, so I’m excited to see more browsers offering it.