AI Agent Vulnerabilities Enable Hijacking in Perplexity Comet Browser

Zenity Labs disclosed "PleaseFix," a family of critical vulnerabilities in agentic browsers like Perplexity Comet. These flaws allow attackers to hijack AI agents silently to steal local files and steal credentials from integrated services. 

The vulnerabilities exploit the core design of agentic systems, which interpret untrusted content as executable instructions. This "intent collision" allows malicious prompts to override user intent without any clicks or warnings, turning routine tasks into attack vectors.

Vulnerabilities summary:

• PerplexedBrowser-File - A zero-click indirect prompt injection vulnerability that allows local file exfiltration. Attackers hide instructions in calendar invites that force the agent to use the file:// scheme to browse the host's directory structure. The agent then reads sensitive files and sends the data to an attacker-controlled server by appending it to URL parameters during a standard page load.
• PerplexedBrowser-Auth - A critical authentication abuse vulnerability that targets integrated password managers like 1Password. The agentic browser uses the user's active session to navigate the password vault and reveal stored secrets. Attackers can steer the agent to change the account password and extract the Secret Key, leading to a total account takeover.

The impact of these attacks is extensive because agentic browsers operate with the user's full identity and permissions. Attackers can steal sensitive data including local configuration files and API keys, plain-text notes and password lists, 1Password vault credentials and Secret Keys and Account recovery data and email addresses

Because the agent returns benign output to the user, these actions occur entirely in the background without detection, bypassing traditional endpoint security controls.

The vulnerabilities primarily affect the Perplexity Comet browser on macOS, Windows, and Android. Zenity Labs coordinated with both Perplexity and 1Password to address the risks before public disclosure. Perplexity responded by implementing a "hard boundary" that prevents the agent from accessing local file paths and improved its prompt injection detection. 1Password introduced new hardening options to prevent AI agents from automatically signing into the web vault or autofilling sensitive fields without explicit user confirmation.

Users should update Perplexity Comet immediately to apply the latest security patches. Administrators should manually disable the agent on sensitive domains like 1Password through the browser's assistant settings. It is also vital to enable "Ask before filling" in password manager settings to block autonomous credential access. Since these systems are non-deterministic, organizations should adopt a zero-trust approach toward AI agents that have access to sensitive corporate data and authenticated web sessions.