A Browser That Does What It's Told

Perplexity's Comet is an "agentic browser" - a web browser with a built-in AI agent that can autonomously perform tasks on the user's behalf. The idea is that instead of manually navigating websites, filling out forms, and managing tabs, you can tell the AI agent what you want done and it handles the rest. Need to accept a calendar invite? Ask Comet. Want to look something up? Comet will browse for you, using your authenticated sessions, your credentials, and your local file system access.

The problem, as security researchers at Zenity Labs demonstrated in March 2026, is that Comet's agent will also do what an attacker tells it to do - as long as the instructions are hidden cleverly enough.

A Calendar Invite With Teeth

The attack chain that Zenity Labs documented - dubbed "PleaseFix," an evolution of the social engineering technique known as "ClickFix" - begins with something utterly mundane: a calendar invite. The invite looks entirely legitimate on its face. It contains real-looking names, job titles, and meeting details. Nothing obviously suspicious. The kind of thing that lands in your inbox dozens of times a week.

But below the visible content, separated by large blocks of whitespace that push the malicious payload well off-screen, the invite contains hidden instructions. These instructions are crafted to exploit Comet's internal architecture. The researchers had first extracted Comet's system prompt and discovered that the agent uses a <system_reminder> structure internally to prioritize instructions. By mimicking this format in the calendar invite, the attackers' instructions got treated as high-priority system directives rather than untrusted user content.

A user asks Comet to "handle this invite," and the attack begins silently in the background. No clicks, no confirmation dialogs, no warnings.

The researchers also deployed an additional evasion tactic: writing the hidden instructions in Hebrew rather than English, which reduced the likelihood of triggering English-language safety filters. The instructions were further disguised using narrative framing - presented as a story about "Alice asking her assistant for help" - which made them less likely to be flagged as adversarial content by generic safety mechanisms.

Two Exploits, One Trust Failure

Zenity Labs documented two distinct exploit paths, both triggered by the same kind of innocuous-looking content.

Exploit 1: File System Exfiltration. Once triggered, Comet's agent navigated the user's local file system using file:// URLs, opening sensitive files such as configuration files, API keys, and credentials. The contents were then exfiltrated to an attacker-controlled server by embedding the stolen data in URL parameters - which, to the browser, looks indistinguishable from a normal page request. The agent even returned the expected response to the user (the calendar invite was "handled"), so the victim had no indication anything was wrong.

Exploit 2: 1Password Credential Theft. The second exploit was motivated by a September 2025 partnership between Perplexity and 1Password that integrated the password manager directly into Comet's browser environment. This was particularly consequential because 1Password's browser extension stays unlocked for up to eight hours by default and automatically signs the user into the web interface. Any process running in the authenticated browser context - including Comet's AI agent - inherits access to the entire password vault.

In the demonstrated attack, the agent navigated to the user's 1Password Web Vault, searched stored entries, exposed passwords, and sent the credentials to the attacker. In an escalated variant, the agent changed the account password, extracted the email address and Secret Key, and achieved full account takeover. Multi-factor authentication would block the full takeover scenario, but not the extraction of individual vault entries - which is plenty damaging on its own.

Intent Collision: The Fundamental Problem

What makes PleaseFix particularly unsettling is that none of the demonstrated attacks exploit a traditional software vulnerability. Comet was operating within its intended capabilities, using the user's authenticated browser context. The agent wasn't "hacked" in the conventional sense - it was simply following instructions it couldn't distinguish from the user's own requests.

Zenity calls this problem "Intent Collision." The AI agent receives both legitimate user instructions ("handle this calendar invite") and attacker instructions (hidden in the invite's content) and merges them into a single execution plan. From the agent's perspective, everything it's doing is a legitimate task. This is the core tension in agentic AI systems: the more autonomy you give the agent, the more damage it can do when it can't tell friend from foe.

As Michael Bargury, co-founder and CTO of Zenity, put it: "This is not a bug. It is an inherent vulnerability in agentic systems. Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted."

This framing matters because it redefines the threat model. Traditional browser security focuses on preventing unauthorized code execution. With agentic browsers, the "code" is natural language, the "execution" is the agent following instructions, and the "authorization" is whatever the user has already granted. The attack surface isn't a buffer overflow or a SQL injection - it's the gap between what the user meant and what the agent understood.

The Patch, and Its Limits

Zenity Labs reported the vulnerabilities to Perplexity and 1Password through responsible disclosure in October and November 2025. Both companies responded constructively, according to the researchers.

Perplexity implemented a hard block that prevents Comet from accessing file:// paths at the code level - meaning the restriction is enforced in the browser's source code rather than left as a decision for the language model to make. The researchers specifically praised this approach: Perplexity treats the agentic browser itself as an untrusted entity and restricts its capabilities architecturally.

However, Zenity found a workaround through the view-source:file:/// path after the initial patch, which forced Perplexity to ship a second fix in February 2026. This is a recurring pattern in security: the first patch plugs the obvious hole, and the researchers immediately find the adjacent hole that wasn't obvious until you started looking.

1Password introduced options to disable automatic sign-in and require confirmation before filling passwords, and published a security advisory. The company confirmed that the root cause resided in Perplexity's browser execution model rather than in its own platform - a reasonable distinction, though the practical effect for users is the same either way.

The catch: while Perplexity's hard block on file system access is active by default, the protections from 1Password and Comet's domain-blocking features still require manual configuration by the user. Anyone who doesn't dig into the settings remains exposed. This is the security industry's version of "we fixed it in the settings nobody reads."

The Agentic Trust Problem

PleaseFix is a case study in what happens when AI agents are granted broad permissions and then exposed to untrusted content - which, on the internet, is essentially all content. Calendar invites, emails, web pages, and documents are all potential vectors for the same class of attack. The calendar invite was just the researchers' chosen example.

The fundamental issue isn't Perplexity-specific. Any agentic system that processes external content while holding authenticated access to sensitive resources faces the same trust boundary problem. The agent needs broad capabilities to be useful, but those same capabilities become weapons when the agent's instructions are poisoned. It's prompt injection applied to an agent with real-world permissions, and the consequences scale with whatever access the agent has been granted.

Zenity's recommendation is a zero-trust approach toward agentic browsers: minimal access, maximum distrust. Prompt injection isn't a solved problem, and as AI systems accumulate more autonomy and more access to sensitive resources, the stakes of getting it wrong keep escalating.

For Perplexity, the silver lining is that the company responded quickly and made the right architectural choice by enforcing restrictions in code rather than relying on the language model's judgment. For the broader agentic AI ecosystem, PleaseFix is a warning that the convenience of having an AI agent handle your calendar and browse on your behalf comes with a trust model that nobody has fully figured out yet.