Zenity Labs Discloses PleaseFix Vulnerability Family in Perplexity Comet and Other Agentic Browsers

NEW YORK--(BUSINESS WIRE)--Zenity Labs today disclosed PleaseFix, a family of critical vulnerabilities affecting agentic browsers, including Perplexity Comet, that allow attackers to silently hijack AI agents, access local files and steal credentials within authenticated user sessions. The vulnerabilities can be triggered through malicious content embedded in routine workflows, enabling unauthorized actions without user awareness.

“This is not a bug. It is an inherent vulnerability in agentic systems,” said Michael Bargury, co-founder and CTO of Zenity. “Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted.

Share

The disclosure includes PerplexedBrowser, a subfamily of vulnerabilities in the Perplexity Comet browser that consists of two distinct exploit paths. Both stem from indirect prompt injection techniques but produce materially different outcomes. The first enables zero-click agent compromise that grants access to the local file system and allows data exfiltration while the agent continues returning expected results to the user. The second abuses agent-authorized workflows to manipulate password manager interactions, resulting in credential theft or full account takeover without directly exploiting the password manager itself, such as 1Password.

Agentic browsers represent a new computing model. Unlike traditional browsers that primarily display content, agentic systems interpret instructions, retain authenticated context and autonomously execute actions across applications and services. PleaseFix demonstrates how this expanded capability introduces new security risks by extending user trust into automated workflows, exposing sensitive data, credentials and connected systems in ways existing browser and endpoint controls were not designed to detect.

Zenity Labs’ Discovery

Zenity Labs identified vulnerabilities that allow AI agents to operate autonomously within authenticated browser sessions. When an agent is asked to perform a routine task such as accepting a calendar invite, it can execute actions without human validation and inherit access to data, tools, and workflows the user has authorized. PleaseFix represents the evolution of ClickFix, a social engineering technique in which attackers trick users into executing malicious actions. In this case, the technique is applied to AI agents, allowing malicious actions to be triggered without human involvement.

Exploit 1: PerplexedBrowser: File System Exfiltration

In the first exploit, attacker-controlled content, such as a calendar invite, triggers autonomous execution in the Perplexity Comet browser when a user asks the agent to perform a routine task (a 0-click vulnerability). No prompts or user interaction are required. The agent autonomously accesses the local file system and exfiltrates the contents to an attacker-controlled endpoint, while still returning the expected response to the user.

Exploit 2: PerplexedBrowser: Credential Theft and Account Takeover via Password Managers

The second exploit also begins with an attacker-controlled trigger, allowing the attacker to assume agent privileges and abuse agent-authorized workflows that allow access to password management tools, like 1Password. Without exploiting password managers directly, attackers can manipulate agent task execution to steal individual stored credentials or take over the user’s 1Password account. These actions occur within a legitimate, authenticated session.

Zenity Labs responsibly disclosed the PleaseFix vulnerability and exploits to Perplexity and 1Password and shared findings related to downstream credential abuse with 1Password. Perplexity addressed the underlying browser-side agent execution issue prior to public disclosure. 1Password confirmed that the root cause resides in Perplexity’s browser execution model rather than in its own platform.

“This is not a bug. It is an inherent vulnerability in agentic systems,” said Michael Bargury, co-founder and CTO of Zenity. “Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted. This is an agent trust failure that exposes data, credentials and workflows in ways existing security controls were never designed to see.”

Research Assets

• Zenity Labs technical deep dive: PerplexedBrowser: Perplexity’s Agent Browser Can Leak Your Personal PC Local Files

• Zenity Labs technical deep dive: PerplexedBrowser: How Attackers Can Weaponize Comet to Takeover your 1Password Vault

About Zenity

Zenity is the first security and governance platform purpose built for AI agents spanning SaaS, home grown platforms (Cloud) and end user devices (Endpoint). Trusted by Fortune 500 enterprises, Zenity helps security teams confidently adopt AI by delivering defense in depth with full lifecycle coverage, from agent discovery and posture management to real time detection, inline prevention and response. With an agent centric approach that prioritizes how agents behave, what they access and which tools they invoke, Zenity eliminates blind spots and enforces consistent policy and controls across environments so organizations can innovate with AI without compromising security. Learn more at www.zenity.io.