Researchers have identified a new family of vulnerabilities affecting the Perplexity Comet agentic browser. Two distinct exploit paths enable zero-click agent compromise and credential theft or full account takeover via authorized workflows, including interactions with 1Password.
According to Zenity Labs, the specialized threat research and intelligence arm of cybersecurity company Zenity, PerplexedComet, a zero-click attack against the Comet browser, causes leakage of local files from a user’s machine.
PerplexedComet is part of PleaseFix, a family of critical vulnerabilities that Zenity Labs has identified across agentic browsers from multiple vendors.
Exploiting trust boundaries of AI agents
The newly discovered issues don’t even target a single application bug, the researchers say.
“The attack requires no exploit, no user clicks, and no explicit request for sensitive actions. Comet performs each step as part of what it believes is a legitimate task delegated by the user,” Zenity Labs said in a blog post.
Since the attack is, once again, a zero-click attack, a benign calendar invitation is sufficient. Once the user asks Comet to accept the meeting, the rest of the flow executes without further interaction.
Through indirect prompt injection embedded in trusted calendar content, Comet – recently introduced by Perplexity and available for free on macOS, Windows, and Android – is manipulated to access the local file system, browse directories, open sensitive files, and read their contents.
The agent then exfiltrates the file contents to an external attacker-controlled website using standard browser navigation.
“They exploit the execution model and trust boundaries of AI agents, allowing attacker-controlled content to trigger autonomous behavior across connected tools and workflows,” Zenity Labs said in the post.
In one execution path, the researchers said, Comet issued a warning after the data had already been transmitted. In another, running fully in the background, no warning was shown at all.
Not a 1Password-specific vulnerability
And since Comet doesn’t enforce a hard boundary between user intent and untrusted third-party content and isn’t actually prevented from taking sensitive actions, the agentic browser can be induced to navigate the 1Password Web Vault, reveal stored secrets, and exfiltrate credentials to an attacker-controlled endpoint.
Additionally, “the same execution path can be escalated to a full 1Password account takeover, including changing the account password and extracting recovery material such as the email address and Secret Key,” Zenity Labs said.
The underlying issue is broader, though, and no vulnerability was identified in 1Password: the root cause resides in the browser-side agent execution model.
Check if your data has been leaked
In other words, this is not a 1Password-specific vulnerability but an abuse of the security model of AI browsers since this class of attack takes advantage of the agentic browser inherently acting on the user’s behalf.
“Enterprises are increasingly deploying agentic browsers and AI assistants to automate workflows across applications,” said Zenity Labs researchers, who worked with both Perplexity and 1Password to fix the issues.
“PleaseFix demonstrates how autonomous execution within authenticated sessions can be manipulated, allowing attackers to inherit delegated permissions and operate inside legitimate trust boundaries.”
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked