Logo
Home
News
Tech Grid
Interviews
Anecdotes
Think Stack
Press Releases
Articles
  • Agentic AI

Zenity Discloses PleaseFix Flaws in Perplexity Comet

Zenity Discloses PleaseFix Flaws in Perplexity Comet
  • by: Business Wire
  • |
  • March 4, 2026

Zenity Labs has publicly disclosed PleaseFix, a family of critical vulnerabilities impacting agentic browsers, including Perplexity Comet. These flaws enable attackers to perform zero-click hijacking of AI agents, exfiltrate local files, and steal credentials within authenticated user sessions, including interactions with password managers such as 1Password.

Quick Intel

  • Zenity Labs reveals PleaseFix vulnerabilities in agentic browsers like Perplexity Comet, allowing silent AI agent hijacking via malicious content in routine workflows.
  • Exploits include zero-click local file system access and data exfiltration, where the agent returns normal results to the user while leaking sensitive information.
  • A second exploit abuses agent-authorized workflows to manipulate password manager interactions, enabling credential theft or full account takeover without directly targeting the password manager.
  • The vulnerabilities stem from indirect prompt injection techniques, highlighting inherent risks in agentic systems that autonomously execute actions with inherited user privileges.
  • Perplexity has addressed the browser-side agent execution issue before public disclosure; 1Password confirmed the root cause lies in Perplexity’s model, not its platform.
  • PleaseFix evolves from social engineering techniques like ClickFix, now targeting AI agents directly and bypassing human validation in authenticated sessions.

Critical Risks in Agentic Browser Architecture

Agentic browsers introduce a new computing paradigm where AI agents interpret instructions, maintain authenticated context, and autonomously perform tasks across applications and services. Unlike traditional browsers focused on content display, these systems extend user trust into automated workflows, creating expanded attack surfaces not adequately covered by existing browser or endpoint security controls.

Zenity Labs identified scenarios where attacker-controlled content, such as a malicious calendar invite, triggers autonomous agent execution during routine user requests. This results in zero-click compromises that inherit the full scope of user-authorized access, including local files, tools, and connected services.

“This is not a bug. It is an inherent vulnerability in agentic systems,” said Michael Bargury, co-founder and CTO of Zenity. “Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted. This is an agent trust failure that exposes data, credentials and workflows in ways existing security controls were never designed to see.”

Exploit Details: PerplexedBrowser Subfamily

The PleaseFix family includes PerplexedBrowser, a set of vulnerabilities specific to Perplexity Comet, leveraging indirect prompt injection with two primary exploit paths:

  • File System Exfiltration — Malicious content triggers the agent to autonomously access and exfiltrate local PC files to an attacker-controlled endpoint. The exploit occurs without user prompts or interaction, and the agent continues delivering expected responses, masking the unauthorized activity.
  • Credential Theft and Account Takeover — Attackers assume agent privileges to manipulate authorized workflows involving password managers like 1Password. This enables theft of individual credentials or full vault takeover within legitimate authenticated sessions, without exploiting the password manager platform directly.

These techniques demonstrate how agentic capabilities amplify traditional attack vectors, shifting from user-targeted social engineering to direct agent manipulation.

Zenity Labs responsibly disclosed the vulnerabilities to Perplexity and 1Password. Perplexity resolved the core browser execution issue prior to public release, while 1Password validated that the vulnerability originates in Perplexity’s agent model.

Research Assets

  • Zenity Labs technical deep dive: PerplexedBrowser: Perplexity’s Agent Browser Can Leak Your Personal PC Local Files
  • Zenity Labs technical deep dive: PerplexedBrowser: How Attackers Can Weaponize Comet to Takeover your 1Password Vault

About Zenity

Zenity is the first security and governance platform purpose built for AI agents spanning SaaS, home grown platforms (Cloud) and end user devices (Endpoint). Trusted by Fortune 500 enterprises, Zenity helps security teams confidently adopt AI by delivering defense in depth with full lifecycle coverage, from agent discovery and posture management to real time detection, inline prevention and response. With an agent centric approach that prioritizes how agents behave, what they access and which tools they invoke, Zenity eliminates blind spots and enforces consistent policy and controls across environments so organizations can innovate with AI without compromising security.

  • CybersecurityAI AgentsAgentic BrowsersPerplexity
News Disclaimer
  • Share

Join 110k+ Avid Tech Readers!

Trending tech news, interviews & insights straight to your inbox.