PerplexedBrowser: Accepting a Meeting or Handing Your Local Files to an Attacker?

PerplexedBrowser: Accepting a Meeting Can Also Mean Handing Your Local Files to an Attacker
How a routine calendar invite enabled silent local file access and data exfiltration
Note: This post is part of a coordinated disclosure by Zenity Labs detailing the PleaseFix vulnerability family affecting the Perplexity Comet Agentic Browser. This blog focuses on browser-level autonomous agent execution and session compromise. A companion post examines how these flaws can cascade into downstream agent-authorized workflows, including environments where AI agents are permitted to access and operate password management tools such as 1Password.
Read the companion post here: PerplexedBrowser: Perplexity’s Agent Browser Can Leak Your Personal PC Local Files
- Vulnerability family: PleaseFix
- Vulnerability subfamily: PerplexedBrowser
- Affected environment: Perplexity Comet agentic browser
- Core issue: Insufficient isolation between user commands and untrusted input, ungated access to the user’s local filesystem by an autonomous agent, and allowing file reads and actions without explicit user approval
- Attack vector: Attacker-controlled or manipulated content that causes the agent to execute a routine task and access local resources
- Impact: Full read access to the user’s local files through the agentic browser, with silent exfiltration of data directly to attacker-controlled endpoints
- Status: Fixed prior to public disclosure
Agentic browsers promise to change how we work. Instead of clicking, copying, and navigating manually, users can ask an agent to read pages, accept meetings, follow links, and take actions on their behalf. Tools like Perplexity Comet represent a new class of software: not just browsers, but autonomous operators with access to authenticated sessions, local resources, and enterprise data.
That power also introduces the need for a fundamentally new security model.
Traditional browsers are constrained by design. They can’t autonomously access the local file system, chain actions across tools, or read and interpret page content as instructions. Agentic browsers do all three.
Zenity Labs has discovered PleaseFix, a family of critical vulnerabilities affecting agentic browsers across multiple vendors. This blog focuses on one of three vulnerabilities identified in the PerplexedBrowser subfamily, which impacts Perplexity Comet. Rather than targeting individual applications, these issues exploit the execution model and trust boundaries of AI agents themselves, allowing attacker-controlled content to trigger autonomous behavior across connected tools and workflows.
The Fundamental Risk of Agentic Browsers
Agentic browsers operate at the intersection of three trust boundaries: untrusted web content, high-privilege user identity, and autonomous decision-making driven by LLMs. Unlike traditional browsers, agentic browsers read and interpret full page content, extract interactive elements, and decide which actions to take next. As a result, any webpage, calendar invite, or embedded content becomes part of the threat landscape.
As highlighted by recent industry analysis, including TechCrunch’s coverage of AI browser risks, this model dramatically expands the attack surface. A single malicious instruction hidden in otherwise benign content can redirect the agent’s intent and cause it to take actions the user never approved.
Zenity Labs set out to test how far this risk could be pushed in real-world conditions.
PerplexedBrowser: File System Exfiltration
PerplexedComet exploits a routine workflow most users trust: accepting a calendar invite. By weaponizing this everyday interaction, an attacker can hijack the agentic browser’s intent, bypass browser safeguards, access the local file system, and exfiltrate sensitive data without the user’s awareness.
At a high level, PerplexedComet allows an attacker to:
- Inject malicious instructions into a calendar event
- Hijack an agentic browser’s intent during a normal user task
- Bypass browser safeguards and access the local file system
- Exfiltrate sensitive data without user awareness
The entire attack completes in under a minute.
Impact: Why This Vulnerability Matters
The most important takeaway from PerplexedComet is not that credentials were leaked in a lab setting. It is that agentic browsers collapse the boundary between personal systems, enterprise access, and untrusted content in ways traditional defenses were never designed to handle.
Had this vulnerability not been discovered, attackers could have moved from a single calendar invite to full local access in seconds.
Enterprise Impact
In an enterprise environment, this attack could have led to:
- Credential theft from local files, including developer secrets, cloud tokens, SSH keys, or API credentials
- Lateral movement into internal systems such as GitHub, CI/CD pipelines, ticketing systems, or cloud consoles
- Silent exfiltration of sensitive documents, source code, customer data, or internal strategy files
- Abuse of trusted workflows like meeting invites and collaboration tools
Because the agent acts on the user’s behalf, many of these actions would appear legitimate in logs. There is no malware, no exploit payload, and no suspicious download. The browser agent simply does what it believes is required to complete a task.
Personal Impact
The same attack pattern could expose:
- Personal email credentials
- Password manager exports
- Financial documents or tax records
- Private photos or personal notes
- Authentication tokens for consumer cloud services
What makes this particularly dangerous is the speed and invisibility of the attack. In under a minute, sensitive files can be accessed and transmitted without triggering traditional browser warnings or requiring explicit user approval.
A New Class of Risk Where Detection is Not Enough
This vulnerability does not rely on tricking the user. It relies on tricking the agent.
Although Comet later recognized that something was wrong, the recognition came too late. The data had already left the machine.
As soon as browsers become autonomous, intent becomes the new attack surface. If attackers can redirect what the agent believes it is supposed to do, they can bypass controls designed for manual interaction.
The most concerning aspect of PerplexedComet is that detection did occur. Comet surfaced internal safety warnings during execution. The failure was not awareness, but control.
Once the agent committed to a workflow, it had no safe way to abort before damage occurred. This gap between recognition and prevention is where attackers thrive.
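One way to close the gap between recognition and prevention is to evaluate every agent step before it runs and deny by default, instead of warning while it runs. The sketch below is an added example, not Zenity's or Perplexity's code; the action kinds, field names, source labels and example hosts are all assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical action model: kinds, fields and source labels are assumptions
# made for this example, not Comet's internals.
UNTRUSTED = {"web_page", "calendar_event", "email"}

@dataclass
class Action:
    kind: str    # "navigate", "read_file" or "http_request"
    target: str  # URL or filesystem path
    origin: str  # "user_prompt", or the content source that suggested the step

@dataclass
class Session:
    approved_paths: set = field(default_factory=set)  # explicit user approvals
    allowed_hosts: set = field(default_factory=set)   # hosts the user's task needs
    tainted: bool = False        # untrusted content has steered a step
    touched_local: bool = False  # a local resource was read in this task

def is_local(a):
    return a.kind == "read_file" or urlparse(a.target).scheme == "file"

def gate(s, a):
    """Decide before the action runs. Returns (allowed, reason)."""
    if a.origin in UNTRUSTED:
        s.tainted = True
    if is_local(a):
        if a.target not in s.approved_paths:
            return False, "local file access requires explicit user approval"
        s.touched_local = True
        return True, "approved local read"
    host = urlparse(a.target).hostname
    if host not in s.allowed_hosts:
        if s.touched_local:
            return False, "egress to unlisted host after local read"
        if s.tainted:
            return False, "untrusted content steering agent to unlisted host"
    return True, "ok"

def demo():
    # Constructed trace: the user asks to accept an invite, then content in
    # the invite proposes a local read and an upload to an unrelated host.
    s = Session(allowed_hosts={"calendar.example.com"})
    steps = [
        Action("navigate", "https://calendar.example.com/invite/1", "user_prompt"),
        Action("navigate", "file:///home/user/Documents/", "calendar_event"),
        Action("http_request", "https://collector.example.net/upload", "calendar_event"),
    ]
    return [gate(s, a) for a in steps]
```

Because the decision is returned before execution, a denied step never runs, and the reason string can be logged or surfaced to the user as an approval prompt.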
How Zenity Secures AI Agents Everywhere
Zenity approaches agentic browser security with defense in depth, providing visibility and control across the full agent lifecycle.
Discover Agentic Browsers Everywhere
Zenity automatically identifies agentic browsers such as Comet, ATLAS, Dia, and other AI-powered tools across managed and unmanaged devices, helping teams get ahead of shadow AI.
Endpoint-Level Protection
Zenity’s endpoint agent provides visibility where these attacks occur. It runs with least-privileged permissions, minimal performance impact, and can be deployed silently through standard UEM tools.
Real-Time Guardrails
Security teams can define policies to block risky or unauthorized actions before they execute, including data exposure and unsafe tool use.
Research-Driven Detection
Zenity Labs research informs detections aligned to real agent behavior, covering indirect prompt injection, memory poisoning, identity risk, lateral movement, data disclosure, and destructive actions.
Responsible Disclosure
Zenity Labs followed responsible disclosure practices and worked closely with Perplexity prior to publication.
We are sharing these findings to help the industry better understand the real risks of agentic browsers and to encourage more secure designs moving forward.
What Comes Next
Agentic browsers are here to stay. They will become more capable, more integrated, and more trusted. That makes security foundational, not optional.
Securing them requires visibility into where they run, intent awareness to understand what they are trying to do, and the ability to stop unsafe actions in real time. Zenity will continue researching, disclosing, and defending this rapidly evolving attack surface.
The PleaseFix family exists for a reason. What we disclosed here under the PerplexedBrowser subfamily represents one expression of a broader class of failures that emerge as agents gain autonomy and access. As agentic browsers continue to evolve, so do the ways these execution and trust boundaries can be crossed. Additional subfamilies within PleaseFix are already under active research, and future disclosures will explore how similar patterns manifest in other agentic environments.
Zenity Labs has published deeper technical analyses covering exploit mechanics, execution paths, and remediation considerations associated with the PleaseFix vulnerability family.
Read the full technical deep dives:
- PerplexedBrowser: Perplexity’s Agent Browser Can Leak Your Personal PC Local Files
- How Attackers Can Weaponize Comet to Takeover your 1Password Vault