Researchers at Zenity Labs have disclosed a family of critical vulnerabilities, dubbed “PleaseFix,” affecting agentic browsers, including Perplexity Comet, that could allow attackers to hijack AI-powered browsing agents, access local files, and steal credentials from authenticated sessions.
In two technical write-ups published today, Zenity described how malicious content embedded in routine workflows (such as a calendar invite) can trigger indirect prompt injection.
Prompt injection is a technique where untrusted content is interpreted as instructions by an artificial intelligence model. In this case, the attack requires no additional clicks from the victim.
According to Zenity, one exploit path, called “PerplexedBrowser”, enabled zero-click compromise of the Comet agent. When asked to complete a legitimate task, the model could be manipulated into navigating to local paths, accessing user files and exfiltrating them to an attacker-controlled server, all while returning the response the user expected.
A second exploit chain abused agent-authorized workflows to access data within password management software such as 1Password. Zenity reported that an attacker could trick the agent into accessing stored credentials or potentially take over a vault without exploiting any vulnerability in affected password managers.
Hard Boundaries Introduced After Disclosure
Zenity confirmed it responsibly disclosed the findings to Perplexity and 1Password between October 2025 and February 2026.
Perplexity reportedly implemented a deterministic control preventing its agent from autonomously accessing file:// URLs, effectively blocking local file system traversal-based techniques. The company also strengthened prompt-injection detection and added enterprise guardrails allowing administrators to disable the agent on designated sensitive domains.
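As an added illustration, not code from Perplexity, 1Password or Zenity, the following shows the shape of a deterministic navigation gate of the kind described above: a scheme allowlist that refuses file:// URLs and an administrator-maintained list of sensitive domains on which the agent is disabled. The domains and URLs are constructed placeholders; the decision is made before any model output is consulted.

```python
from urllib.parse import urlsplit

# Deny by default: only web schemes may be fetched autonomously by the agent.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed example of administrator-designated sensitive domains
# (the article names none); the agent is disabled there and on subdomains.
SENSITIVE_DOMAINS = {"vault.example.com", "hr.example.internal"}


def check_navigation(url: str, sensitive=SENSITIVE_DOMAINS) -> tuple[bool, str]:
    """Deterministic gate in front of the agent's navigate/fetch tool.

    Returns (allowed, reason). The verdict never depends on model output,
    so injected instructions in a page or calendar invite cannot argue it away.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()  # "FILE://" must be treated the same as "file://"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '<none>'!r} blocked for autonomous navigation"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    for domain in sensitive:
        d = domain.lower()
        if host == d or host.endswith("." + d):  # exact or subdomain match only
            return False, f"agent disabled on sensitive domain {d}"
    return True, "ok"


def filter_plan(urls):
    """Split an agent's proposed navigation steps into allowed URLs and audit
    records for denied ones. A denied file:// step in the middle of a routine
    task is a strong indicator that the task content carried an injection."""
    allowed, denied = [], []
    for u in urls:
        ok, reason = check_navigation(u)
        if ok:
            allowed.append(u)
        else:
            denied.append((u, reason))
    return allowed, denied


if __name__ == "__main__":
    # Constructed plan: one legitimate step, then steps an injected instruction
    # might have inserted into an otherwise ordinary task.
    plan = [
        "https://docs.example.com/meeting-notes",
        "file:///home/user/Documents/report.pdf",
        "  FILE:///C:/Users/user/Documents/budget.xlsx",
        "https://login.vault.example.com/",
    ]
    ok_urls, audit = filter_plan(plan)
    for u, why in audit:
        print(f"DENIED {u.strip()}: {why}")
```

Every denial is returned as an audit record so it can be forwarded to logging; the gate itself never asks the model whether an exception should be made.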
1Password stated that the root cause resided in the browser’s execution model rather than its own platform. It later introduced additional hardening measures and published a public advisory.
Zenity argued that soft mitigations such as user confirmations are not enough on their own, warning that decision fatigue could undermine such controls. For CISOs and security leaders evaluating AI-enabled browsers, the researchers recommend adopting a zero-trust posture and enforcing hard boundaries by default around sensitive systems.