Executive Summary
In March 2026, Zenity Labs disclosed critical vulnerabilities in Perplexity's AI-powered Comet browser, collectively termed 'PleaseFix.' These flaws allowed attackers to exploit indirect prompt injections, enabling unauthorized access to local files and credential theft without user interaction. By embedding malicious prompts in trusted content, such as calendar invites, attackers could manipulate the AI agent to perform unauthorized actions, including exfiltrating sensitive data and compromising password managers like 1Password. Perplexity addressed these vulnerabilities following responsible disclosure, implementing fixes to prevent autonomous access to local file systems and unauthorized credential manipulation. This incident underscores the inherent security challenges in agentic AI systems, highlighting the need for robust safeguards against prompt injection attacks and the importance of continuous monitoring and updating of AI-driven applications to mitigate emerging threats.
Why This Matters Now
The 'PleaseFix' vulnerabilities in Perplexity's Comet browser highlight the urgent need for enhanced security measures in AI-driven applications. As AI systems become more integrated into daily workflows, the potential for exploitation through prompt injection attacks increases, posing significant risks to data integrity and user privacy. Organizations must prioritize the development and implementation of robust security protocols to safeguard against such vulnerabilities and ensure the safe deployment of AI technologies.
Attack Path Analysis
An attacker embeds a malicious prompt within a calendar invite, which, when processed by the AI browser, leads to unauthorized access and exfiltration of sensitive local files and credentials.
Kill Chain Progression
Initial Compromise
Description
The attacker sends a calendar invite containing a malicious prompt designed to exploit the AI browser's execution model.
MITRE ATT&CK® Techniques
Prompt Injection (Indirect)
Cross-Domain Prompt Injection
Memory-State Poisoning
LLM Jailbreak
Evading ML Model
Unsecured Credentials
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST AI Risk Management Framework (AI RMF) 1.0 – Map AI System and Context
Control ID: MAP-1
NIST AI Risk Management Framework (AI RMF) 1.0 – Measure AI System Trustworthiness
Control ID: MEASURE-2
NIST AI Risk Management Framework (AI RMF) 1.0 – Manage AI Risks
Control ID: MANAGE-3
ISO/IEC 42001:2023 – AI System Security
Control ID: 6.2.1
ISO/IEC 42001:2023 – Data Integrity and Quality
Control ID: 6.3.2
EU Artificial Intelligence Act – Transparency Obligations
Control ID: Article 15
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI browser vulnerabilities enable prompt injection attacks allowing unauthorized file access, password manager compromise, and data exfiltration through autonomous agent exploitation.
Information Technology/IT
Agentic AI browser flaws bypass traditional security boundaries, enabling attackers to manipulate AI agents for lateral movement and privilege escalation attacks.
Financial Services
AI browser hijacking poses critical risks to financial data through password manager takeover and automated exfiltration of sensitive customer information.
Computer/Network Security
Prompt injection vulnerabilities in AI browsers challenge zero trust models by enabling autonomous malicious behavior without explicit user permissions or detection.
Sources
- Researchers discover suite of agentic AI browser vulnerabilities: https://cyberscoop.com/agentic-ai-browsers-allow-hijacking-zenity-labs-comet/
- Zenity Labs Discloses PleaseFix Vulnerability Family in Perplexity Comet and Other Agentic Browsers: https://zenity.io/company-overview/newsroom/company-news/zenity-labs-discloses-pleasefix-perplexedagent-vulnerability
- Perplexity’s Comet AI Browser Can Be Hijacked Through Malicious Instructions: https://beebom.com/perplexity-comet-ai-browser-hijacked-through-malicious-instructions/
- Perplexity's Comet browser faced prompt injection vuln: https://www.theregister.com/2025/08/20/perplexity_comet_browser_prompt_injection/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to exploit the AI browser and exfiltrate sensitive data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to deliver malicious prompts through calendar invites could be constrained, reducing the likelihood of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to gain unintended access to the local file system could be limited, reducing the scope of privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the system could be constrained, reducing the risk of accessing additional sensitive files.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish unauthorized external connections could be limited, reducing the risk of data exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could be constrained, reducing the impact of the breach.
The overall impact of the attack could be reduced, limiting the extent of data breaches and potential exploitation.
Impact at a Glance
Affected Business Functions
- User Data Management
- Authentication Services
- File System Access
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data, including emails, calendar events, and stored passwords, due to AI agent hijacking.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict AI browser access to sensitive resources.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic from AI browsers.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual AI browser behaviors.
- Apply Inline IPS (Suricata) to detect and prevent malicious prompt injections targeting AI browsers.
- Regularly update and patch AI browsers to mitigate known vulnerabilities and reduce attack surfaces.
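
The first two actions above, together with the fix direction described in the summary (no autonomous access to the local file system), can be expressed as a deny-by-default gate on agent-proposed navigation. The sketch below is an added illustration, not code from Perplexity, Zenity Labs or Aviatrix. The function name, the action shape, the host allow-list and the sample URLs are all hypothetical and constructed for the example.

```javascript
// Added illustration: deny-by-default gate for navigation proposed by an AI browser agent.
// Every name here (gateAgentNavigation, the action shape, the host list) is hypothetical.
const ALLOWED_SCHEMES = new Set(["https:"]);
// Constructed allow-list of hosts the agent may reach without asking the user.
const ALLOWED_EGRESS_HOSTS = new Set(["calendar.example.com", "mail.example.com"]);

// action: { url, taintedByUntrustedContent, userConfirmed }
// taintedByUntrustedContent is true when third-party content, such as the body
// of a calendar invite, is present in the agent's context for this task.
function gateAgentNavigation(action) {
  let target;
  try {
    target = new URL(action.url);
  } catch {
    return { allow: false, reason: "unparseable-url" };
  }
  // file: and every other non-HTTPS scheme is out of reach for autonomous actions.
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { allow: false, reason: "scheme-blocked:" + target.protocol };
  }
  // URLs with embedded userinfo (https://user:pass@host) are rejected outright.
  if (target.username || target.password) {
    return { allow: false, reason: "userinfo-in-url" };
  }
  if (ALLOWED_EGRESS_HOSTS.has(target.hostname.toLowerCase())) {
    return { allow: true, reason: "allow-listed-host" };
  }
  // Any other destination needs an explicit user decision; the reason records
  // whether untrusted content was in context, which is worth alerting on.
  if (action.userConfirmed === true) {
    return { allow: true, reason: "user-confirmed" };
  }
  return {
    allow: false,
    reason: action.taintedByUntrustedContent
      ? "untrusted-context-needs-confirmation"
      : "off-list-needs-confirmation",
  };
}

// Constructed sample actions, as an agent might propose them after reading an invite.
const SAMPLE_ACTIONS = [
  { url: "file:///home/user/Documents/notes.txt", taintedByUntrustedContent: true, userConfirmed: false },
  { url: "https://collector.example/upload?d=abc", taintedByUntrustedContent: true, userConfirmed: false },
  { url: "https://calendar.example.com/event/42", taintedByUntrustedContent: true, userConfirmed: false },
];
for (const a of SAMPLE_ACTIONS) {
  const d = gateAgentNavigation(a);
  console.log(d.allow ? "ALLOW" : "DENY ", d.reason, a.url);
}
```

Denials with the reason `untrusted-context-needs-confirmation` are the ones to forward to detection tooling, since they mark an off-list destination requested while third-party content was driving the agent.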



