Zenity Labs disclosed PleaseFix, a family of critical vulnerabilities affecting agentic browsers, including Perplexity Comet, that allow attackers to hijack AI agents, access local files, and steal credentials within authenticated user sessions. The vulnerabilities can be triggered through malicious content embedded in routine workflows, enabling unauthorized actions without user awareness.

The disclosure includes PerplexedBrowser, a subfamily of vulnerabilities in the Perplexity Comet browser that consists of two distinct exploit paths. Both stem from indirect prompt injection techniques but produce materially different outcomes.

The first enables zero-click agent compromise that grants access to the local file system and allows data exfiltration while the agent continues returning expected results to the user. The second abuses agent-authorized workflows to manipulate password manager interactions, resulting in credential theft or full account takeover without directly exploiting the password manager itself.

Agentic browsers represent a new computing model. Unlike traditional browsers that primarily display content, agentic systems interpret instructions, retain authenticated context and autonomously execute actions across applications and services.

PleaseFix demonstrates how this expanded capability introduces new security risks by extending user trust into automated workflows, exposing sensitive data, credentials and connected systems in ways existing browser and endpoint controls were not designed to detect.

Zenity Labs’ discovery

Researchers identified vulnerabilities that allow AI agents to operate autonomously within authenticated browser sessions. When an agent is asked to perform a routine task such as accepting a calendar invite, it can execute actions without human validation and inherit access to data, tools, and workflows the user has authorized.

PleaseFix represents the evolution of ClickFix, a social engineering technique in which attackers trick users into executing malicious actions. In this case, the technique is applied to AI agents, allowing malicious actions to be triggered without human involvement.

“This is an inherent vulnerability in agentic systems,” said Michael Bargury, CTO of Zenity. “Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted. This is an agent trust failure that exposes data, credentials and workflows in ways existing security controls were never designed to see.”

Exploit 1

In the first exploit, attacker-controlled content, such as a calendar invite, triggers autonomous execution in the Perplexity Comet browser when a user asks the agent to perform a routine task (a 0-click vulnerability).

No prompts or user interaction are required. The agent autonomously accesses the local file system and exfiltrates the contents to an attacker-controlled endpoint, while still returning the expected response to the user.

Exploit 2

The second exploit also begins with an attacker-controlled trigger, allowing the attacker to assume agent privileges and abuse agent-authorized workflows that allow access to password management tools. Without exploiting password managers directly, attackers can manipulate agent task execution to steal individual stored credentials or take over the user’s account. These actions occur within a legitimate, authenticated session.

Zenity Labs responsibly disclosed the PleaseFix vulnerability and exploits. Perplexity addressed the underlying browser-side agent execution issue prior to public disclosure.

