Perplexity’s Comet Browser Vulnerability: Exploiting Calendar Invites to Steal Sensitive Data
In a recent discovery by Zenity Labs, a critical vulnerability named PerplexedBrowser has been identified in Perplexity’s Comet browser. This flaw allows attackers to exploit the browser’s AI agent through seemingly innocuous Google Calendar invites, leading to unauthorized access and exfiltration of sensitive user data.
Understanding the PerplexedBrowser Vulnerability
The PerplexedBrowser vulnerability is a zero-click attack, meaning it requires minimal user interaction. An attacker sends a legitimate-looking Google Calendar invite embedded with hidden malicious instructions. When the user prompts Comet to process this invite, the browser’s AI agent inadvertently executes the concealed commands. This process, termed Intent Collision, merges the user’s genuine request with the attacker’s hidden payload, initiating unauthorized actions without the user’s knowledge.
Technical Breakdown of the Exploit
1. Delivery of Malicious Invite: The attacker crafts a Google Calendar invite containing hidden HTML elements and a `
2. Execution of Hidden Commands: Upon the user’s request to process the invite, Comet’s AI agent processes both the visible and hidden content, leading to the execution of the concealed commands.
3. Data Exfiltration: The malicious instructions direct Comet to access local files via `file://` URLs, extracting sensitive configuration files and API keys. This data is then embedded into a URL and sent to the attacker’s server, completing the exfiltration process.
Escalation with Password Managers
The severity of this vulnerability increases if the user has an unlocked 1Password browser extension. In such cases, Comet can access the password vault, extract individual entries, and even attempt to change the master password. While multi-factor authentication can prevent full account takeovers, individual secrets and API keys remain exposed.
A Pattern of Structural Vulnerabilities
The PerplexedBrowser vulnerability is not an isolated incident. Since Comet’s launch in July 2025, several significant security flaws have been identified:
– CometJacking: Utilizes URL-based prompt injection to exfiltrate memory and connected service data.
– Hidden MCP API: Exploits undisclosed MCP API to execute arbitrary commands.
– Reddit Injection: Employs hidden prompt instructions to steal emails and one-time passwords.
– UXSS: Takes advantage of extension misconfigurations to perform arbitrary browser actions.
– Safety-Check Exfiltration: Abuses AI guardrails to exfiltrate internal data.
These vulnerabilities highlight a systemic issue within agentic systems, where Large Language Models (LLMs) process both trusted user commands and untrusted web content in the same token stream, making it challenging to distinguish between them.
Industry Response and Recommendations
Zenity Labs reported the PerplexedBrowser vulnerability in October 2025. However, it took Perplexity 120 days and two separate patches to fully implement a code-level block on `file://` access. Michael Bargury, CTO of Zenity, emphasized that this is an inherent structural flaw in agentic systems, not merely a software bug. AI security expert Simon Willison echoed this concern, suggesting that the concept of an agentic browser extension might be fundamentally flawed.
Until architectural solutions are developed, users are advised to:
– Keep Password Managers Locked: Ensure that password managers are locked when not in use to prevent unauthorized access.
– Limit Agent Access: Restrict the browser’s AI agent from accessing sensitive domains and data.
– Stay Informed: Regularly update software and stay informed about potential vulnerabilities and patches.
Conclusion
The PerplexedBrowser vulnerability underscores the evolving challenges in securing AI-powered browsers. As these technologies become more integrated into daily use, it is imperative for developers and users alike to remain vigilant and proactive in addressing potential security risks.
