The Flaw That Makes Your AI Agent Betray You

Zenity Labs has revealed PleaseFix, a series of critical vulnerabilities that impact agentic browsers, including Perplexity Comet. These vulnerabilities enable attackers to hijack AI agents, access local files, and steal credentials during authenticated user sessions. The issues can be triggered by malicious content embedded in routine workflows, allowing unauthorized actions to occur without the user's awareness.

The disclosure highlights a subfamily known as PerplexedBrowser, which consists of two distinct exploit pathways. Both pathways arise from indirect prompt injection techniques, yet they yield significantly different results.

The first exploit allows for a zero-click agent compromise that provides access to the local file system, facilitating data exfiltration while the agent presents expected results to the user. The second exploit takes advantage of agent-authorized workflows to interfere with password manager interactions, leading to credential theft or complete account takeover without directly targeting the password manager itself.

Agentic browsers represent a new computing paradigm. Unlike traditional browsers that mainly display content, agentic systems interpret instructions, maintain an authenticated context, and autonomously execute actions across various applications and services.

The PleaseFix vulnerabilities illustrate how this expanded functionality introduces new security threats by extending user trust into automated workflows. This exposes sensitive data, credentials, and connected systems in ways that existing browser and endpoint defenses were not designed to detect.

Discovery by Zenity Labs

Researchers have identified vulnerabilities that allow AI agents to operate autonomously within authenticated browser sessions. When an agent is tasked with performing routine functions, such as accepting a calendar invite, it can execute actions without human validation, inheriting access to the data, tools, and workflows that the user has authorized.

PleaseFix represents an evolution of ClickFix, a social engineering tactic where attackers deceive users into executing malicious actions. In this instance, the technique is adapted for AI agents, enabling malicious actions to be initiated without human involvement.

“This is an inherent vulnerability in agentic systems,” stated Michael Bargury, CTO of Zenity. “Attackers can inject untrusted data into AI browsers and take control of the agent itself, inheriting whatever access it has been granted. This is a failure of agent trust that exposes data, credentials, and workflows in ways existing security controls were never designed to detect.”

Exploit 1

The first exploit uses attacker-controlled content, such as a calendar invite, to trigger autonomous execution in the Perplexity Comet browser when a user asks the agent to perform a routine task, making it a zero-click compromise.

No prompts or user interaction are necessary. The agent autonomously accesses the local file system and exfiltrates the contents to a location controlled by the attacker, all while still providing the expected response to the user.

Exploit 2

The second exploit also begins with an attacker-controlled trigger, allowing the attacker to assume agent privileges and manipulate workflows authorized for password management tools. Without directly exploiting the password managers, attackers can manipulate agent task execution to steal individual stored credentials or completely take over the user's account, all within a legitimate, authenticated session.

Zenity Labs has responsibly disclosed the PleaseFix vulnerabilities and their associated exploits. Notably, Perplexity addressed the underlying browser-side agent execution issue prior to the public disclosure.
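
The two exploit pathways above share one defensive choke point: the actions an agent takes after untrusted content has entered its context. The sketch below is an added example, not Zenity's or Perplexity's code and not the fix Perplexity shipped; it shows a default-deny action gate that tracks taint and blocks local file access, off-task network destinations, and password manager workflows. The class, function, action kinds, and hostnames are all hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class AgentSession:
    """Per-task state for a hypothetical agent action gate."""
    allowed_hosts: set  # hosts the user's task legitimately needs
    taint_sources: list = field(default_factory=list)

    def ingest(self, source: str, trusted: bool) -> None:
        # Anything the user did not type (invite bodies, page text, e-mail)
        # is data, not instructions; record that it entered the context.
        if not trusted:
            self.taint_sources.append(source)

    @property
    def tainted(self) -> bool:
        return bool(self.taint_sources)

def decide(session: AgentSession, kind: str, target: str = "") -> str:
    """Return 'allow', 'confirm' (ask the human) or 'deny' for one agent action."""
    url = urlparse(target)
    if kind == "navigate" and url.scheme == "file":
        # Local file system access is never silent, and blocked once tainted.
        return "deny" if session.tainted else "confirm"
    if kind == "password_manager":
        # Credential workflows need human approval at minimum.
        return "deny" if session.tainted else "confirm"
    if kind in ("navigate", "http_request"):
        if url.scheme not in ("http", "https"):
            return "deny"
        if (url.hostname or "") in session.allowed_hosts:
            return "allow"
        # Off-task destination: a possible exfiltration path when tainted.
        return "deny" if session.tainted else "confirm"
    return "deny"  # default-deny unknown action kinds

def demo() -> list:
    # Constructed scenario: the user asks the agent to accept a calendar invite.
    s = AgentSession(allowed_hosts={"calendar.example"})
    s.ingest("calendar invite body", trusted=False)
    actions = [
        ("navigate", "https://calendar.example/invite/accept"),
        ("navigate", "file:///home/user/notes.txt"),
        ("http_request", "https://collector.example/upload"),
        ("password_manager", ""),
    ]
    return [decide(s, kind, target) for kind, target in actions]

if __name__ == "__main__":
    print(demo())
```

The gate sits outside the model, so injected text cannot talk its way past it; the on-task navigation is still allowed, which keeps the routine workflow usable.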
