Security researchers discovered that Perplexity's Comet browser allowed attackers to steal local files and potentially access password vaults through malicious calendar invitations, highlighting critical security risks in AI browsing agents.
Until February of this year, attackers could have stolen sensitive information from users of Perplexity's Comet browser simply by sending a calendar invitation. The vulnerability, discovered by security researchers at Zenity Labs, represents a significant privacy breach that could have allowed unauthorized access to users' local files and even their 1Password vaults if not protected by two-factor authentication.

The Vulnerability Explained
In October 2025, Michael Bargury, CTO of Zenity Labs, identified two critical security flaws in Perplexity's AI browsing agent. "One problem was Perplexity didn't put a restriction on the AI agent reaching out to anything on the file system," Bargury explained. The browser could access the file:// protocol, granting it unrestricted access to files on the user's local machine.
Unlike traditional JavaScript applications, which are restricted by cross-origin policies to prevent unauthorized access to local files, AI browsers like Comet appear to bypass these fundamental security measures. This means the AI agent could be instructed to access files without user permission or notification.
The Attack Vector
The most concerning aspect of this vulnerability was how easily it could be exploited. Attackers could craft a malicious calendar event invitation that, when interacted with by the victim, would trigger the AI agent to perform unauthorized actions.
"The only thing we need is for the user to do any sort of interaction with the calendar invite or with our calendar," Bargury noted. "People normally interact with calendar invitations, so this isn't like a social engineering attack that requires convincing someone to visit a malicious site."
The researchers demonstrated this by creating a Google Calendar invitation that appeared normal at first glance, containing meeting details, times, and participants. However, after numerous newline characters to hide the malicious content, they included HTML code for a button pointing to a website with instructions in Hebrew (chosen because non-English content often bypasses AI guardrails).
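A defender-side check for the invitation layout described above, as an added example that is not from Zenity's report or from Perplexity: it flags a calendar description that pushes content below a long run of newlines and carries interactive HTML. The function name, the threshold and both sample invitations are assumptions constructed for illustration.

```javascript
// Added example: heuristic scan of a calendar event description.
// PADDING_RUN is an assumed threshold, not a value from the article.
const PADDING_RUN = 10; // consecutive newlines treated as hiding padding

function scanDescription(description) {
  const findings = [];
  // Normalise line endings and drop whitespace-only lines' spaces.
  const text = description.replace(/\r\n?/g, "\n").replace(/[ \t]+\n/g, "\n");

  // Rule 1: a long newline run followed by more content, i.e. text
  // pushed below what a person sees in the invitation preview.
  const pad = new RegExp(`\\n{${PADDING_RUN},}(?=[^\\n])`).exec(text);
  if (pad) {
    findings.push({ rule: "newline-padding", offset: pad.index, length: pad[0].length });
  }

  // Rule 2: interactive HTML or links in a field that should hold meeting notes.
  const tagRe = /<\s*(button|a|form|input|iframe|script)\b[^>]*>/gi;
  for (const m of text.matchAll(tagRe)) {
    findings.push({
      rule: "html-element",
      tag: m[1].toLowerCase(),
      afterPadding: Boolean(pad) && m.index > pad.index,
    });
  }
  return findings;
}

// Constructed samples: normal-looking details, padding, then a button link.
const SAMPLE_INVITE =
  "Quarterly planning sync\nWhen: Tuesday 10:00\nWho: alice@example.com" +
  "\n".repeat(40) +
  '<a href="https://untrusted.example/page"><button>Open agenda</button></a>';
const CLEAN_INVITE = "Weekly 1:1\n\nAgenda:\n- roadmap\n- hiring";

console.log(scanDescription(SAMPLE_INVITE));
console.log(scanDescription(CLEAN_INVITE));
```

A hit is a reason to withhold the description from the agent's context or show it to the user in full, not proof of an attack.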
Password Manager Compromise
The second vulnerability identified by Zenity researchers was even more alarming. "Once the 1Password extension is installed in the Comet browser and is unlocked, we can actually instruct Comet to go to the extension URL and then hijack your 1Password account – full takeover of your 1Password account, which is the worst thing that can happen," Bargury explained.
This attack doesn't represent a flaw in 1Password's security design, which properly prevents external attackers. Rather, it exploits the fact that the browser already has legitimate access to the password manager when it's unlocked, allowing the compromised AI agent to perform actions within that authenticated session.
The Technical Challenge: Prompt Injection
Both vulnerabilities stem from a broader, unsolved issue in AI systems known as indirect prompt injection. AI agents struggle to distinguish between legitimate system instructions and malicious content from untrusted sources.
"It's more accurate to think about this as persuasion rather than prompt injection because injection is a very technical term," Bargury said. "It's not just a technical thing – you just talk to it and you convince it that what you actually need is to do [some malicious action]."
AI browsers represent a particular security concern because they dramatically expand the attack surface. "Anything that you put out on the internet that the user interacts with is being fed into the LLM's context," Bargury explained. "And so the attack surface is massive."
Regulatory Implications
While the reporting on this flaw does not mention any legal action, vulnerabilities of this nature could have significant regulatory implications under data protection frameworks like the GDPR and CCPA. Organizations that fail to implement appropriate technical and organizational measures to protect personal data can face substantial fines and penalties.
Under GDPR, for example, Article 32 requires organizations to implement security measures appropriate to the risk, including encryption and pseudonymization of personal data. The failure to restrict access to local files containing potentially personal information could constitute a violation of this requirement.
Response and Remediation
According to Zenity's report, Perplexity was notified of the vulnerability on October 22, 2025. The company implemented an initial fix on January 23, 2026, which researchers quickly discovered could be bypassed using the prefix "view-source:file:///Users/".
A second, more comprehensive patch was released on February 13, 2026, which appears to have fully addressed this particular attack vector. 1Password also responded by publishing a security advisory at the end of January and implementing additional security hardening measures.
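The view-source: bypass shows why a navigation filter keyed on one blocked prefix is fragile. The added example below is not Perplexity's code, and the article does not say how either patch was implemented; it contrasts an assumed prefix blocklist with a parse-then-allowlist guard. The function names, the sample URLs and the Chromium-style extension scheme are assumptions.

```javascript
// Added example: navigation guard for an agent-driven browser.
// Only schemes the agent has a reason to load are allowed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Weak form (assumed, for contrast): block anything that literally
// starts with "file://".
function naiveGuard(target) {
  return !target.toLowerCase().startsWith("file://");
}

// Hardened form: parse with the same URL rules the browser uses,
// then allow only known web schemes. Wrapper schemes, extension
// pages and anything unparseable are refused by default.
function strictGuard(target) {
  let parsed;
  try {
    parsed = new URL(target);
  } catch {
    return false; // fail closed on input that does not parse
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed sample targets. The view-source: entry is the prefix
// quoted in the article; the extension id is a placeholder.
const SAMPLES = [
  "https://calendar.example/event/123",
  "file:///Users/",
  "view-source:file:///Users/",
  "  FILE:///Users/",
  "chrome-extension://placeholder-extension-id/index.html",
];

// Returns one row per target: true means the guard lets it through.
function compare(targets) {
  return targets.map((t) => ({ target: t, naive: naiveGuard(t), strict: strictGuard(t) }));
}

for (const row of compare(SAMPLES)) {
  console.log(`${JSON.stringify(row.target).padEnd(60)} naive=${row.naive} strict=${row.strict}`);
}
```

The blocklist stops only the plain file:// entry, while the allowlist permits only the https:// one.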
Broader Industry Concerns
This vulnerability is not an isolated incident. LayerX, another security firm, raised similar concerns about Claude Desktop Extensions being vulnerable to manipulation through calendar event entries. Bargury noted that Zenity researchers were among the first to identify calendar entries as an attack surface, presenting findings about ChatGPT Enterprise and Gemini at Black Hat conferences in August 2025.
The Future of AI Browser Security
"I think we all understand from the get-go that AI browsers are risky, but AI is risky in general and still of course we have to use AI, right?" Bargury reflected. "AI browsers have gotten a lot of scrutiny. Gartner came out with a report about them. The industry has looked at them a lot. I think what we're missing is just to show the impact."
As AI browsers become more prevalent, security researchers emphasize the need for greater awareness of their risks and the development of appropriate mitigations. Users and organizations must understand these vulnerabilities to implement proper safeguards and make informed decisions about their use of AI-powered browsing technologies.
The vulnerability in Perplexity's Comet browser serves as a stark reminder that as we embrace AI-powered tools, we must also develop robust security frameworks to protect user privacy and data integrity in this new technological landscape.
