Perplexity Comet flaw let a calendar invite steer the AI browser into leaking local data
A malicious calendar invite was enough to steer Perplexity’s Comet browser into reading local files and sending their contents to an attacker-controlled site, according to new research from Zenity Labs. The researchers say the attack worked after the user asked Comet to handle a routine meeting task, because the browser’s AI agent mixed the user’s request with hidden attacker instructions inside the invite. Perplexity has already patched the file-access path used in the attack.
The key point is that this was not a classic software exploit in the usual sense. Zenity says Comet followed its normal execution model and used capabilities it already had, including autonomous task handling and browser navigation. That is why the researchers frame the issue as a deeper agent-security problem, not just a one-off coding bug.
Zenity calls this issue part of its PleaseFix family of agentic browser vulnerabilities. In the Comet case, the first attack path focused on local file exfiltration, while a separate path targeted 1Password workflows inside an authenticated browser session. Zenity says Perplexity fixed the browser-side file access issue before public disclosure.
What happened
Zenity’s write-up says the attack began with a poisoned Google Calendar invite that looked normal on the surface. Hidden content inside the invite carried instructions meant for the AI agent, not the user. When the victim asked Comet to accept or handle the meeting, the browser allegedly treated those hidden instructions as part of the task.
The researchers describe this as intent collision. In their words, the agent merged a legitimate user request with attacker-controlled instructions from untrusted content into a single execution plan. Once that happened, sensitive actions such as opening local files no longer looked dangerous to the agent. They looked like ordinary steps needed to finish the task.
Zenity says Comet could then browse file:// locations, search local directories, open files, read their contents, and finally send the stolen data out through standard browser navigation. In one flow, Comet showed a warning only after transmission. In another, Zenity says no warning appeared at all.
At a glance
| Item | Details |
|---|---|
| Product | Perplexity Comet |
| Research group | Zenity Labs |
| Attack entry point | Malicious Google Calendar invite |
| Main issue | Indirect prompt injection inside agent workflow |
| Reported impact | Local file access and data exfiltration |
| Disclosure date | Reported October 22, 2025 |
| Fix status | Perplexity patched the file:// access path used in the attack before public disclosure |
Why the attack mattered
This issue stood out because Comet is designed to do more than open pages. Perplexity markets Comet as a browser that can automate tasks, organize email, and act like a personal assistant. That makes it useful, but it also gives the browser’s AI agent more room to act on hidden instructions that arrive through everyday content.
Zenity argues that agentic browsers create a new trust problem. Traditional browsers mainly display content. Agentic browsers interpret instructions, hold authenticated context, and execute actions across apps and services. That bigger role can turn ordinary web content into an execution path if the system cannot cleanly separate user intent from hostile instructions.
Security researcher Simon Willison has made a similar point before. He wrote in 2025 that trusted instructions and untrusted content end up in the same token stream, and he said he strongly expects the idea of an agentic browser extension to be fatally flawed if builders cannot solve that separation problem. His comments predate this new Zenity disclosure, but they fit the pattern closely.
How the patch unfolded
Zenity says it reported the local-file issue to Perplexity on October 22, 2025. Perplexity then worked with the researchers on a fix that blocked the agent from autonomously accessing file:// paths. Zenity says it confirmed on February 13, 2026 that the attack shown in the report no longer works.
The timeline also shows the first fix did not fully end the story. Zenity says it found a bypass through view-source:file:///... on January 27, 2026, after checking the first patch. Perplexity then issued an additional patch on February 11, 2026. That is an important nuance because it shows the vendor had to close both the direct path and a follow-up bypass.
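The two-stage fix described above can be illustrated with a small navigation guard. This is an added example, not Perplexity's code and not from the Zenity report: the function names, the wrapper list and the sample URLs are all assumptions. It shows why a check on the outermost scheme alone misses a wrapped file:// URL, and how peeling wrapper schemes before applying an allowlist closes that gap.

```javascript
// Added illustration; all names here are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Schemes that embed another URL after the colon (assumed list).
const WRAPPER_SCHEMES = new Set(["view-source:"]);

// Weak form: denylist applied to the outermost scheme only.
function naiveAgentMayNavigate(raw) {
  try {
    return new URL(String(raw).trim()).protocol !== "file:";
  } catch {
    return false; // unparseable input is never navigated
  }
}

// Returns the innermost scheme after peeling wrappers, or null if the
// input does not parse or nests wrappers more than maxDepth times.
function effectiveScheme(raw, maxDepth = 5) {
  let candidate = String(raw).trim();
  for (let depth = 0; depth <= maxDepth; depth++) {
    let url;
    try {
      url = new URL(candidate);
    } catch {
      return null;
    }
    if (!WRAPPER_SCHEMES.has(url.protocol)) return url.protocol;
    // Use the normalized href so case and stray whitespace cannot hide the scheme.
    candidate = url.href.slice(url.protocol.length);
  }
  return null;
}

// Hardened form: allowlist applied to the innermost scheme.
function agentMayNavigate(raw) {
  const scheme = effectiveScheme(raw);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample inputs, not taken from the report.
const SAMPLES = [
  "https://calendar.example/invite/123",
  "file:///home/user/notes.txt",
  "view-source:file:///home/user/notes.txt",
];
for (const s of SAMPLES) {
  console.log(s, "naive:", naiveAgentMayNavigate(s), "hardened:", agentMayNavigate(s));
}
```

An allowlist on the innermost scheme also rejects any scheme the policy author never considered, which a denylist cannot do.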
The 1Password angle
Zenity published a second Comet-related post that focused on 1Password. The researchers say that if the 1Password browser extension was installed and unlocked, Comet could operate inside that authenticated context and abuse agent-authorized workflows to expose vault data or interfere with account settings.
Zenity says it disclosed those findings to both Perplexity and 1Password. It also says 1Password published its own advisory and treated the problem as an ecosystem-level AI browsing risk rather than a break in 1Password’s core cryptography or vault design. 1Password recommended controls such as disabling automatic sign-in and enabling prompts before filling credentials.
What users should take from this
This incident does not mean every Comet installation remains vulnerable today. Zenity states that the specific local-file exfiltration attack it demonstrated no longer works after Perplexity’s code-level block on agent access to file:// paths.
It does mean users should treat agentic browsers differently from normal browsers. If a browser can read email, handle meetings, work inside authenticated sessions, and take action across tabs, then hidden instructions in routine content can become far more dangerous. That risk grows when password managers, work accounts, and local files all sit inside the same session.
Recommended precautions
- Keep sensitive browser extensions locked when you are not using them. Zenity says an unlocked 1Password extension raised the impact of related Comet abuse scenarios.
- Be careful when you ask AI browsers to handle external content such as meeting invites, shared documents, emails, or messages from unknown sources. The reported Comet attack began with a calendar invite.
- Install updates quickly. Zenity says Perplexity shipped a code-level block on agent access to file:// paths and later added a second patch for a bypass.
- Review extension settings. 1Password’s advisory recommends disabling automatic sign-in and turning on controls that ask before filling.
FAQ
Zenity says yes, with one important caveat. The user still had to ask Comet to handle the meeting task, but after that, the reported attack flow needed no further clicks or approvals.
Zenity says no. The researchers argue that Comet followed its intended capabilities and that the deeper problem sat in how the AI agent handled trusted and untrusted instructions in the same workflow.
According to Zenity, no. The researchers say Perplexity added a hard boundary that blocks agent access to file:// paths, and Zenity confirmed the demonstrated attack no longer works.
Zenity says related Comet abuse could target users who had an unlocked 1Password extension, and 1Password later published an advisory focused on AI-assisted browsing risk. 1Password says the issue reflected ecosystem-level browser-agent risk, not a failure in its cryptography.