Overview
- Zenity Labs reported a suite of flaws in agentic AI browsers, including Perplexity’s Comet, that let malicious calendar entries trigger autonomous actions such as accessing local files and exfiltrating data.
- Researchers also showed Comet could be steered to a 1Password extension page to seize a user’s vault if the extension was installed and unlocked, prompting 1Password to publish an advisory and add hardening options in late January.
- Zenity disclosed the issues to Perplexity on October 22, 2025; a January 23, 2026 fix was bypassed, and a February 13, 2026 patch closed the reported calendar-based vector.
- Exploitation relied on indirect prompt injection through routine content rather than malware, with the agent interpreting attacker-supplied text as legitimate user intent inside authenticated sessions.
- Researchers emphasize the root cause is the agent trust model, and other firms have flagged similar weaknesses in agentic implementations, indicating the risk extends beyond a single product.
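
The trust-model point above can be made concrete with a small provenance gate. This is an added example, not code from Zenity, Perplexity or 1Password; the labels, the `Action` and `Session` types and the allow/confirm/deny policy are all hypothetical. It assumes the agent can attribute each requested action to either the user's own prompt or to ingested third-party content such as a calendar entry.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Provenance labels (hypothetical): who authored the text behind a request.
USER = "user"
UNTRUSTED = "untrusted_content"   # calendar entries, web pages, e-mail bodies

# Targets that expose local files or browser-extension pages.
SENSITIVE_SCHEMES = {"file", "chrome-extension", "moz-extension"}


@dataclass(frozen=True)
class Action:
    kind: str         # "navigate", "read_page" or "submit_form"
    target: str       # URL the agent wants to act on
    provenance: str   # label of the text that asked for this action


class Session:
    def __init__(self):
        self.tainted = False  # True once third-party text is in context

    def ingest(self, text, provenance):
        """Record that text entered the agent's context."""
        if provenance != USER:
            self.tainted = True

    def decide(self, action):
        """Return "allow", "confirm" (ask the user) or "deny"."""
        scheme = urlsplit(action.target).scheme.lower()
        if scheme in SENSITIVE_SCHEMES:
            if action.provenance != USER:
                return "deny"      # content never gets local or extension access
            return "confirm" if self.tainted else "allow"
        if action.provenance != USER and action.kind != "read_page":
            return "confirm"       # side effects requested by content
        return "allow"


def demo():
    s = Session()
    s.ingest("Summarize today's meetings", USER)
    # Constructed sample: placeholder for an invite body written by a third party.
    s.ingest("<calendar entry description>", UNTRUSTED)
    return [
        s.decide(Action("navigate", "file:///home/user/notes.txt", UNTRUSTED)),
        s.decide(Action("navigate", "chrome-extension://EXAMPLE-ID/page.html", USER)),
        s.decide(Action("read_page", "https://example.com/agenda", UNTRUSTED)),
    ]
```

The gate keys on who asked, not on what the text says, so it does not depend on recognizing any particular injected wording.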