Particle.news
Zenity Labs Details ‘PleaseFix’ Flaws in Agentic Browsers After Perplexity Closes Calendar-Invite Attack

The disclosure underscores how agent-style browsers can treat routine content as instructions, inheriting a user’s authenticated access beyond traditional controls.

Overview

  • Zenity Labs reported that malicious calendar invites could indirectly prompt Perplexity’s Comet agent to browse local directories, read files, and exfiltrate data once the invite was accepted.
  • A separate technique showed Comet interacting with an installed, unlocked 1Password extension to change settings or extract secrets without exploiting 1Password itself, which later issued hardening guidance.
  • Zenity notified Perplexity on October 22, 2025; an initial January 23, 2026 fix was bypassed using a view-source:file:// path, before a February 13 update restricted file:// access and closed the demonstrated calendar vector.
  • Researchers emphasize the flaws arise from agent execution models and trust boundaries rather than a single app bug, so prompt-injection risks remain a systemic challenge for agentic browsers.
  • Evasion tactics such as burying instructions under many newlines, using non‑English text, and leveraging view-source prefixes helped bypass early guardrails, highlighting the need for stronger architectural mitigations.
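The view-source:file:// bypass in the timeline above, as an added defensive example (not code from Zenity Labs, Perplexity, or Comet): a check on the literal file:// prefix next to a guard that peels view-source: wrappers and then allow-lists the scheme. The function names, the http/https allow-list, the nesting limit, and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: names and policy are assumptions, not Comet's code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const WRAPPER_PREFIX = /^view-source:/i;
const MAX_WRAPPER_DEPTH = 8; // assumed limit; deeper nesting is refused

// Weak form: deny-list on the literal prefix only.
function naiveIsAllowed(rawUrl) {
  return !rawUrl.trim().toLowerCase().startsWith("file://");
}

// URL parsers ignore tabs/newlines and leading control characters or
// spaces, so remove them before looking at the scheme.
function stripIgnored(s) {
  return s.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
}

// Hardened form: peel every view-source: wrapper, then allow-list the
// scheme of what remains. Anything unparseable is denied.
function isNavigationAllowed(rawUrl) {
  let candidate = stripIgnored(String(rawUrl));
  let depth = 0;
  while (WRAPPER_PREFIX.test(candidate)) {
    if (++depth > MAX_WRAPPER_DEPTH) return false;
    candidate = stripIgnored(candidate.replace(WRAPPER_PREFIX, ""));
  }
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed sample URLs an agent might be asked to open.
const SAMPLES = [
  "https://example.com/calendar",
  "file:///home/user/notes.txt",
  "view-source:file:///home/user/notes.txt",
  "VIEW-SOURCE:view-source:FILE:///home/user/notes.txt",
];
for (const url of SAMPLES) {
  console.log(url, "| naive:", naiveIsAllowed(url), "| hardened:", isNavigationAllowed(url));
}
```

The guard only covers the navigation step; it does not address the instruction-hiding tactics (newline padding, non-English text) listed in the last bullet.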