
Zenity Labs Discloses Critical Exploits in Agentic Browsers

Zenity’s PleaseFix flaws in agentic browsers enable silent AI hijacking, local file exfiltration, and credential theft within authenticated sessions.

Written By
Luis Millares
Mar 3, 2026

Zenity Labs has disclosed PleaseFix, a family of critical vulnerabilities affecting agentic browsers that could allow attackers to silently hijack AI agents, access local files, and steal credentials within authenticated user sessions. 

Inherent vulnerabilities in agentic systems

According to Zenity Labs, the vulnerabilities can be triggered through malicious content embedded in routine workflows, enabling unauthorized actions without user awareness. 

The disclosure highlights the broader security risks associated with deploying agentic solutions across software environments.

“This is not a bug. It is an inherent vulnerability in agentic systems,” said Zenity Labs co-founder and CTO Michael Bargury.

“Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted. This is an agent trust failure that exposes data, credentials, and workflows in ways existing security controls were never designed to see.”

The disclosure includes PerplexedBrowser, a subfamily of vulnerabilities in the Perplexity Comet browser. It consists of two exploit paths, both stemming from indirect prompt-injection techniques but producing different outcomes.

The first enables zero-click agent compromise, granting access to the local file system and allowing data exfiltration while the agent continues returning expected results to the user.

The second abuses agent-authorized workflows to manipulate password manager interactions, resulting in credential theft or full account takeover — without directly exploiting the password manager itself, such as 1Password.

Below is a brief overview of each exploit:

Exploit 1: PerplexedBrowser and File System Exfiltration

Zenity Labs says the first exploit involves attacker-controlled content, such as a malicious calendar invite, that triggers autonomous execution in the Perplexity Comet browser when a user asks the agent to perform a routine task. This is a zero-click vulnerability.

Alarmingly, no additional prompts or user interaction are required. The agent autonomously accesses the local file system and exfiltrates its contents to an attacker-controlled endpoint, while still returning the expected response to the user.

Exploit 2: Credential Theft and Account Takeover via Password Managers

The second exploit also involves PerplexedBrowser and begins with an attacker-controlled trigger. 

This allows the attacker to assume agent privileges and abuse agent-authorized workflows that provide access to password management tools, such as 1Password.

Without directly exploiting the password manager, attackers can manipulate agent task execution to steal stored credentials or even take over a user’s 1Password account. These actions occur within a legitimate, authenticated session.
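The common thread in both exploit paths is that content the agent reads (an invite, a page) ends up widening what the agent does. The following is an added illustration, not Perplexity's or Zenity's code, of the mitigating control a browser vendor can put in front of tool calls: a deny-by-default gate keyed to the user's declared task, so injected instructions can neither reach the local file system nor send credentials to an undeclared host. Tool names, hosts and both call sequences are constructed for the example.

```python
from dataclasses import dataclass, field

# Tools that move data out of the browser; each call needs an allowed host.
EGRESS_TOOLS = {"http_post", "fill_form"}

@dataclass
class Task:
    """The user's request is the only source of agent authority."""
    allowed_tools: set
    allowed_hosts: set  # destinations this task may send data to

@dataclass
class ToolGate:
    """Deny-by-default gate in front of every tool call the agent emits.
    Content the agent reads (an invite, a page) is never consulted here,
    so injected instructions cannot widen the task's allowlists."""
    task: Task
    decisions: list = field(default_factory=list)

    def check(self, tool, host=None):
        if tool not in self.task.allowed_tools:
            return self._record(tool, False, "tool not granted to this task")
        if tool in EGRESS_TOOLS and host not in self.task.allowed_hosts:
            return self._record(tool, False, f"egress to {host!r} not granted")
        return self._record(tool, True, "within task scope")

    def _record(self, tool, allowed, reason):
        self.decisions.append((tool, allowed, reason))
        return allowed

def simulate(task, calls):
    """Run (tool, host) calls through a fresh gate; return allow/deny per call."""
    gate = ToolGate(task)
    return [gate.check(tool, host) for tool, host in calls]

# Constructed scenarios mirroring the two exploit paths described above.
CALENDAR_TASK = Task({"read_calendar", "answer_user"}, set())
HIJACKED_CALENDAR_RUN = [
    ("read_calendar", None),            # the routine task itself
    ("read_local_file", None),          # injected: denied, never granted
    ("http_post", "attacker.example"),  # injected: denied, no egress allowed
    ("answer_user", None),              # the expected reply still flows
]
LOGIN_TASK = Task({"password_manager_get", "fill_form"}, {"app.example.com"})
HIJACKED_LOGIN_RUN = [
    ("password_manager_get", None),     # legitimate for a login task
    ("fill_form", "app.example.com"),   # legitimate destination
    ("fill_form", "phish.example"),     # injected: credential leaving scope
]
```

The `decisions` list on each gate is the audit trail a detection team would forward: a denied `read_local_file` or an off-scope `fill_form` during a routine task is the signal that the agent was hijacked.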

Zenity Labs says it responsibly disclosed the PleaseFix vulnerabilities to both Perplexity and 1Password and shared its findings on downstream credential abuse with 1Password.

Perplexity addressed the underlying issue with browser-side agent execution prior to public disclosure. 

Meanwhile, 1Password confirmed that the root cause resides in Perplexity’s browser execution model rather than in its own platform.

Late last year, Zenity expanded its AI security platform with incident intelligence, agentic browser protection, and new LLM defense tools.
