Zero-Click AI Prompt Injection Flaw in Comet Browser Exposed Sensitive Data
Researchers at Zenity uncovered PleaseFix, a zero-click indirect prompt injection vulnerability in Perplexity’s AI-powered Comet browser, allowing attackers to exfiltrate passwords and sensitive files without user interaction.
The flaw stemmed from the AI agents' inability to differentiate between data and instructions. By embedding malicious prompts in seemingly benign calendar invites, such as meeting requests or interview schedules, attackers could trick the AI into executing hidden commands when users asked Comet to summarize or prepare for the event. In one demonstration, the AI was manipulated into scanning local files for documents named "passwords" and transmitting their contents to an external server. Another scenario targeted password managers, silently extracting stored credentials.
The attack required no user action beyond adding the calendar invite, making it particularly stealthy. Victims remained unaware as the AI operated in the background, turning the tool into an unwitting accomplice for data theft.
Following responsible disclosure, Perplexity patched the vulnerability by restricting the browser’s AI agents from autonomously accessing file:// paths, preventing them from reading the local filesystem. While users retain manual access to these files, the AI can no longer navigate or interact with them, regardless of prompts.
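The patch described above amounts to a scheme-level policy on agent-initiated navigation: the user may still open local files, but nothing the model asks for may resolve to the local filesystem. The block below is an added illustration of that control, not Perplexity's or Comet's code; the function names, the `initiator` labels and the allowlist of `http`/`https` are assumptions, and the sample URLs are constructed. It applies the check after percent-decoding and case-folding the scheme so that trivial encodings of `file://` do not bypass it, and it writes an audit record for every decision so that blocked attempts become a detection signal.

```python
"""Agent navigation policy: deny local-filesystem targets for agent-initiated
requests while leaving user-initiated navigation untouched.

Added example; not the browser vendor's code. Names and the scheme allowlist
are assumptions made for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Assumed policy: an agent may only fetch web content. Everything else,
# including file://, is denied by default.
ALLOWED_AGENT_SCHEMES = frozenset({"http", "https"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _fully_unquote(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so 'f%69le://' is seen as 'file://'."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            return s
        s = nxt
    return s


def decide_agent_navigation(url: str) -> Decision:
    """Policy check for a URL the AI agent wants to open on its own."""
    target = _fully_unquote(url.strip())
    scheme = urlsplit(target).scheme.lower()  # case-fold: FILE:// == file://
    if not scheme:
        # A bare or relative path would resolve against the local filesystem.
        return Decision(False, "no scheme (bare or relative path)")
    if scheme == "file":
        return Decision(False, "file:// targets the local filesystem")
    if scheme not in ALLOWED_AGENT_SCHEMES:
        return Decision(False, f"scheme {scheme!r} is not allowlisted")
    return Decision(True, "ok")


def authorize_navigation(initiator: str, url: str, audit: list) -> bool:
    """Apply the policy only to agent-initiated navigation and audit every call.

    initiator: "user" (manual action, always permitted) or "agent"
    (model-driven action, subject to decide_agent_navigation).
    """
    if initiator == "user":
        decision = Decision(True, "user-initiated; agent policy not applied")
    elif initiator == "agent":
        decision = decide_agent_navigation(url)
    else:
        decision = Decision(False, f"unknown initiator {initiator!r}")
    # Blocked agent requests are worth alerting on: they indicate either a
    # misbehaving model or content that is steering it.
    audit.append({"initiator": initiator, "url": url,
                  "allowed": decision.allowed, "reason": decision.reason})
    return decision.allowed


if __name__ == "__main__":
    # Constructed sample: URLs an agent might be steered towards while
    # "preparing for" an event, plus one legitimate fetch.
    audit_log: list = []
    for who, u in [
        ("agent", "file:///Users/victim/Documents/passwords.txt"),
        ("agent", "FILE://localhost/etc/hosts"),
        ("agent", "f%69le:///etc/hosts"),
        ("agent", "/Users/victim/Documents/passwords.txt"),
        ("agent", "https://calendar.example.test/event/42"),
        ("user", "file:///Users/victim/Documents/notes.txt"),
    ]:
        ok = authorize_navigation(who, u, audit_log)
        print(f"{who:5} {'ALLOW' if ok else 'BLOCK':5} {u}")
    blocked = [e for e in audit_log if e["initiator"] == "agent" and not e["allowed"]]
    print(f"{len(blocked)} agent requests blocked")
```

The design point is that the check keys on who initiated the request, not on what the prompt said: a model that has been steered by an invite still cannot reach `file://`, and each refusal lands in the audit log where it can be correlated with the page or invite that was being summarized at the time.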
Perplexity cybersecurity rating report: https://www.rankiteo.com/company/perplexity-ai
{
  "id": "PER1772547904",
  "linkid": "perplexity-ai",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "industry": "Technology (AI/Browser)",
      "name": "Perplexity",
      "type": "Company"
    }
  ],
  "attack_vector": "Malicious calendar invites (e.g., meeting requests, interview schedules)",
  "data_breach": {
    "data_exfiltration": "Yes (to external server)",
    "file_types_exposed": ["Documents named 'passwords'", "Password manager credentials"],
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Passwords", "Sensitive files"]
  },
  "description": "Researchers at Zenity uncovered *PleaseFix*, a zero-click indirect prompt injection vulnerability in Perplexity’s AI-powered Comet browser, allowing attackers to exfiltrate passwords and sensitive files without user interaction. The flaw stemmed from AI agents’ inability to differentiate between data and instructions. By embedding malicious prompts in seemingly benign calendar invites such as meeting requests or interview schedules, attackers could trick the AI into executing hidden commands when users asked Comet to summarize or prepare for the event. The attack required no user action beyond adding the calendar invite, making it particularly stealthy.",
  "impact": {
    "data_compromised": "Passwords, sensitive files",
    "identity_theft_risk": "High",
    "systems_affected": "Comet browser (AI-powered)"
  },
  "investigation_status": "Resolved (patched)",
  "lessons_learned": "AI agents must differentiate between data and instructions to prevent indirect prompt injection attacks. Zero-click vulnerabilities require robust access controls to mitigate stealthy exploitation.",
  "post_incident_analysis": {
    "corrective_actions": "Restricted AI agents from autonomously accessing *file://* paths, preventing filesystem navigation regardless of prompts",
    "root_causes": "AI agents' inability to differentiate between data and instructions, lack of access restrictions for local filesystem interactions"
  },
  "recommendations": "Implement strict access controls for AI agents, restrict filesystem interactions, and enhance prompt validation to detect malicious inputs. Conduct regular security audits for AI-powered tools.",
  "references": [{"source": "Zenity Research"}],
  "response": {
    "containment_measures": "Restricted AI agents from autonomously accessing *file://* paths",
    "remediation_measures": "Patched vulnerability to prevent AI from reading local filesystem"
  },
  "title": "Zero-Click AI Prompt Injection Flaw in Comet Browser Exposed Sensitive Data",
  "type": "AI Prompt Injection",
  "vulnerability_exploited": "Zero-click indirect prompt injection (*PleaseFix*)"
}