StAJect0r

Zero-click local file exfiltration via an agentic browser is real. ⚠️ Zenity Labs shows a calendar invite can steer Perplexity Comet into browsing file:// paths, reading sensitive files, and exfiltrating via normal navigation. Fix now blocks agent file:// access. ✅ 🔗 https://t.co/C3oPsc7QrI #AISecurity #AgentSecurity #LLMSecurity

0/14 We hijacked Perplexity's agentic browser Comet to leak files from your PC and take over your 1Password account. 🚨 Two technical writeups. Two attacks. One family of critical vulnerabilities dubbed PleaseFix we identified at Zenity across agentic browsers from multiple vendors. Here's how it works and why it matters.

13/14 The bigger picture: agentic browsers interpret AND execute. They sit inside your authenticated sessions, your extensions, your file system. The blast radius of a single prompt injection is no longer a chatbot saying something weird. It's your files. Your credentials. Your accounts. That is a fundamentally different threat.

11/14 To our knowledge, this is the first public end-to-end attack against an agentic browser resulting in local file exfiltration and password manager account takeover. And a calendar invite is just one entry point. This can come from ANYWHERE on the internet. Any content the agent reads can become the attack vector.

10/14 But we didn't stop there. We escalated to full account takeover. Same calendar invite. This time the injected instructions guided Comet to navigate to account settings, change the password to one we control, and extract the Secret Key and email from the Emergency Kit flow. The user got "task complete." We got the vault. 💀