Zenity Labs has revealed a significant security concern dubbed “PleaseFix,” a series of critical vulnerabilities that impact a new breed of web interfaces known as agentic browsers, including the Perplexity Comet browser. These vulnerabilities present substantial risks by allowing malicious actors to hijack AI-driven agents, gain access to local files, and steal user credentials during authenticated sessions. Exploiting these vulnerabilities is alarmingly straightforward; attackers can integrate malicious content into routine workflows, thereby enabling damaging actions without any indication to the user.
The disclosure specifically highlights a subset of vulnerabilities labeled as “PerplexedBrowser.” This group encompasses two distinct exploit methods that arise from indirect prompt injection techniques, ultimately leading to different but equally concerning results.
In the first exploit path, the vulnerability allows for a zero-click compromise of the agent. This means that an attacker can access the local file system and exfiltrate data while the AI agent continues to return benign results to the user, further enhancing the stealth of the attack. The second exploit focuses on leveraging agent-authorized workflows to manipulate interactions with password managers. By exploiting these workflows, attackers can either steal user credentials or completely take over user accounts, all without directly compromising the password manager itself.
Agentic browsers, as a class, signify a pivotal shift in how web environments operate. Unlike traditional web browsers, which primarily serve to display content, agentic systems are designed to interpret instructions, maintain authenticated contexts, and autonomously execute actions across various applications and services. This expanded functionality, while beneficial for user efficiency, also raises alarming new security vulnerabilities.
The PleaseFix vulnerabilities lay bare how these advancements in technology can inadvertently create security risks. By extending user trust into automated workflows, sensitive data, credentials, and connected systems are exposed in ways that current browser and endpoint controls are ill-prepared to detect.
### Zenity Labs’ Findings
The researchers at Zenity Labs have shown that vulnerabilities exist that allow for autonomous operations of AI agents within authenticated browser sessions. For instance, when an AI agent is assigned a typical task, such as accepting a calendar invite, it can act without direct human oversight. This means the agent can execute a variety of tasks and access a wide range of data, tools, and workflows that the user has previously authorized.
The PleaseFix vulnerabilities can be seen as an evolution of “ClickFix,” a social engineering technique where attackers trick users into executing harmful actions. In this latest iteration, however, the tactic is applied directly to AI agents, allowing malicious actions to be instantiated without any human interaction at all.
Michael Bargury, the CTO of Zenity, commented on the matter by stating, “This represents an inherent vulnerability in agentic systems. Attackers can integrate untrusted data into AI browsers and hijack the agent itself, inheriting whatever access authority it has been granted. It’s a case of agent trust failure that places sensitive data and workflows in jeopardy in ways existing security measures simply weren’t designed to detect.”
### Details of the Exploits
#### Exploit 1
The first exploit is initiated by attacker-controlled content—such as a benign-looking calendar invite—triggering the Perplexity Comet browser to execute a task autonomously without any clicks or prompts from the user. Once an unsuspecting user requests the agent to perform a routine operational task, the agent is activated to act, effectively compromising the environment. The agent could then autonomously access the local file system, leading to unauthorized data exfiltration while still presenting expected results to the user, thereby masking the malicious activity.
#### Exploit 2
Similar to the first, the second exploit starts with content created by an attacker to manipulate agent privileges. By taking advantage of agent-authorized workflows, attackers can engage with password management tools inappropriately. This manipulation allows for the theft of stored credentials or even complete account takeover, all occurring within the scope of a legitimate, authenticated session.
Zenity Labs responsibly disclosed these vulnerabilities and the associated exploits, ensuring that Perplexity took corrective measures to address the underlying browser-side execution issues prior to the public announcement.
In a world increasingly reliant on autonomous systems, the findings from Zenity Labs should serve as a cautionary tale. As agentic browsers become more commonplace, it is critical to consider the security implications that accompany these advanced functionalities. Organizations must adapt their security measures to cope with these emerging threats, ensuring that sensitive data and user credentials remain safeguarded against sophisticated attacks that exploit the very capabilities designed to enhance productivity.