Perplexity’s Comet Browser Hijacked Using Calendar Invite to Exfiltrate Sensitive Data

A poisoned Google Calendar invite is all it takes to weaponize Perplexity’s Comet browser. Security researchers at Zenity Labs have discovered a critical vulnerability, dubbed PerplexedBrowser, that tricks Comet’s AI agent into reading local files and stealing credentials.

This zero-click attack requires only that the user ask the agent to handle a routine meeting invite, exposing a fundamental flaw in how agentic browsers process untrusted data.​

The exploit operates as a seamless pipeline entirely within Comet’s agent, completely hidden from the user.

It begins when an attacker sends a plausible Google Calendar invite. Below the visible meeting details, large blocks of whitespace conceal fake HTML elements and a <system_reminder> block mimicking Comet’s internal instructions.

When the user asks the browser to accept the meeting, an “Intent Collision” occurs the agent merges the user’s legitimate request with the attacker’s hidden payload.

Feature	Details
Vulnerability	PerplexedBrowser (“PleaseFix” family)
Affected Product	Perplexity Comet browser (macOS, Windows, Android)
Severity	P1 (Bugcrowd critical)
Attack Vector	Malicious instructions hidden in a Google Calendar invite
Impact	Local file exfiltration, 1Password credential theft

According to research from Awesome Agents and Zenity Labs, the injected instructions secretly force Comet to visit an attacker-controlled website in the background.

To bypass English-focused safety guardrails, this malicious site delivers secondary instructions in Hebrew.

Framing the file traversal as a game, the agent is directed to access file:// URLs, reading sensitive configuration files and API keys.

Finally, Comet embeds this stolen data into a URL and navigates to the attacker’s server, instantly exfiltrating the files.​

The attack becomes even more destructive if the user has an unlocked 1Password browser extension.

Comet can search the password vault, extract individual entries, and attempt to change the master password.

While multi-factor authentication prevents full account takeovers, individual secrets and API keys are completely exposed.

A Pattern of Structural Vulnerabilities

Vulnerability	Attack Vector	Impact
CometJacking	URL-based prompt injection	Memory and connected service data exfiltration
Hidden MCP API	Undisclosed MCP API	Arbitrary command execution
Reddit Injection	Hidden prompt instructions	Email and OTP theft
UXSS	Extension misconfiguration	Arbitrary browser actions
Safety-Check Exfiltration	Abuse of AI guardrails	Internal data exfiltration

PerplexedBrowser is the sixth major security flaw found in Comet since its July 2025 launch. Previous issues include CometJacking, a hidden MCP API enabling command execution.

Additionally, researchers identified prompt injection vulnerabilities delivered through malicious Reddit comments.

Zenity reported this latest vulnerability in October 2025. However, it took Perplexity 120 days and two separate patches to fully implement a code-level block on file:// access.​

Zenity CTO Michael Bargury emphasized that this is an inherent structural flaw in agentic systems, not just a simple software bug.

Because Large Language Models process trusted user commands and untrusted web content in the same token stream, they cannot reliably distinguish between them.

Prominent AI security expert Simon Willison echoed this concern, suggesting the entire concept of an agentic browser extension may be fatally flawed.

Until architectural fixes emerge, users are advised to keep password managers locked and strictly limit agent access to sensitive domains.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.