- Zenity researchers revealed PleaseFix, a zero-click indirect prompt injection bug in the Comet browser
- Malicious calendar invites could trick AI into wiping out passwords and sensitive files without user awareness
- The bug was fixed by restricting file:// access so that agents can no longer read the local file system
Perplexity’s AI-powered Comet web browser is vulnerable to indirect prompt injection attacks that threat actors can exploit to exfiltrate sensitive data such as passwords, experts have warned.
Security researchers at Zenity dubbed the bug PleaseFix and demonstrated several ways it can be abused.
In a technical blog, Zenity explained that PleaseFix was a zero-click vulnerability, meaning it did not require the victim to run a malicious command or program. All the victim has to do is go about their day as they normally would.
Zero clicks
At the heart of the problem is the fact that AI agents cannot distinguish between data and instructions. If the user instructs the AI to read a specific data set and act on it, and that data set contains a prompt of its own, the agent will execute it without alerting the victim.
In practice, as Zenity demonstrated, it works like this: a malicious actor sends a calendar invite to their target that, by all accounts, looks authentic and benign. The calendar entry can be anything from an ordinary call to a job interview. If the victim adds the invitation to their calendar and later asks Comet to summarize it or help prepare for it, the AI agent will follow the prompt embedded in the calendar entry as if it were the user’s own command.
In this scenario, the calendar entry included a call to search the victim’s files, look for documents named “passwords” or similar, and exfiltrate any information found. An alternative scenario shows how the same tactic can be used to exfiltrate passwords stored in a password manager.
The worst part of the attack is that the victim is unaware. Everything happens in the background, and while the victim reads the AI-generated summary they expected, the AI agent has in effect become a malicious insider working for the attacker.
Zenity said the bug was fixed after responsible disclosure.
“The directive includes a new hard limit that deterministically limits the browser’s ability to autonomously access file:// paths,” the researchers explained.
“This means that while the user will still be able to access these paths, the agent is restricted from doing so. Regardless of the prompt or situation, the agent would not be able to navigate or operate on URLs starting with file:// and access the user’s local file system.”
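A deterministic guard of the kind the fix describes, written here as an added example in Python (not Perplexity’s or Zenity’s code): the decision depends only on who initiated the navigation and on the URL scheme, never on the prompt, so the user keeps file:// access while the agent does not. It goes slightly beyond the page by allowlisting only http/https for the agent, which covers file:// and any other local scheme; the principal labels and the `fetch` callable are assumptions.

```python
"""Deterministic scheme guard for a browser agent's navigation tool."""
from urllib.parse import urlsplit

# Assumption: the browser tags every navigation with who initiated it.
USER = "user"
AGENT = "agent"

# Assumption: agents may only fetch web content; every other scheme,
# including file://, is refused no matter what the prompt says.
AGENT_ALLOWED_SCHEMES = frozenset({"http", "https"})


class NavigationDenied(Exception):
    """Raised when policy forbids a navigation; the caller must not retry."""


def normalized_scheme(url: str) -> str:
    """Return the lowercased scheme, tolerant of stray whitespace and mixed
    case so 'FILE:///etc/passwd' or ' file://x' are not waved through."""
    return urlsplit(url.strip()).scheme.lower()


def check_navigation(principal: str, url: str) -> bool:
    """Return True if the navigation is permitted, False otherwise.

    The rule is a hard limit: it looks only at the principal and the scheme,
    so injected instructions in page or calendar content cannot relax it.
    Redirect targets should be passed back through this check as well.
    """
    if principal == USER:
        return True  # the human keeps full access to their own file system
    if principal == AGENT:
        return normalized_scheme(url) in AGENT_ALLOWED_SCHEMES
    return False  # unknown principals get nothing


def agent_navigate(url: str, fetch) -> str:
    """Wrapper the agent's 'open URL' tool would call; `fetch` is an assumed
    callable that performs the real navigation and returns page content."""
    if not check_navigation(AGENT, url):
        raise NavigationDenied(f"agent navigation blocked: {url!r}")
    return fetch(url)
```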