Perplexity’s Comet Browser Breached Through Calendar Invite Attack
Security researchers at Zenity Labs disclosed a critical flaw in Perplexity’s Comet “agentic” browser that allowed attackers to steal local files using a malicious Google Calendar invite.
The issue, dubbed Perplexed Browser and grouped under Zenity’s “PleaseFix” family, affected Comet on macOS, Windows, and Android and was rated P1 (critical) in Bugcrowd.
The attack required no extra user clicks beyond a normal request such as “accept this meeting.”
Once the victim asked Comet’s AI agent to handle the invite, the agent could be manipulated into opening attacker-controlled content, reading files via file:// paths, and exfiltrating data by embedding file contents into URL query parameters sent to an external server.
According to Awesomeagents AI, Zenity credits the research to Stav Cohen and Michael Bargury.
How the attack worked
Zenity’s chain starts with a calendar invite that looks legitimate, realistic names, roles, and meeting details.
The trick sits in whitespace: large blank sections hide instructions a user is unlikely to notice when previewing the invite.
Those hidden instructions include fake HTML elements and a block formatted to resemble internal “system reminder” guidance.
When Comet’s agent processes the invite, it blends the attacker’s hidden text with the user’s request, a failure mode Zenity calls “intent collision,” where the model can’t reliably separate trusted intent from untrusted content.
Next, the injected instructions push Comet to an attacker website, including cues intended to run actions in the background so the victim sees little or no visible browsing.
That site delivers a second-stage prompt, reportedly written in Hebrew to reduce the effectiveness of English-focused safety checks.
The prompt then reframes file access as a harmless discovery task, guiding the agent to traverse local directories and open sensitive files (configuration data, API keys, and stored credentials) through
file://
file:// URLs.
Finally, the agent sends the stolen content out by constructing a URL that carries the data in parameters and navigating to the attacker’s server, an exfiltration pattern that can bypass casual inspection.
Zenity reported the bug on Oct. 22, 2025. Perplexity shipped an initial fix on Jan. 23, 2026 that blocked agent access to file:// at the code level, but Zenity bypassed it with a view-source:file:/// trick.
A second patch shipped Feb. 11, with remediation confirmed Feb. 13, ending a 120-day disclosure process.
A more damaging variant involved 1Password: if the browser extension was installed and unlocked, the agent could potentially expose vault entries and assist in takeover steps. However, MFA could still limit full account compromise.
The broader takeaway is structural: any AI agent that reads untrusted content while holding powerful local or account permissions becomes a high-value target.