
The exploit enables credential theft without user clicks, raising immediate risk for enterprises and consumers using AI‑enhanced browsers. It also signals a broader security challenge for AI agents that process untrusted content.
The rapid adoption of AI‑powered browsers like Perplexity’s Comet has introduced a new attack surface where generative agents interact directly with user data. Unlike traditional web browsers, these AI layers interpret natural‑language prompts, blurring the line between content and instruction. When an attacker embeds a covert prompt in a calendar invite, the AI treats it as a legitimate request, automatically executing commands that can sweep local directories for credential files. This zero‑click vector sidesteps classic defenses that rely on user interaction or exploit mitigation, making it especially insidious for both corporate and personal environments.
Zero‑click prompt‑injection exploits take advantage of a fundamental design weakness: the lack of robust input sanitization for AI‑driven agents. The “PleaseFix” vulnerability demonstrates how an innocuous‑looking calendar entry can become a conduit for malicious code, prompting the AI to read file:// paths and transmit sensitive data to an external server. Because the attack occurs entirely within the AI’s processing pipeline, victims see only the expected summary output, remaining unaware that their passwords have been harvested. This scenario highlights the urgency for developers to implement strict context isolation, enforce content‑type validation, and limit autonomous file system access for AI modules.
Perplexity’s quick patch—blocking AI‑initiated file:// requests—illustrates a pragmatic mitigation path, but the broader industry must adopt systematic safeguards. Security teams should treat AI agents as privileged components, applying the principle of least privilege and continuous monitoring for anomalous behavior. Moreover, standards bodies are beginning to draft guidelines for AI‑driven interfaces, emphasizing transparent prompt handling and audit trails. As AI browsers become mainstream, organizations that proactively harden their AI stacks will gain a competitive edge in protecting intellectual property and user trust.
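The mitigation described above, sketched as a policy gate for requests an AI agent makes on its own. This is an added example, not Perplexity's code: the function names, the `initiator` field and the `taskOrigins` list are hypothetical. It goes one step beyond the file:// block by also restricting the agent to the origins of the task it was given, as a least-privilege assumption.

```javascript
// Added example: gate for URL requests issued by an AI agent (hypothetical API).
// Only https is allowed for the agent; file:, view-source:, data: etc. are denied.
const ALLOWED_SCHEMES = new Set(["https:"]);

function checkAgentRequest(rawUrl, { initiator, taskOrigins = [] }) {
  // Navigations typed by the user are outside this policy.
  if (initiator !== "agent") return { allow: true, reason: "user-initiated" };

  let url;
  try {
    // The WHATWG parser lowercases the scheme and strips tabs, newlines and
    // leading/trailing spaces, so "FILE://" or "fi\tle://" cannot slip past.
    url = new URL(rawUrl);
  } catch {
    return { allow: false, reason: "unparseable" }; // bare paths, garbage
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: `scheme ${url.protocol} denied` };
  }
  if (url.username || url.password) {
    return { allow: false, reason: "embedded credentials" };
  }
  // Least privilege: the agent may only reach origins tied to the current task.
  if (!taskOrigins.includes(url.origin)) {
    return { allow: false, reason: `origin ${url.origin} out of task scope` };
  }
  return { allow: true, reason: "in scope" };
}

// Audit trail: one record per agent request, allowed or not.
function auditAgentRequests(urls, ctx) {
  return urls.map((u) => ({ url: u, ...checkAgentRequest(u, ctx) }));
}

// Constructed sample: requests an agent might emit while summarizing an invite.
const agentCtx = { initiator: "agent", taskOrigins: ["https://calendar.example"] };
const sample = [
  "https://calendar.example/invite/42",
  "FILE:///etc/passwd",
  " fi\tle:///C:/Users/x/logins.json",
  "https://collector.example/upload",
];
console.log(auditAgentRequests(sample, agentCtx));
```

Denied records in the audit output are the signal to monitor: an agent summarizing a calendar entry has no reason to request a local path or an unrelated origin.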