
Perplexity AI Comet Browser Hijacked via Calendar Invite to Exfiltrate Sensitive Data

By AnuPriya
Publication Date: 2026-03-04 12:41:00

Security researchers at Zenity Labs uncovered a critical vulnerability in Perplexity’s Comet “agentic” browser, enabling attackers to steal sensitive local files through a weaponized Google Calendar invite.

Dubbed “PerplexedBrowser” and part of Zenity’s “PleaseFix” family, the flaw affected Comet on macOS, Windows, and Android.

Rated P1 (critical) on Bugcrowd, it exploited the AI agent’s handling of invites and required no user interaction beyond a simple “accept this meeting” request.

The attack hinged on “intent collision,” where Comet’s AI blended user queries with hidden malicious instructions in the invite.

Once processed, the agent accessed attacker-controlled sites, read files via file:// paths, and exfiltrated data by embedding file contents in URL query parameters sent to external servers. Credit goes to researchers Stav Cohen and Michael Bargury, as noted by Awesomeagents AI.

Zenity disclosed the bug on October 22, 2025. Perplexity issued an initial fix on January 23, 2026, blocking direct file:// access, but researchers bypassed it using view-source:file:///.
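To make the bypass concrete: the example below is an added illustration written for this article, not code from Perplexity, Comet or Zenity. It contrasts a denylist that rejects only the literal file:// prefix (the shape of check a view-source:file:/// URL passes) with an allowlist that unwraps wrapper schemes before deciding, and adds a heuristic for logging navigations whose query string carries an unusually large payload, the exfiltration channel described above. The function names, the wrapper-scheme set, the byte threshold and the sample URLs are assumptions constructed for illustration.

```python
"""Scheme policy for an agent's navigation requests.

Added example, not code from Perplexity, Comet or Zenity. It contrasts a
prefix denylist (the shape of fix that "view-source:file:///" slips past)
with an allowlist that unwraps wrapper schemes first, and adds a simple
heuristic for spotting data being carried out in URL query parameters.
The function names, the wrapper-scheme set and the byte threshold are
assumptions made for illustration.
"""
from urllib.parse import parse_qsl, urlsplit

# Schemes that wrap another URL; the inner URL decides what is actually read.
# "view-source" is the wrapper used in the reported bypass.
WRAPPER_SCHEMES = {"view-source"}

# Deny by default: only these schemes may be navigated to by the agent.
ALLOWED_SCHEMES = {"http", "https"}

# Assumed heuristic threshold: query strings carrying more decoded bytes than
# this to any host are worth logging as possible exfiltration.
EXFIL_QUERY_BYTES = 512


def naive_policy_allows(url: str) -> bool:
    """Denylist check that only rejects URLs starting with the literal file://."""
    return not url.strip().lower().startswith("file://")


def unwrap(url: str) -> str:
    """Peel wrapper schemes (e.g. view-source:) until the innermost URL remains."""
    current = url.strip()
    while True:
        scheme, sep, rest = current.partition(":")
        if sep and scheme.strip().lower() in WRAPPER_SCHEMES:
            current = rest.lstrip()
            continue
        return current


def hardened_policy_allows(url: str) -> bool:
    """Allowlist check applied to the unwrapped URL: http(s) only, else deny."""
    scheme = urlsplit(unwrap(url)).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def query_payload_bytes(url: str) -> int:
    """Decoded size of all query-parameter values in the (unwrapped) URL."""
    query = urlsplit(unwrap(url)).query
    return sum(len(value.encode("utf-8"))
               for _, value in parse_qsl(query, keep_blank_values=True))


def flags_exfiltration(url: str, threshold: int = EXFIL_QUERY_BYTES) -> bool:
    """True when a navigation carries an unusually large query payload."""
    return query_payload_bytes(url) > threshold


if __name__ == "__main__":
    # Constructed sample requests an agent might be steered into issuing.
    samples = [
        "https://example.com/search?q=agenda",
        "file:///etc/hosts",
        "view-source:file:///etc/hosts",
        "https://collector.invalid/c?d=" + "A" * 600,   # constructed payload
    ]
    for url in samples:
        print(f"{url[:48]:<50} naive={naive_policy_allows(url)!s:<5} "
              f"hardened={hardened_policy_allows(url)!s:<5} "
              f"exfil={flags_exfiltration(url)}")
```

The design point is the direction of the check: a denylist has to enumerate every wrapper and spelling an attacker might use, while an allowlist evaluated on the innermost URL fails closed for anything that is not plain http(s). The query-size heuristic is only a logging signal and will miss small, chunked payloads; it is there to show the exfiltration channel, not to replace a network egress policy.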

A final patch arrived on February 11, confirmed effective by February 13 after a 120-day process.

Timeline

Milestone     Date          Details
Disclosure    Oct 22, 2025  Zenity reports to Perplexity
Initial Fix   Jan 23, 2026  Blocks file:// at code level (bypassed)
Final Patch   Feb 11, 2026  Full remediation confirmed Feb 13

Attack Chain and Exfiltration Tactics

The chain began with a…
