By Michael Vizard
Publication Date: 2026-03-03 14:27:00
Zenity, a provider of a platform for securing artificial intelligence (AI) applications and agents, today detailed how a zero-click attack could be launched against the Comet AI browser developed by Perplexity.
Company CTO Michael Bargury said the attack vector, dubbed PerplexedComet, enables an attacker to control content in a way that can be used to trigger autonomous behavior across connected tools and workflows.
Part of a family of PleaseFix vulnerabilities found in AI browsers, PerplexedComet was used to send a benign calendar invite. Once the user asks Comet to accept the meeting, the rest of the flow executes without further interaction. Via an indirect prompt injection embedded in trusted calendar content, Comet is manipulated to access the local file system, browse directories, open sensitive files, and read their contents. The agent then exfiltrates the file contents to an external attacker-controlled website.
The PerplexedComet vulnerability was reported to Perplexity last October, and a harder set of boundaries was implemented in the Comet browser last month to improve cybersecurity, so this specific attack no longer works.
However, these types of indirect prompt injection attacks can be used to exploit a variety of AI agent execution models that create trust boundaries as tools are invoked across an integrated workflow, said Bargury.
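One way to enforce a boundary of this kind, shown as an added example (it is not Perplexity's or Zenity's code): a gate in front of the agent's navigation tool marks the session as tainted once calendar content enters the model context, then refuses local file reads and requests to hosts the user did not approve. The class, the source labels, the hosts and the file path are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed labels for content the agent did not get from the user directly.
UNTRUSTED_SOURCES = {"calendar", "email", "web"}

@dataclass
class AgentSession:
    allowed_hosts: set                  # hosts the user approved for this task
    tainted: bool = False               # untrusted content is in the model context
    holds_local_data: bool = False      # local file contents are in the model context
    audit: list = field(default_factory=list)

    def ingest(self, source: str) -> None:
        """Record that content from `source` entered the model context."""
        if source in UNTRUSTED_SOURCES:
            self.tainted = True

    def authorize(self, url: str) -> bool:
        """Decide whether the agent's navigation tool may open `url`."""
        parts = urlparse(url)
        scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
        if scheme == "file":
            # Boundary 1: no local reads while injected text could be steering.
            ok = not self.tainted
            self.holds_local_data = self.holds_local_data or ok
        elif scheme in ("http", "https"):
            # Boundary 2: a tainted or data-holding session may only reach
            # hosts the user approved, which closes the exfiltration step.
            ok = host in self.allowed_hosts or not (self.tainted or self.holds_local_data)
        else:
            ok = False
        self.audit.append((url, "allow" if ok else "deny"))
        return ok

def replay_calendar_flow() -> list:
    """Replay the reported sequence of tool calls against the gate (constructed inputs)."""
    s = AgentSession(allowed_hosts={"calendar.example"})
    s.ingest("calendar")                                  # invite text enters context
    return [
        s.authorize("https://calendar.example/accept"),   # the task the user asked for
        s.authorize("file:///home/user/notes.txt"),       # local read steered by the invite
        s.authorize("https://collector.example/upload"),  # send to an unapproved host
    ]

if __name__ == "__main__":
    print(replay_calendar_flow())
```

The decision depends only on session state and the requested URL, never on the model's own judgment of the invite text, so an injection that persuades the model still cannot pass the gate.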
The challenge is these types of attacks require no exploit, no user clicks, and no explicit request to…

