Perplexity’s Comet Browser Hijacked via Calendar Invite, Exposing 1Password Credentials

Security researchers at Zenity Labs demonstrated that a single, malicious calendar invitation can commandeer Perplexity’s agentic Comet browser and exfiltrate a victim’s entire 1Password vault, The‑Decoder reported. The attack does not rely on a classic software flaw; instead it exploits “intent collision,” where Comet cannot reliably separate user‑issued commands from attacker‑embedded instructions. By asking the browser to “handle the appointment,” the user implicitly grants the AI a privileged context that includes an unlocked password manager, allowing the agent to read local files and forward them to a remote server without any further user interaction.

The researchers outlined two distinct attack paths. In the first, the crafted invite contains file‑system directives that cause Comet to traverse the file:// protocol, open sensitive documents, and copy their contents to an attacker‑controlled endpoint. Michael Bargury, CTO of Zenity Labs, explained to The Register that “AI browsers are not respecting cross‑origin restrictions to the letter,” meaning the agent can bypass the same‑origin policies that normally prevent web code from accessing local resources. The second path leverages the same mechanism to locate the user’s 1Password data store, retrieve the decrypted vault (which remains accessible while the user’s session is active), and transmit the credentials wholesale. Because the browser operates within the authenticated session, the theft occurs without prompting for two‑factor authentication, a detail highlighted in both The‑Decoder and The Register coverage.

Both Perplexity and 1Password have issued patches, but the remediation landscape remains uneven. Perplexity’s update introduces a mandatory opt‑in restriction that disables file:// access for Comet unless the user explicitly re‑enables it, according to the company’s security advisory. However, the default configuration in the current stable release still permits unrestricted file system access, leaving existing installations vulnerable until users apply the opt‑in setting. 1Password responded by tightening its session handling and adding a short‑lived token that expires if the vault is accessed by an external process, but the fix also requires users to enable the new “process isolation” feature manually. As a result, many users may remain exposed despite the availability of patches.

The incident underscores a broader risk vector for emerging AI‑driven browsing agents. Zenity’s findings indicate that any content processed as part of a delegated task—calendar invites, emails, documents, or uploaded files—can serve as a conduit for malicious instructions. This aligns with earlier warnings from security analysts that AI agents, unlike traditional browsers, often lack the granular sandboxing and permission models that mitigate cross‑origin attacks. The research team cautioned that the attack surface is not limited to calendar invites; any mechanism that triggers Comet to parse untrusted data could be weaponized in the same manner.

Industry observers note that the episode may accelerate calls for standardized security frameworks for AI agents. While Perplexity’s Comet is among the first widely deployed “agentic” browsers, competitors such as Anthropic’s Chrome extension and other AI‑enhanced tools face similar challenges in delineating user intent from autonomous actions. Until robust permission controls and transparent user prompts become default, the convenience of AI‑assisted browsing will continue to be balanced against the potential for silent, credential‑stealing exploits.