Agentic browser content injection: are your controls keeping up?


(@nhi-mgmt-group)

TL;DR: Agentic browsers can be hijacked through ordinary content and expected actions, enabling file exfiltration, credential theft, and full 1Password account takeover without malware or a classic exploit, according to Zenity Labs. The deeper problem is that autonomous browsing turns untrusted content into executable input, collapsing the assumptions behind current IAM and NHI controls.

NHIMG editorial — based on content published by Zenity: PleaseFix: 0Click Exploits Against Agentic Browsers

Questions worth separating out

Q: How should security teams govern agentic browsers that can read and act on web content?

A: Security teams should treat agentic browsers as delegated identity executors, not passive tools.

Q: Why do agentic browsers create more risk than normal browser automation?

A: Agentic browsers create more risk because they can interpret untrusted content, inherit live session state, and choose actions in context without a human click at every step.

Q: What breaks when an autonomous browser agent is allowed into a password manager session?

A: What breaks is the assumption that password manager access remains visible, deliberate, and reviewable.

Practitioner guidance

  • Define a hard boundary between content and execution. Prevent agent workflows from treating untrusted page content, calendar text, or embedded instructions as executable steps.
  • Restrict authenticated session inheritance for browser agents. Limit what an agent can do inside an already authenticated browser session, especially access to password managers, account settings, and file:// paths.
  • Instrument agent-triggered secret exposure events. Log when an agent opens a vault entry, reveals a masked secret, touches recovery flows, or changes account settings.

What's in the full article

Zenity's full research covers the operational detail this post intentionally leaves for the source:

  • Step-by-step attack paths for the Perplexity Comet subfamily of PleaseFix attacks, including the exact content delivery pattern.
  • Detailed behaviour of the hidden instruction blocks and how the agent was redirected between tasks.
  • The precise file exfiltration, credential theft, and 1Password takeover sequences used in the demonstrations.
  • Vendor-reported mitigations and boundary changes already applied to block part of the attack surface.

👉 Read Zenity’s research on PleaseFix attacks against agentic browsers →
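
The three points under "Practitioner guidance" can be combined into one pre-execution gate. The sketch below is an added example, not code from Zenity, NHIMG or any browser vendor. It assumes a hypothetical agent runtime that tags every planned action with a `kind`, a `url` and the `source` of the instruction; the host names, action kinds and field names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed policy values; every name here is an assumption of this example.
TRUSTED_SOURCES = {"user_prompt"}            # page, email, calendar text is untrusted
SENSITIVE_HOSTS = {"vault.example.com"}      # placeholder password manager host
SENSITIVE_KINDS = {"open_vault_entry", "reveal_secret",
                   "recovery_flow", "change_account_setting"}

def evaluate(action):
    """Return (decision, reason) for one action the agent plans to take."""
    url = urlsplit(action.get("url", ""))    # urlsplit lowercases scheme and hostname
    host = url.hostname or ""
    if action.get("source") not in TRUSTED_SOURCES:
        return "deny", "instruction originated in untrusted content"
    if url.scheme == "file":
        return "deny", "file:// paths are closed to the agent"
    on_sensitive_host = any(host == h or host.endswith("." + h) for h in SENSITIVE_HOSTS)
    if on_sensitive_host or action.get("kind") in SENSITIVE_KINDS:
        return "confirm", "sensitive session or secret exposure needs a human"
    return "allow", "within policy"

def gate(action):
    """Evaluate an action and attach a JSON audit record for anything not allowed."""
    decision, reason = evaluate(action)
    record = None
    if decision != "allow":
        record = json.dumps({"actor": "browser-agent", "decision": decision,
                             "reason": reason, "kind": action.get("kind"),
                             "url": action.get("url"), "source": action.get("source")},
                            sort_keys=True)
    return {"decision": decision, "reason": reason, "audit": record}

# Constructed sample actions, as an agent runtime might queue them.
SAMPLE_ACTIONS = [
    {"kind": "navigate", "url": "https://news.example.org/a", "source": "user_prompt"},
    {"kind": "read_file", "url": "file:///home/user/notes.txt", "source": "user_prompt"},
    {"kind": "reveal_secret", "url": "https://vault.example.com/item/1", "source": "page_content"},
    {"kind": "open_vault_entry", "url": "https://vault.example.com/item/1", "source": "user_prompt"},
]

if __name__ == "__main__":
    for a in SAMPLE_ACTIONS:
        print(gate(a)["decision"], a["kind"], a["url"])
```

The gate is only as good as the `source` tag: if the runtime cannot tell a user instruction from text it read on a page, the first check has nothing to enforce.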
