TL;DR: Agentic browsers can be hijacked through ordinary content and expected actions, enabling file exfiltration, credential theft, and full 1Password account takeover without malware or a classic exploit, according to Zenity Labs. The deeper problem is that autonomous browsing turns untrusted content into executable input, collapsing the assumptions behind current IAM and NHI controls.
NHIMG editorial — based on content published by Zenity: PleaseFix: 0Click Exploits Against Agentic Browsers
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams govern agentic browsers that can read and act on web content?
A: Security teams should treat agentic browsers as delegated identity executors, not passive tools.
Q: Why do agentic browsers create more risk than normal browser automation?
A: Agentic browsers create more risk because they can interpret untrusted content, inherit live session state, and choose actions in context without a human click at every step.
Q: What breaks when an autonomous browser agent is allowed into a password manager session?
A: What breaks is the assumption that password manager access remains visible, deliberate, and reviewable.
Practitioner guidance
- Define a hard boundary between content and execution Prevent agent workflows from treating untrusted page content, calendar text, or embedded instructions as executable steps.
- Restrict authenticated session inheritance for browser agents Limit what an agent can do inside an already authenticated browser session, especially access to password managers, account settings, and file:// paths.
- Instrument agent-triggered secret exposure events Log when an agent opens a vault entry, reveals a masked secret, touches recovery flows, or changes account settings.
What's in the full article
Zenity's full research covers the operational detail this post intentionally leaves for the source:
- Step-by-step attack paths for the Perplexity Comet subfamily of PleaseFix attacks, including the exact content delivery pattern.
- Detailed behaviour of the hidden instruction blocks and how the agent was redirected between tasks.
- The precise file exfiltration, credential theft, and 1Password takeover sequences used in the demonstrations.
- Vendor-reported mitigations and boundary changes already applied to block part of the attack surface.
👉 Read Zenity’s research on PleaseFix attacks against agentic browsers →
Agentic browser content injection: are your controls keeping up?
Explore further
Content injection is the new trust boundary failure for agentic browsers. The agent does not need a bug in the browser to be compromised. It only needs untrusted content to be accepted as part of the task context, which collapses the separation between reading and executing. The practical conclusion is that browser governance now has to treat content provenance as part of identity and access control, not as a separate web security concern.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should be accountable when a browser agent exposes files or credentials?
A: Accountability should sit with the team that governs the delegated session, the identity permissions behind it, and the systems that allowed secret exposure or recovery changes. If an organisation lets an agent act inside a human session, then access review, PAM, and browser governance all share responsibility for the resulting blast radius.
👉 Read our full editorial: Agentic browser attacks expose a new content injection risk