Notifications
Clear all
Topic starter
07/06/2026 7:54 pm
TL;DR: A zero-click flaw in Perplexity Comet can turn a routine calendar invite into local file access and silent exfiltration, exposing the limits of current agentic browser safeguards, according to Zenity Labs’ PerplexedBrowser disclosure. The trust boundary between user intent and untrusted input collapses once the browser agent can act autonomously on page content.
NHIMG editorial — based on content published by Zenity: PerplexedBrowser and the risk of handing local files to an attacker through an agentic browser
Questions worth separating out
Q: How should security teams govern agentic browsers that can act on calendar invites?
A: They should treat the browser as a privileged identity with a narrow, explicitly approved action set.
Q: What breaks when an AI browser can read local files inside a user session?
A: The normal separation between browsing activity and local data access breaks down.
Q: How do you know if agentic browser guardrails are actually working?
A: They are working only if the agent is stopped before it can open local resources or send data externally from untrusted content.
Practitioner guidance
- Block autonomous file-system access from agentic browsers Remove direct file:// reach and any equivalent local resource access from AI browsers used on managed endpoints.
- Classify calendar and collaboration content as hostile input Treat invites, embedded notes, and linked content as untrusted instructions when they are consumed by an autonomous browser.
- Separate agent sessions from high-value secrets Use isolated browser profiles, constrained device contexts, and hard boundaries around token stores, SSH material, and password exports.
What's in the full article
Zenity's full blog post covers the technical exploit detail this analysis intentionally leaves for the source:
- The step-by-step PerplexedBrowser exploit path from calendar invite to local file access and exfiltration.
- The specific browser behaviours that let attacker content redirect an autonomous agent's intent.
- Zenity's disclosure context, including the PleaseFix vulnerability family and related agentic browser subfamilies.
- The broader product and workflow implications for organisations evaluating AI browser deployments.
👉 Read Zenity's analysis of the PerplexedBrowser agentic browser vulnerability →
Agentic browser trust boundaries: are your controls keeping up?
Explore further
07/06/2026 9:39 pm
Intent recognition without hard boundaries is now a broken control premise. Agentic browsers do not just render content, they interpret it and then act. That means the old assumption that untrusted input stays separated from privileged execution no longer holds once the browser is autonomous. The implication is that security teams must stop treating content filtering as equivalent to execution control.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Another finding from the same research shows only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an autonomous browser exfiltrates sensitive data?
A: Accountability sits with the organisation operating the agent, because the browser was allowed to act inside a trusted user context without a strong authorization boundary. Governance teams should map responsibility across endpoint security, identity, and application owners, since the failure spans more than one control domain.
👉 Read our full editorial: PerplexedBrowser shows why agentic browsers need hard trust boundaries
