TL;DR: Agentic browsers such as Perplexity Comet can be affected by PleaseFix and can let attackers hijack AI agents, exfiltrate local files, and steal credentials within authenticated sessions, including password manager workflows, according to Zenity Labs. The breach shows that browser-era trust assumptions break when autonomous agents inherit user access and act without human validation.
NHIMG editorial — based on content published by Zenity: Zenity Labs discloses the PleaseFix vulnerability family in Perplexity Comet and other agentic browsers
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when an AI agent inherits a user’s browser session?
A: The session becomes the control point instead of the person.
Q: Why do agentic browsers create more risk than normal browsers?
A: They can interpret instructions and execute actions across connected tools while holding authenticated state.
Q: How should security teams govern password managers used through AI agents?
A: They should govern the workflow that requests and releases secrets, not only the vault storing them.
Practitioner guidance
- Separate agent authority from user authority Define which browser actions an agent may execute without human confirmation, and restrict local file access, password manager calls, and account recovery flows to explicit approval gates.
- Treat prompt-bearing content as an ingress point Classify calendar invites, embedded page content, and other untrusted inputs as security-relevant sources that can influence agent behaviour inside authenticated sessions.
- Constrain secret retrieval paths Move credential lookup and reuse behind policy checks that validate task context, destination, and purpose before secrets are exposed to an agent.
What's in the full article
Zenity's full research covers the operational detail this post intentionally leaves for the source:
- Step-by-step exploit paths for PerplexedBrowser across local file exfiltration and credential theft scenarios.
- Technical breakdown of how indirect prompt injection reaches agentic browser execution paths inside authenticated sessions.
- The interaction between browser-side agent execution, password managers, and downstream account takeover risk.
- Responsible disclosure context, including what was fixed before public release and what remained in scope.
👉 Read Zenity's disclosure of the PleaseFix agentic browser vulnerability family →
Agentic browsers and credential theft: are your controls keeping up?
Explore further
Agentic browser trust fails because the session, not the user, becomes the exploitation surface. The article shows that once an AI agent inherits authenticated browser context, malicious content can steer actions without a fresh trust decision from the human. That breaks the assumption that user presence equals user control. Practitioners should treat the browser session as an identity boundary with its own governance requirements.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an agentic browser exposes files or credentials?
A: Accountability sits with the teams that approved the delegated workflow, the owner of the agent identity, and the security function that defined its access boundaries. If the session can act without human validation, then authentication alone is not enough to prove proper governance.
👉 Read our full editorial: Agentic browser trust failures expose a new credential theft path