Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Agentic browsers and credential theft: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Agentic browsers such as Perplexity Comet can be affected by PleaseFix and can let attackers hijack AI agents, exfiltrate local files, and steal credentials within authenticated sessions, including password manager workflows, according to Zenity Labs. The breach shows that browser-era trust assumptions break when autonomous agents inherit user access and act without human validation.

NHIMG editorial — based on content published by Zenity: Zenity Labs discloses the PleaseFix vulnerability family in Perplexity Comet and other agentic browsers

By the numbers:

Questions worth separating out

Q: What breaks when an AI agent inherits a user’s browser session?

A: The session becomes the control point instead of the person.

Q: Why do agentic browsers create more risk than normal browsers?

A: They can interpret instructions and execute actions across connected tools while holding authenticated state.

Q: How should security teams govern password managers used through AI agents?

A: They should govern the workflow that requests and releases secrets, not only the vault storing them.

Practitioner guidance

  • Separate agent authority from user authority Define which browser actions an agent may execute without human confirmation, and restrict local file access, password manager calls, and account recovery flows to explicit approval gates.
  • Treat prompt-bearing content as an ingress point Classify calendar invites, embedded page content, and other untrusted inputs as security-relevant sources that can influence agent behaviour inside authenticated sessions.
  • Constrain secret retrieval paths Move credential lookup and reuse behind policy checks that validate task context, destination, and purpose before secrets are exposed to an agent.

What's in the full article

Zenity's full research covers the operational detail this post intentionally leaves for the source:

  • Step-by-step exploit paths for PerplexedBrowser across local file exfiltration and credential theft scenarios.
  • Technical breakdown of how indirect prompt injection reaches agentic browser execution paths inside authenticated sessions.
  • The interaction between browser-side agent execution, password managers, and downstream account takeover risk.
  • Responsible disclosure context, including what was fixed before public release and what remained in scope.

👉 Read Zenity's disclosure of the PleaseFix agentic browser vulnerability family →

Agentic browsers and credential theft: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Agentic browser trust fails because the session, not the user, becomes the exploitation surface. The article shows that once an AI agent inherits authenticated browser context, malicious content can steer actions without a fresh trust decision from the human. That breaks the assumption that user presence equals user control. Practitioners should treat the browser session as an identity boundary with its own governance requirements.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who is accountable when an agentic browser exposes files or credentials?

A: Accountability sits with the teams that approved the delegated workflow, the owner of the agent identity, and the security function that defined its access boundaries. If the session can act without human validation, then authentication alone is not enough to prove proper governance.

👉 Read our full editorial: Agentic browser trust failures expose a new credential theft path



   
ReplyQuote
Share: