Agentic browsers and credential theft: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Agentic browsers such as Perplexity Comet can be affected by PleaseFix, which can let attackers hijack AI agents, exfiltrate local files, and steal credentials within authenticated sessions, including password manager workflows, according to Zenity Labs. The breach shows that browser-era trust assumptions break when autonomous agents inherit user access and act without human validation.

NHIMG editorial — based on content published by Zenity: Zenity Labs discloses the PleaseFix vulnerability family in Perplexity Comet and other agentic browsers

Questions worth separating out

Q: What breaks when an AI agent inherits a user’s browser session?

A: The session becomes the control point instead of the person.

Q: Why do agentic browsers create more risk than normal browsers?

A: They can interpret instructions and execute actions across connected tools while holding authenticated state.

Q: How should security teams govern password managers used through AI agents?

A: They should govern the workflow that requests and releases secrets, not only the vault storing them.

Practitioner guidance

  • Separate agent authority from user authority: Define which browser actions an agent may execute without human confirmation, and restrict local file access, password manager calls, and account recovery flows to explicit approval gates.
  • Treat prompt-bearing content as an ingress point: Classify calendar invites, embedded page content, and other untrusted inputs as security-relevant sources that can influence agent behaviour inside authenticated sessions.
  • Constrain secret retrieval paths: Move credential lookup and reuse behind policy checks that validate task context, destination, and purpose before secrets are exposed to an agent.
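
One way to express the three points above as a single policy function that sits between the agent and gated actions. This is an added example, not code from Zenity or NHIMG; the action names, source labels and `AgentRequest` fields are hypothetical, and denying gated actions whenever untrusted content fed the plan is a design assumption.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical labels; a real agentic browser exposes its own action and source names.
GATED_ACTIONS = {"read_local_file", "password_manager_fill", "account_recovery"}
UNTRUSTED_SOURCES = {"calendar_invite", "embedded_page_content"}
DEFAULT_PORTS = {"https": 443, "http": 80}

@dataclass(frozen=True)
class AgentRequest:
    action: str                # what the agent wants to do
    destination: str           # URL (or path) the action targets
    task_origin: str           # site the user actually asked the agent to work on
    influenced_by: frozenset   # content sources that fed the agent's current plan
    human_approved: bool = False

def origin(url):
    """Return (scheme, host, port) or None if the URL has no usable origin."""
    try:
        p = urlsplit(url)
        port = p.port or DEFAULT_PORTS.get(p.scheme)
    except ValueError:         # malformed port or netloc
        return None
    return (p.scheme, p.hostname, port) if p.hostname and port else None

def decide(req):
    """Return 'allow', 'needs_approval' or 'deny' for one agent action."""
    if req.action not in GATED_ACTIONS:
        return "allow"         # ordinary browsing stays under agent authority
    if req.action == "password_manager_fill":
        dest, task = origin(req.destination), origin(req.task_origin)
        # Destination check: secrets go only to the HTTPS origin the task is about.
        if dest is None or dest[0] != "https" or dest != task:
            return "deny"
    # Ingress check: a plan shaped by prompt-bearing content never reaches a
    # gated action, even if an approval flag is already set.
    if req.influenced_by & UNTRUSTED_SOURCES:
        return "deny"
    # Everything else that is gated waits for explicit human confirmation.
    return "allow" if req.human_approved else "needs_approval"

# Constructed sample requests (not taken from the Zenity research).
USER_ONLY = frozenset({"user_prompt"})
SAMPLES = [
    AgentRequest("navigate", "https://news.example/", "https://news.example/", USER_ONLY),
    AgentRequest("password_manager_fill", "https://bank.example/login",
                 "https://bank.example/", USER_ONLY),
    AgentRequest("password_manager_fill", "https://other.example/form",
                 "https://bank.example/", USER_ONLY, human_approved=True),
    AgentRequest("read_local_file", "/home/user/notes.txt", "https://mail.example/",
                 frozenset({"user_prompt", "calendar_invite"}), human_approved=True),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.action:24} -> {decide(r)}")
```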

What's in the full article

Zenity's full research covers the operational detail this post intentionally leaves for the source:

  • Step-by-step exploit paths for PerplexedBrowser across local file exfiltration and credential theft scenarios.
  • Technical breakdown of how indirect prompt injection reaches agentic browser execution paths inside authenticated sessions.
  • The interaction between browser-side agent execution, password managers, and downstream account takeover risk.
  • Responsible disclosure context, including what was fixed before public release and what remained in scope.

👉 Read Zenity's disclosure of the PleaseFix agentic browser vulnerability family →
