- Zenity researchers discovered PleaseFix, a zero-click indirect prompt injection bug in the Comet browser
- Malicious calendar invites could trick the AI into extracting passwords and sensitive files without the user realizing
- The bug has been fixed by restricting access to file:// paths, preventing the agent from reading the local file system
Perplexity’s AI-powered Comet web browser was vulnerable to indirect prompt injection attacks, which threat actors could exploit to leak sensitive data such as passwords, experts have warned.
Security researchers at Zenity named the flaw PleaseFix and demonstrated several ways it could be abused.
In a technical blog post, Zenity explained that PleaseFix was a zero-click vulnerability, meaning it did not require the victim to run a command or a malicious program. All the victim has to do is go about their day as they normally would.
Zero click
At the heart of the problem is the fact that AI agents cannot distinguish between data and instructions. If the user tells the AI to read a certain set of data and act accordingly, and if that set of data contains a message of its own, the agent will execute it without alerting the victim.
In practice, as Zenity demonstrated, it works like this: a malicious actor sends a calendar invite to their target that, by all accounts, appears authentic and benign. The calendar entry can be anything from a routine call to a job interview. If the victim adds the invitation to their calendar and then asks Comet to summarize it or help them prepare, the AI agent carries out that request, and also acts on any instructions the attacker has embedded in the calendar entry.
In this scenario, the calendar entry contained a message to review the victim’s files, search for documents called “passwords” or similar, and extract any information that was found. An alternative scenario shows how the same tactic can be used to leak passwords stored in a password manager.
The worst part of the attack is that the victim does not realize it is happening. Everything happens in the background: while the victim reads the AI-generated summary they expected, the AI has become a malicious insider working for the attacker.
Zenity said the flaw was fixed after responsible disclosure.
“The fix includes a new hard limit that deterministically limits the browser’s ability to autonomously access file:// paths,” the researchers explained.
“This means that while the user will still be able to access these paths, the agent will not be able to do so. No matter the message or situation, the agent will not be able to navigate or operate on URLs that begin with file:// or access the user’s local file system.”
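As an added illustration of the kind of deterministic guard the fix describes (example code, not Perplexity's or Zenity's), the following Python models a navigation gate that refuses agent-initiated requests for file:// URLs regardless of what any instruction says, while leaving the user's own navigation unaffected; the function names and the blocked-scheme set are assumptions of this example.

```python
"""Deterministic navigation guard for a browser agent (added example, not
Perplexity's fix). Whatever an injected calendar entry says, requests that
originate from the agent may never resolve to file://; the user's own
navigation is untouched."""
from urllib.parse import urljoin, urlsplit

# The page names only file://; keeping a set is an assumption of this example.
AGENT_BLOCKED_SCHEMES = frozenset({"file"})


class AgentLocalAccessDenied(Exception):
    """Raised when an agent-initiated request targets the local file system."""


def canonical_scheme(url: str, current_page: str) -> str:
    """Lower-case scheme the request would really resolve to.

    Surrounding whitespace and embedded tab/newline characters are dropped
    and relative references are resolved against the current page, so
    'FILE:///x', ' file:///x\\n' and '../x' on a file:// page all yield 'file'.
    """
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    return urlsplit(urljoin(current_page, cleaned)).scheme.lower()


def agent_may_navigate(url: str, current_page: str) -> bool:
    """Policy decision for an agent-initiated navigation."""
    return canonical_scheme(url, current_page) not in AGENT_BLOCKED_SCHEMES


def navigate(url: str, current_page: str, initiated_by: str, fetch):
    """Single choke point for all navigation; fetch is the real browser call.

    initiated_by is 'user' or 'agent'; only the agent is subject to the limit.
    """
    if initiated_by == "agent" and not agent_may_navigate(url, current_page):
        raise AgentLocalAccessDenied(f"agent may not open {url!r}")
    return fetch(url)


if __name__ == "__main__":
    # Constructed demo: an instruction smuggled into a calendar entry asks the
    # agent to open a local file; the gate refuses it but the user may proceed.
    injected = "FILE:///home/victim/Documents/passwords.txt"
    page = "https://calendar.example/event/42"
    try:
        navigate(injected, page, "agent", fetch=lambda u: f"fetched {u}")
    except AgentLocalAccessDenied as exc:
        print("blocked:", exc)
    print(navigate(injected, page, "user", fetch=lambda u: f"fetched {u}"))
```

The check runs on the resolved, normalized scheme rather than on a raw string prefix, so case differences, surrounding whitespace and relative paths on a local page cannot slip past it.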