A newly discovered vulnerability in Perplexity’s Comet browser poses serious security risks, according to findings from Zenity Labs. Dubbed ‘PerplexedBrowser’, this flaw enables attackers to exploit Comet’s AI agent by using a seemingly harmless Google Calendar invite to exfiltrate sensitive data.
Understanding the Exploit
This zero-click vulnerability manipulates Comet’s handling of meeting invites. When users prompt the browser to manage an invite, the attack seamlessly blends malicious content with legitimate requests. The concealed payload, hidden under whitespace in the invite, tricks the browser into executing unauthorized commands.
The attack initiates when an attacker sends a realistic Google Calendar invite. Hidden within the invite are fake HTML elements that mimic Comet’s internal instructions. Upon acceptance, these elements merge with the user’s action, triggering a sequence of harmful operations.
Implications for Users
The impact of this exploit is significant. By coercing Comet to visit an attacker-controlled site, secondary instructions, cleverly disguised in Hebrew, bypass English-centric security protocols. This results in unauthorized access to local files and sensitive API keys.
Moreover, if a user has an active 1Password extension, the browser can access and potentially alter stored credentials. Although multi-factor authentication offers some protection, individual data still faces exposure.
Ongoing Security Concerns
This incident marks the sixth major security issue for Comet since its debut in July 2025. Previous vulnerabilities, such as CometJacking and prompt injection attacks, highlight ongoing structural weaknesses.
Zenity Labs reported this vulnerability in October 2025. Despite efforts, it took Perplexity four months to implement a full fix. Experts like Zenity CTO Michael Bargury and AI security authority Simon Willison warn that these issues stem from inherent flaws in agentic systems, making them challenging to resolve.
To mitigate risks, users are advised to maintain tight security on password managers and restrict agent access to sensitive areas. For continuous updates, follow us on Google News, LinkedIn, and X, and contact us to share your cybersecurity stories.
