Researcher Uncovers ‘PleaseFix’ Vulnerabilities Impacting AI Agent Browsers
The vulnerabilities affect agentic browsers, including Perplexity Comet browser, which rely on AI agents to interpret instructions and autonomously perform tasks across applications and services.
Zenity Labs has disclosed a new family of security vulnerabilities dubbed PleaseFix, warning that flaws in emerging AI-powered “agentic browsers” could allow attackers to hijack AI agents, access local files and steal user credentials without any user interaction.
The vulnerabilities affect agentic browsers, including Perplexity Comet browser, which rely on AI agents to interpret instructions and autonomously perform tasks across applications and services.
According to the researchers, attackers can exploit malicious content embedded in everyday workflows to trigger unauthorized actions inside authenticated user sessions.
The disclosure includes a subfamily of vulnerabilities known as PerplexedBrowser, which introduces two separate exploit paths stemming from indirect prompt injection techniques.
In the first scenario, attackers can trigger a zero-click agent compromise that grants access to a user’s local file system and allows data exfiltration, while the AI agent continues to provide normal responses to the user.
A second exploit targets workflows integrated with password managers such as 1Password. By abusing agent-authorised workflows, attackers could manipulate the agent to retrieve stored credentials or potentially take over user accounts, even though the password manager itself is not directly compromised.
Zenity Labs said the vulnerabilities demonstrate how AI agents expand the traditional browser attack surface because they can autonomously execute tasks using permissions granted by users.
“This is not a bug. It is an inherent vulnerability in agentic systems,” said Michael Bargury, co-founder and CTO of Zenity. “Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted. This is an agent trust failure that exposes data, credentials and workflows in ways existing security controls were never designed to see.”
Zenity said it responsibly disclosed the findings to affected vendors prior to publication, and mitigations have already been introduced to address parts of the issue.
Last year, Brave Software, the company behind the Brave browser, has uncovered new security flaws across AI-powered browsers, warning that “agentic browsing” — where AI tools act on behalf of users — introduces deep systemic risks.
