'The attack requires no exploit, no user clicks, and no explicit request for sensitive actions': Experts say Perplexity's AI Comet browser can be hijacked to steal your passwords

2026-03-03 14:00

Security researchers found a zero-click exploit in Perplexity AI browser, and helped fix it.

By Sead Fadilpašić, published 3 March 2026

Perplexity Comet Mobile (Image credit: Perplexity)
  • Zenity researchers uncovered PleaseFix, a zero-click indirect prompt injection flaw in Comet browser
  • Malicious calendar invites could trick the AI into exfiltrating passwords and sensitive files without user awareness
  • Bug patched with restrictions on file:// access, preventing agents from reading local filesystem

Perplexity’s AI-powered Comet web browser is vulnerable to indirect prompt injection attacks, which threat actors can exploit to exfiltrate sensitive data such as passwords, experts have warned.

Security researchers at Zenity dubbed the flaw PleaseFix and demonstrated several ways in which it could be abused.

In a technical blog, Zenity explained that PleaseFix was a zero-click vulnerability, meaning it did not require the victim to run a malicious command or program. All the victim needs to do is go about their day as they normally would.

Zero-click

At the heart of the problem is the fact that AI agents cannot distinguish between data and instructions. If the user tells the AI to read a certain data set and act on it, and that data set contains a prompt of its own, the agent will follow the embedded prompt without alerting the victim.

In practice, as Zenity showed, it works like this: a malicious actor sends a calendar invite to their target which, by all accounts, can look authentic and benign. The calendar entry can be anything from a routine call to a job interview. If the victim adds the invite to their calendar and later asks Comet to summarize it or help prepare for it, the AI agent carries out that request, and along with it any prompt the calendar entry has embedded of its own.

In this scenario, the calendar entry contained a prompt to scour the victim’s files, look for documents named “passwords” or similar, and exfiltrate whatever information is found. An alternate scenario shows how the same tactic can be used to exfiltrate passwords stored in a password manager.

The worst part of the attack is that the victim is oblivious. Everything happens in the background: while the victim reads the AI-generated summary they expected, the AI has turned into a malicious insider and is working for the attacker.

Zenity said the bug was fixed following responsible disclosure.

“The fix includes a new hard boundary deterministically limiting the browser’s ability to autonomously access file:// paths,” the researchers explained.

“This means that while the user will still be able to access these paths, the agent is restricted from doing so. No matter the prompt or the situation, the agent wouldn’t be able to navigate or operate in URLs starting with file:// and access the user’s local filesystem.”
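The fix Zenity describes is a boundary that does not depend on the prompt at all, which is exactly what the data-versus-instruction confusion above calls for. As an added illustration (not Perplexity's or Zenity's code), here is how such a gate can be written for agent-initiated navigation; the "user"/"agent" initiator label, the base-URL resolution and the sample URLs are assumptions, and the only blocked scheme is file:// because that is all the page describes.

```python
from urllib.parse import urljoin, urlsplit

# Only file:// is described on the page, so it is the only blocked scheme.
AGENT_BLOCKED_SCHEMES = frozenset({"file"})


def effective_scheme(url: str, base_url: str) -> str:
    """Scheme the navigation actually lands on, after browser-style
    normalisation: strip surrounding whitespace/control chars, resolve
    relative URLs against the current document, compare schemes
    case-insensitively. A naive startswith("file://") misses all three."""
    cleaned = url.strip(" \t\r\n\x00")
    return urlsplit(urljoin(base_url, cleaned)).scheme.lower()


def agent_may_navigate(url: str, initiator: str,
                       base_url: str = "about:blank") -> bool:
    """Deterministic hard boundary on agent navigation.

    initiator is "user" for a navigation the person performed and "agent"
    for one the AI performs autonomously (an assumed interface, not one
    Comet exposes). The decision depends only on the initiator and the
    resolved scheme, never on the prompt, so an instruction injected via a
    calendar entry or web page cannot argue its way past it."""
    if initiator == "user":
        return True
    return effective_scheme(url, base_url) not in AGENT_BLOCKED_SCHEMES


def audit(attempts):
    """Decide a list of (url, initiator, base_url) attempts; returns
    (url, initiator, allowed) tuples, i.e. the log a reviewer wants."""
    return [(u, who, agent_may_navigate(u, who, base)) for u, who, base in attempts]


if __name__ == "__main__":
    # Constructed sample of what an injected "find the passwords file"
    # instruction might drive the agent to attempt, plus legitimate cases.
    sample = [
        ("file:///home/alice/passwords.txt", "agent", "https://calendar.example/"),
        ("FILE:///home/alice/passwords.txt", "agent", "https://calendar.example/"),
        ("  file:///home/alice/passwords.txt", "agent", "https://calendar.example/"),
        ("passwords.txt", "agent", "file:///home/alice/notes.html"),
        ("https://calendar.example/event/42", "agent", "https://calendar.example/"),
        ("file:///home/alice/passwords.txt", "user", "https://calendar.example/"),
    ]
    for url, who, allowed in audit(sample):
        print(f"{'ALLOW' if allowed else 'DENY '} {who:5} {url}")
```

The relative-URL case matters because an agent already sitting on a file:// document would otherwise reach the local filesystem with a path that never spells out the scheme.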

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
