The Perilous Power of AI: Perplexity’s Comet Browser Hijacked by a Calendar Invite

The convergence of powerful AI agents and readily available personal data presents a fascinating yet perilous landscape for cybersecurity. A recent discovery by Zenity Labs casts a stark light on these emerging risks: Perplexity’s Comet browser, a tool designed to enhance productivity through AI, has been found vulnerable to a sophisticated zero-click attack. This vulnerability, dubbed PerplexedBrowser, demonstrates how even seemingly innocuous calendar invites can be weaponized to exfiltrate sensitive user data.

Understanding the PerplexedBrowser Vulnerability

At the heart of the PerplexedBrowser attack lies a critical flaw in how Perplexity’s Comet browser’s AI agent processes and interacts with local files. Specifically, security researchers at Zenity Labs uncovered that a maliciously crafted Google Calendar invitation could trick the Comet AI agent into reading arbitrary local files on a user’s system. The attack is ingeniously simple, requiring minimal user interaction beyond a routine request for the AI agent to handle a meeting invite.

This method circumvents traditional security measures because it leverages the AI’s inherent capabilities and permissions to access files that would otherwise be protected. Once granted, even implicitly, the AI agent can be coerced into exfiltrating credentials, confidential documents, or any other sensitive data accessible to the user’s account.

The Zero-Click Attack Vector: Calendar Invite Weaponization

The “zero-click” nature of this exploit makes it particularly dangerous. Unlike phishing attacks that rely on users clicking malicious links or opening infected attachments, PerplexedBrowser is triggered by simply asking the Comet AI agent to process a weaponized calendar invite. This can happen in various scenarios, such as:

• A user forwarding a meeting invite to the Comet AI for scheduling assistance.
• The AI autonomously reviewing upcoming calendar events to provide timely reminders or context.

The malicious calendar invite likely contains specially crafted instructions or references that, when interpreted by the Comet AI, compel it to execute commands or access file paths it otherwise shouldn’t. This misdirection allows the attacker to leverage the AI’s existing permissions to read and potentially transmit sensitive data from the local machine.

Identifying the Impact and Potential for Data Exfiltration

The direct consequence of the PerplexedBrowser vulnerability is the unauthorized exfiltration of sensitive data. This could include:

• Login Credentials: Stored browser cookies, password manager data, or configuration files containing access tokens.
• Confidential Documents: Business reports, personal identifiable information (PII), intellectual property, or other sensitive files.
• System Information: Network configurations, user profiles, or other data that could aid further attacks.

Given the increasing reliance on AI-driven tools in professional and personal workflows, the scope of potential data loss is significant. Organisations utilising Perplexity’s Comet browser should immediately assess their exposure and implement mitigation strategies.

Remediation Actions and Best Practices

Addressing vulnerabilities like PerplexedBrowser requires both immediate action and a long-term strategic approach to AI security. While a specific CVE ID for PerplexedBrowser has not yet been publicly assigned at the time of this publication, the principles of remediation remain critical.

• Immediate Update: Ensure all instances of Perplexity’s Comet browser are updated to the latest available version. Vendors typically release patches promptly for critical vulnerabilities.
• Review AI Agent Permissions: Scrutinize the file system access and administrative permissions granted to AI agents and AI-driven applications. Adhere to the principle of least privilege.
• User Education: Educate users about the dangers of feeding untrusted or suspicious data, even seemingly innocuous items like calendar invites, to AI agents. Highlight the potential for these agents to be exploited.
• Network Monitoring: Enhance network monitoring to detect unusual outbound connections or data exfiltration attempts originating from systems running AI-driven browsers or applications.
• Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor for suspicious file access patterns or process activity on endpoints, which could indicate a successful exploit.

Tools for Detection and Mitigation

While the PerplexedBrowser vulnerability highlights a specific browser flaw, a broader security posture can be strengthened by employing various cybersecurity tools:

Tool Name	Purpose	Link
Endpoint Detection and Response (EDR) Solutions	Detect and respond to sophisticated threats, including suspicious file access and process anomalies.	Gartner EPP MQ (for vendor comparison)
Network Intrusion Detection/Prevention Systems (NIDS/NIPS)	Monitor network traffic for malicious activity and data exfiltration attempts.	https://www.snort.org/
Security Information and Event Management (SIEM)	Aggregate and analyze security logs from various sources to identify threats and compliance issues.	https://www.splunk.com/
MFA (Multi-Factor Authentication)	Enhance credential security, making it harder for stolen credentials to be used.	NIST MFA Guidelines

Conclusion

The PerplexedBrowser vulnerability serves as a critical reminder that as AI agents become more intertwined with our digital lives, their security implications demand rigorous scrutiny. The ability to hijack a sophisticated AI browser like Perplexity’s Comet with a simple calendar invite underscores the need for robust security by design in AI development and proactive, vigilant cybersecurity practices from users and organizations alike. Staying informed, promptly applying updates, and educating users are paramount in this evolving threat landscape.