- Zenity researchers discovered PleaseFixa non-click indirect prompt injection flaw in Comet browser
- Malicious calendar invites could trick AI into exfiltrating passwords and sensitive files without the user’s knowledge.
- Bug fixed with restrictions on access to file://, preventing agents from reading the local file system
Perplexity’s AI-powered Comet web browser is vulnerable to indirect rapid injection attacks, which malicious actors can exploit to exfiltrate sensitive data such as passwords, experts have warned.
Security researchers Zenity dubbed the flaw PleaseFix and demonstrated various ways to abuse it.
In a technical blog, Zenity explained that PleaseFix was a zero-click vulnerability, meaning it did not require the victim to execute a command or malware. All the victim needs to do is go about their daily activities as they normally would.
Zero-click
At the heart of the problem is that AI agents cannot distinguish between data and instructions. If the user asks the AI to read a certain data set and act accordingly, and that data set contains its own prompt, the agent will execute it without alerting the victim.
In practice, as Zenity has shown, it works like this: a malicious actor can send a calendar invitation to their target that, by all accounts, may appear genuine and harmless. The calendar entry can be anything from a regular call to a job interview. If the victim adds the invitation to their calendar and then asks Comet to summarize it or help them prepare for it, the AI agent will execute that command, even if the calendar entry has its own prompt.
In this scenario, the calendar entry contained a prompt to browse the victim’s folders, search for documents named “passwords” or similar, and exfiltrate any information found. An alternative scenario shows how the same tactic can be used to exfiltrate passwords stored in a password manager.
The worst part of this attack is that the victim is not aware of it. Everything happens in the background, and while the victim reads the AI-generated summary, as they expected, the AI in the background transformed into a malicious insider and worked for the attacker.
Zenity said the bug was fixed following responsible disclosure.
“The fix includes a new hard limit that deterministically limits the browser’s ability to autonomously access file:// paths,” the researchers explained.
“This means that while the user will still be able to access these paths, the agent will not be able to do so. Regardless of the prompt or situation, the agent will not be able to navigate or operate in URLs starting with file:// and access the user’s local file system.”
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
