
A calendar invite is all it took to hijack Perplexity's Comet browser and steal 1Password credentials


Key Points

  • Security researchers have shown how a manipulated calendar invite can trick Perplexity's agentic Comet browser into stealing local files and taking over a full 1Password account - without exploiting a traditional vulnerability.
  • The agent can't distinguish between user intent and embedded attacker instructions ("intent collision") and uses the authenticated browser context, including the unlocked password vault.
  • Both companies have shipped fixes, but some are opt-in - the default configuration remains exposed.

Security researchers demonstrate how a manipulated calendar invite can trick Perplexity's agentic Comet browser into stealing local files and taking over a full 1Password account.

Security researchers at Zenity Labs have demonstrated two attack paths that exploit Perplexity's agentic Comet browser. In both cases, all it takes is a manipulated calendar invite. The user simply asks Comet to handle the appointment - and from that moment on, the attack runs silently in the background without any further interaction.

Calendar invites are just one example vector, the researchers say. The same type of attack can be delivered through emails, documents, websites, or uploaded files. The only requirement is that Comet processes the content as part of a delegated task.

The first attack targets the local file system. Instructions embedded in the invite trick Comet into browsing directories, opening sensitive files, and sending their contents to an external server via URL parameters. To the browser, it looks like a normal page request.

The second attack goes much further: Comet navigates to the user's authenticated 1Password Web Vault, searches stored entries, exposes passwords, and sends the credentials to the attacker. In an escalated version, the agent changes the account password, extracts the email address and Secret Key, and enables a full account takeover. The researchers say their investigation was triggered by the partnership between Perplexity and 1Password announced in September 2025, which integrates the password manager directly into Comet's browser environment.

The attacks exploit how the browser works, not a traditional vulnerability

None of these attacks exploit a traditional software vulnerability. Comet operates within its intended capabilities, using the user's authenticated browser context. The researchers describe this as "Intent Collision" - the agent can't reliably distinguish between the user's intent and the attacker's instructions, so it merges both into a single execution plan.

In the 1Password case, the browser extension makes the problem worse: it stays unlocked for up to eight hours by default and automatically signs the user into the web interface. Any process running in the browser context inherits access to the password vault.

Fake buttons and Hebrew instructions help the attack slip past defenses

The attack technique is specifically tailored to Comet's internal architecture, the researchers say. They first extracted Comet's system prompt and discovered the agent uses a <system_reminder> structure internally. They then used this format in the manipulated calendar invite to give their instructions higher priority.

The visible portion of the invite contains nothing but harmless meeting details. Further down, separated by numerous blank lines from the visible area, the actual instructions appear. The researchers placed a fake button element with a Node ID there, which Comet interprets as a legitimate interactive UI element because it matches the browser's internal representation of page elements.

On top of that, the researchers deliberately used a mix of Hebrew, English, and narrative framing. The steps are presented as a story in which "Alice asks her assistant for help." According to the researchers, this combination reduces the likelihood that generic safety mechanisms flag the content as a malicious instruction.
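The three traits described in this section (a spoofed <system_reminder> block, instructions pushed below a long run of blank lines, mixed Hebrew and Latin text) can be checked before untrusted content reaches an agent. The following is an added example, not code from Zenity Labs, Perplexity or 1Password; the function name, signal names, threshold and sample invite are all assumptions constructed for illustration.

```javascript
// Added example: heuristic pre-filter for untrusted text (invite, email, page)
// that is about to be handed to a browsing agent. Names and the threshold are
// assumptions for illustration, not any vendor's detection logic.
const BLANK_RUN_THRESHOLD = 10; // assumed: consecutive line breaks treated as padding

function scanUntrustedContent(text) {
  const findings = [];

  // 1. Markup imitating the agent's internal control structure.
  if (/<\/?\s*system_reminder\b/i.test(text)) {
    findings.push("agent-control-tag");
  }

  // 2. Non-blank content that only appears after a long run of blank lines,
  //    i.e. text placed well below what a human reader sees.
  const blankRun = new RegExp(`(?:\\r?\\n[ \\t]*){${BLANK_RUN_THRESHOLD},}\\S`);
  if (blankRun.test(text)) {
    findings.push("content-after-blank-run");
  }

  // 3. Hebrew and Latin script in one item. Weak on its own, since bilingual
  //    invites are common, so it never triggers quarantine alone.
  if (/\p{Script=Hebrew}/u.test(text) && /\p{Script=Latin}/u.test(text)) {
    findings.push("mixed-script");
  }

  // A spoofed control tag is decisive; otherwise require two weaker signals.
  const quarantine =
    findings.includes("agent-control-tag") || findings.length >= 2;
  return { findings, quarantine };
}

// Constructed sample: harmless visible details, padding, then a placeholder
// standing in for the hidden block. No real instructions are included.
const CONSTRUCTED_INVITE =
  "Team sync\n10:00, Room 4" +
  "\n".repeat(12) +
  "<system_reminder>[constructed placeholder]</system_reminder> שלום";

console.log(scanUntrustedContent(CONSTRUCTED_INVITE));
```

A filter like this is a tripwire for triage, not a boundary: rephrased content will pass it, which is why the code-level capability restrictions described in the next section matter more.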

Fixes are in place, but some still require manual configuration

Zenity Labs reported the vulnerabilities to Perplexity and 1Password in October and November 2025. Perplexity implemented a hard block that prevents Comet from accessing file:// paths at the code level. The researchers specifically praise this approach: Perplexity treats the agentic browser itself as an untrusted entity and restricts its capabilities in the source code, rather than leaving the decision to the language model.

However, Zenity found a workaround through the view-source:file:/// path after the initial patch, which forced Perplexity to ship a second fix in February 2026. Users can also block sensitive domains under comet://settings/assistant. 1Password introduced options to disable automatic sign-in and require confirmation before filling passwords. 1Password also published a security advisory.
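The view-source:file:/// workaround shows why a prefix check on the URL string is not enough for a code-level block. The following is an added example of a navigation guard that unwraps wrapper schemes before deciding, alongside the naive check it replaces; it is not Perplexity's code, and the function names, the wrapper list and the blocked-domain list are assumptions.

```javascript
// Added example: hypothetical navigation guard for a browsing agent.
// Not Comet's implementation; scheme and domain lists are assumptions.
const BLOCKED_SCHEMES = new Set(["file:"]);
const WRAPPER_SCHEMES = new Set(["view-source:"]); // schemes that wrap another URL
const MAX_WRAPPER_DEPTH = 5;

// Naive check: only looks at the start of the string.
function naiveIsBlocked(rawUrl) {
  return rawUrl.trim().toLowerCase().startsWith("file://");
}

// Hardened check: parse, peel wrapper schemes, then test the innermost URL.
function isBlocked(rawUrl, blockedDomains = []) {
  let current = rawUrl.trim();
  for (let depth = 0; depth < MAX_WRAPPER_DEPTH; depth++) {
    let parsed;
    try {
      parsed = new URL(current);
    } catch {
      return true; // unparseable input: fail closed
    }
    if (BLOCKED_SCHEMES.has(parsed.protocol)) return true;
    if (WRAPPER_SCHEMES.has(parsed.protocol)) {
      // Drop the wrapper and re-check what it points at.
      current = current.slice(current.indexOf(":") + 1);
      continue;
    }
    // Innermost URL reached: apply the user-configured domain block list.
    const host = parsed.hostname.toLowerCase();
    return blockedDomains.some((d) => host === d || host.endsWith("." + d));
  }
  return true; // wrappers nested deeper than expected: fail closed
}

// Constructed inputs showing where the two checks disagree.
const wrapped = "view-source:file:///etc/passwd";
console.log(naiveIsBlocked(wrapped), isBlocked(wrapped)); // false true
```

The decision is made in code on the parsed URL, so it holds regardless of what the language model was persuaded to request.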

Both companies responded constructively, according to the researchers. But while Perplexity's hard block on file system access is active by default, the protections from 1Password and Comet's domain blocking still require manual configuration by the user. Anyone who doesn't adjust these settings remains exposed. MFA would have prevented a full account takeover, but not the extraction of individual vault entries.

The researchers recommend a zero-trust approach toward agentic browsers: minimal access, maximum distrust. Prompt injection is not a solved problem, and as AI systems gain more autonomy, the attack surface keeps growing.
