Zenity Details Perplexity AI Browser Vulnerability
2026-3-3 14:27:45 Author: securityboulevard.com

Zenity, a provider of a platform for securing artificial intelligence (AI) applications and agents, today detailed how a zero-click attack could be launched against the Comet AI browser developed by Perplexity.

Company CTO Michael Bargury said the attack vector, dubbed PerplexedComet, enables a malicious attacker to control content in a way that can be used to trigger autonomous behavior across connected tools and workflows.

Part of a family of PleaseFix vulnerabilities found in AI browsers, PerplexedComet was used to send a benign calendar invite. Once the user asks Comet to accept the meeting, the rest of the flow executes without further interaction. Via an indirect prompt injection embedded in trusted calendar content, Comet is manipulated to access the local file system, browse directories, open sensitive files, and read their contents. The agent then exfiltrates the file contents to an external attacker-controlled website.

The PerplexedComet vulnerability was reported to Perplexity last October, with a stricter set of boundaries implemented in the Comet browser last month to improve cybersecurity, preventing this specific attack.

However, these types of indirect prompt injection attacks can be used to exploit a variety of AI agent execution models that create trust boundaries as tools are invoked across an integrated workflow, said Bargury.

The challenge is that these types of attacks require no exploit, no user clicks, and no explicit request to compromise a workflow, he added. Instead, once an AI browser accepts the framing of the task, access to files and data is provided, with detection occurring either too late to thwart the attack or not at all, noted Bargury. For example, in one instance, the PerplexedComet vulnerability was used to access data that Comet issued a warning about after the data had already been transmitted. In another, running fully in the background, no alert was shared at all.

The only way to effectively prevent those issues is to ensure that a set of hard boundaries has been put in place that prevents AI browsers and agents from gaining access to tools and services without a specific permission being granted, he added.
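To make the "hard boundary" idea concrete, the following is an added example (not code from Zenity, Perplexity, or the original article) of a deny-by-default gate that fixes an agent's permissions when the user states the task, so content read later cannot widen them. The tool names, the `ToolCall` shape, and the sample plan are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


# Hypothetical tool-call shape; not the API of Comet or any real agent framework.
@dataclass(frozen=True)
class ToolCall:
    tool: str     # e.g. "calendar.respond", "browser.navigate", "fs.read"
    target: str   # event id, URL, or path


@dataclass
class TaskPolicy:
    """Grants are fixed from the user's request, never from content the agent reads."""
    tools: frozenset
    origins: frozenset = frozenset()   # hosts browser.navigate may reach
    audit: list = field(default_factory=list)

    def authorize(self, call: ToolCall) -> bool:
        ok, reason = self._check(call)
        # Every decision is recorded before anything executes, so a denied
        # step is visible up front rather than after data has left.
        self.audit.append((call.tool, call.target, "allow" if ok else "deny", reason))
        return ok

    def _check(self, call: ToolCall):
        if call.tool not in self.tools:
            return False, "tool not granted for this task"
        if call.tool == "browser.navigate":
            url = urlsplit(call.target)
            if url.scheme != "https":          # blocks file:// and similar schemes
                return False, f"scheme {url.scheme!r} blocked"
            if url.hostname not in self.origins:
                return False, "origin not granted"
        return True, "granted"


def run_plan(policy: TaskPolicy, plan: list) -> list:
    """Return only the calls the policy allows; the rest are logged and dropped."""
    return [call for call in plan if policy.authorize(call)]


# Constructed data: the task "accept the meeting" and a plan an agent might
# propose after reading an invite that carries injected instructions.
ACCEPT_MEETING = TaskPolicy(
    tools=frozenset({"calendar.respond", "browser.navigate"}),
    origins=frozenset({"calendar.example.com"}),
)
PLAN = [
    ToolCall("calendar.respond", "event-123:accept"),
    ToolCall("browser.navigate", "file:///home/user/"),
    ToolCall("fs.read", "/home/user/notes.txt"),
    ToolCall("browser.navigate", "https://collector.example.net/?d=PLACEHOLDER"),
]
EXECUTED = run_plan(ACCEPT_MEETING, PLAN)
```

Only the calendar response survives; the local-file navigation, the file read, and the navigation to an ungranted origin are each denied and logged with a reason.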

Unfortunately, AI browsers and agents are being adopted faster than most cybersecurity teams can define policies. Cybersecurity teams need to review how AI browsers and agents are configured to limit certain capabilities, said Bargury. That’s critical because most end users still lack an appreciation for the potential risks that, for example, an indirect prompt injection attack that is trivial to set up actually represents, he noted.

It’s not clear if there will be several major cybersecurity incidents before organizations fully appreciate the inherent risks associated with adopting AI agents or browsers, or whether a proverbial death by thousands of cuts will eventually force a reckoning. The one thing that is certain is that with the rise of AI agents and browsers, achieving and maintaining cybersecurity is only likely to be even more challenging in an era where every resource can now be instantly accessed.

Source: https://securityboulevard.com/2026/03/zenity-details-perplexity-ai-browser-vulnerability/