Full Report
AI browsing agent left local files open for the taking If you wanted to steal local files from someone using Perplexity's Comet browser, until last month you could just schedule the theft by sending your victim a calendar event.…
Analysis Summary
# Vulnerability: AI Browsing Agent Arbitrary Local File Access via Calendar Events
## CVE Details
- CVE ID: *Not explicitly provided in the text, will use a placeholder.*
- CVSS Score: *Not explicitly provided in the text.*
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) or CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) due to the nature of requesting file access.
## Affected Systems
- Products: Perplexity Comet browser (AI browsing agent).
- Versions: Versions prior to the fix implemented on January 23, 2026, and a subsequent fix on February 13, 2026. (Specific version numbers are not listed).
- Configurations: Any configuration where the Comet browser agent is active and capable of processing calendar event content (e.g., Google Calendar events containing embedded instructions/links).
## Vulnerability Description
The Comet browser's integrated AI agent did not properly enforce restrictions against accessing the local file system via the `file://` protocol. This flaw, stemming from an indirect prompt injection scenario, allowed an attacker to persuade the agent to access and potentially exfiltrate arbitrary local user files simply by embedding malicious instructions (often hidden via newlines and non-English languages) within a calendar event description (successfully demonstrated using Google Calendar invitations).
A secondary, related finding indicated that if the 1Password browser extension was installed and unlocked in the Comet browser, an attacker could instruct the agent to navigate to the extension's URL, leading to a full account takeover of 1Password (if 2FA was not enabled).
## Exploitation
- Status: PoC available (Demonstrated by Zenity Labs).
- Complexity: Low (Requires the victim only to interact with or receive a malicious calendar invitation, which is a common user action).
- Attack Vector: Network (via calendar service interaction).
## Impact
- Confidentiality: High (Local files and potentially sensitive data stored in unlocked browser extensions like 1Password vault could be stolen).
- Integrity: Medium (Ability to influence the agent's actions).
- Availability: Low (The primary impact is data leakage, not system downtime).
## Remediation
### Patches
- Initial fix deployed around January 23, 2026.
- A second, successful patch deployed around February 13, 2026, after an initial bypass using the `view-source:file:///Users/` prefix was discovered. (Specific version numbers are not available).
### Workarounds
- Users should exercise extreme caution when interacting with content embedded in sources the AI agent processes, particularly calendar invitations.
- Ensure sensitive browser extensions (like password managers) require mandatory two-factor authentication to prevent session hijacking exploitation, even if the browser agent is compromised.
## Detection
- Indicators of Compromise: Unexpected outbound network connections initiated by the browser agent while processing calendar events; unusual file system access patterns visible in system logs corresponding to agent activities.
- Detection methods and tools: Monitor browser agent activity logs for unauthorized attempts to resolve or access `file://` URIs. Review system logs for file access originating from the browser process associated with user interaction events (like accepting a calendar invite).
## References
- Vendor Advisory (1Password): hxxps://1password.com/blog/security-advisory-for-ai-assisted-browsing-with-the-1password-browser
- Research Disclosure (Zenity Labs): hxxps://labs.zenity.io/p/perplexedbrowser-perplexity-s-agent-browser-can-leak-your-personal-pc-local-files