Calendar invite hijacks Perplexity Comet browser

A single calendar invite was enough to hijack Perplexity’s agentic Comet browser and exfiltrate credentials from a logged-in 1Password web vault, according to a demonstration by Zenity Labs reported by The Decoder. The researchers showed two paths: one that coerced Comet into reading local files and another that drove the browser to reveal stored passwords and even change the 1Password account password, turning a delegated “handle this meeting” request into full account takeover.

What makes the incident awkward for vendors is what it does not involve. Zenity did not need a memory corruption bug, a sandbox escape, or a browser zero-day. Comet behaved “as designed,” executing instructions embedded in content it was asked to process. The researchers describe the core failure as “intent collision”: the agent cannot reliably separate the user’s intent (“accept this invite”) from attacker instructions hidden inside the invite’s text, so it merges both into a single plan and carries it out using the user’s authenticated session.

That design choice moves the security perimeter. Traditional phishing tries to trick a human into clicking; agentic browsing tries to turn any parsed text into a control channel. Once an agent can read email, open files, click buttons, and log into services, social engineering stops being a one-off mistake and starts resembling remote task execution. The Comet/1Password combination illustrates the compounding effect: 1Password’s web vault is reachable through the same browser context the agent controls, and the extension can remain unlocked for hours by default, effectively lending the agent a master keyring.

Zenity’s write-up also highlights how attackers can tailor instructions to the agent’s internal grammar. By extracting Comet’s system prompt, the team found a <system_reminder> structure and then mimicked it inside the invite so the malicious instructions were treated as higher priority. They added fake UI elements that matched Comet’s internal representation of page nodes, and used mixed-language framing to reduce the chance that safeguards would flag the text as an obvious prompt injection.

Perplexity and 1Password have shipped fixes, but The Decoder notes that some mitigations are opt-in, leaving default configurations exposed. Meanwhile, the market response is already visible: TechCrunch reports that Fig Security has raised $38 million to monitor “change” across sprawling security stacks—tracking whether detections still fire after upstream tools, pipelines, or rules are modified. In practice, this is security teams buying monitoring for their monitoring, because modern defenses are now a chain of vendor products whose failure modes are introduced by routine updates.

The calendar invite is not the story’s distinctive detail so much as its banality. Any content channel that the agent is allowed to read—email, documents, websites, uploaded files—becomes a possible instruction surface once the agent is granted permission to act.

In Zenity’s demo, the attacker did not break into the machine. The attacker simply wrote text that the machine was authorised to obey.