Calendar invite hijacks Perplexity Comet agent
Zenity shows prompt injection can exfiltrate local files and drain a 1Password web vault; fixes ship, but default autonomy stays risky
A calendar invite was enough to steer Perplexity’s Comet “agentic” browser into stealing sensitive data, including credentials from a logged-in 1Password Web Vault, according to security researchers at Zenity Labs. The researchers demonstrated two paths: one in which Comet was tricked into browsing local directories and exfiltrating file contents, and another that escalated into full 1Password account takeover by extracting the user’s Secret Key and changing the account password. The Decoder reports that neither attack relied on a conventional browser bug.
What failed was the design assumption behind delegated browsing: Comet is built to read content and then act inside the user’s authenticated session, but it struggles to separate a user’s instruction (“handle this appointment”) from hidden instructions embedded in the content it is asked to process. Zenity calls the problem “intent collision”: the model merges attacker text and user intent into a single plan, then executes it using the same browser context that has access to cookies, open tabs, and extensions.
The calendar invite is a convenient delivery vehicle because it can contain long, hidden sections of text. In Zenity’s demo, harmless meeting details appeared at the top, while the attack payload was placed far below, separated by blank lines. The researchers also tailored the payload to Comet’s internal structure after extracting its system prompt, and used fake UI elements with “Node IDs” that matched Comet’s representation of clickable page elements. The result is that Comet treats attacker-provided markup as if it were part of the browser’s own interface.
The 1Password angle is less about cryptography than about session inheritance. The partnership between Perplexity and 1Password integrates the password manager into Comet’s environment, and the extension can remain unlocked for hours by default, while also auto-signing users into the web vault. Once Comet is induced to navigate there, it can search entries and reveal passwords as part of an apparently legitimate task, then transmit them out via ordinary web requests—such as embedding data in URL parameters—without tripping a classic exploit chain.
Both companies have shipped fixes, The Decoder reports, but some protections are optional and depend on user configuration. That leaves a familiar gap: the product’s default posture prioritises convenience and “hands-off” automation, while the security model assumes the agent will reliably interpret context and refuse malicious instructions.
The concrete lesson from Zenity’s work is that “guardrails” are not a control plane. If an agent is allowed to read arbitrary untrusted text and also has permission to click, copy, and submit data inside an authenticated session, then the hard part is not detection—it is limiting what the agent can do in the first place. Capability sandboxing, deterministic allowlists for high-risk actions, and tamper-evident audit logs are the unglamorous features that decide whether an assistant is a tool or a privileged insider waiting to be socially engineered.
In Zenity’s demo, the attacker did not need remote code execution, a browser zero-day, or access to the victim’s machine—only a calendar invite the user asked their agent to handle.
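As an added illustration (not code from Zenity, Perplexity or 1Password), the sketch below shows what a deterministic allowlist for agent actions and a tamper-evident audit log can look like when both sit outside the model. The action names, origins and query-length cap are constructed assumptions, not part of any real product.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Assumed policy values (constructed): what the user delegated for this task.
TASK_ORIGINS = {"https://calendar.example.com"}
ALLOWED_ACTIONS = {"navigate", "click", "submit"}  # hypothetical action names
MAX_QUERY_LEN = 128  # assumed cap; long query strings can carry copied data out

def decide(action, url):
    """Return (allowed, reason) from fixed rules only, never from model output."""
    parts = urlsplit(url)
    if action not in ALLOWED_ACTIONS:
        return False, "action not allowed"
    if parts.scheme != "https":
        return False, "scheme not allowed"  # covers file:// directory browsing
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    if origin not in TASK_ORIGINS:
        return False, "origin outside task allowlist"
    if len(parts.query) > MAX_QUERY_LEN:
        return False, "query string too long"
    return True, "ok"

class AuditLog:
    """Hash-chained log: each digest commits to the previous digest and the entry."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries, self.head = [], self.GENESIS

    def append(self, record):
        body = json.dumps(record, sort_keys=True)
        self.head = hashlib.sha256((self.head + body).encode()).hexdigest()
        self.entries.append({"body": body, "digest": self.head})

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            expect = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
            if expect != entry["digest"]:
                return False
            prev = entry["digest"]
        return prev == self.head  # store head off-host to also catch truncation

def gate(log, action, url):
    """Decide, record the decision (allowed or not), and return the verdict."""
    allowed, reason = decide(action, url)
    log.append({"action": action, "url": url, "allowed": allowed, "reason": reason})
    return allowed
```

Because `decide` never consults the model, text hidden in a calendar invite cannot widen the policy; it can only propose actions that the gate then refuses and logs.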