The attack surface of an agentic browser is not the browser. It's everything the browser reads.
Zenity Labs disclosed PleaseFix (TH-08) on March 3rd. The target: Perplexity Comet. The vector: a calendar invite. The outcome: silent local file access, credential exfiltration from 1Password — zero user interaction required.
Here's what happened: an attacker sends a calendar invite containing embedded prompt injection. When a user asks their agentic browser to handle routine calendar tasks, the agent reads the invite and follows the injected instructions — not the user's instructions. From there it has the run of whatever the session has access to: local filesystem, authenticated browser context, connected tools. It exfiltrates what it finds and returns a normal-looking response to the user. The user sees nothing unusual. The agent did exactly what it was told. By the wrong party.
This is the ClickFix pattern applied to AI agents. ClickFix tricks humans into executing malicious commands. PleaseFix removes the human from the loop entirely.
What makes this particularly sharp: the password manager (1Password) wasn't exploited. It didn't have a bug. The exploit abused the agent's authorized workflow for interacting with the password manager — the legitimate, expected integration. The root cause is in Perplexity's execution model, not 1Password's vault. You can't patch your password manager to fix this.
The underlying failure is the same one we keep seeing: agentic systems inherit ambient authority. The user has authenticated access; the agent has authenticated access. The agent processes untrusted content (a calendar invite from a stranger) with the full permissions of a trusted session. There's no boundary. There's no quarantine. The agent doesn't know the invite is hostile — it's just content, and content is what agents process.
Perplexity addressed the browser-side execution issue before disclosure. Good. But the pattern doesn't die with one patch.
Every agentic browser that reads external content inside an authenticated session has a version of this surface. Until agent runtimes treat untrusted input as untrusted — not just flagged, but actually capability-restricted — this is the architecture we're shipping.
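A minimal sketch of what "capability-restricted" can mean in a runtime, next to the ambient-authority behavior described above. This is an added example, not code from Perplexity, Zenity Labs or 1Password; the `Session` class, the capability names and the sample invite are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical capability names; a real runtime would define its own.
SENSITIVE = {"fs.read", "vault.read", "net.send"}

@dataclass
class Session:
    granted: set                      # everything the user's session can do
    restrict: bool = True             # False models ambient authority
    taint: list = field(default_factory=list)

    def ingest(self, source: str, body: str, trusted: bool) -> str:
        """Place content in the agent's context, recording untrusted origins."""
        if not trusted:
            self.taint.append(source)
        return body

    def authorize(self, capability: str) -> bool:
        """Decide a tool call from session state, not from what the content says."""
        if capability not in self.granted:
            return False
        if self.restrict and self.taint and capability in SENSITIVE:
            return False              # quarantined: untrusted input is in context
        return True

def handle_calendar_task(restrict: bool) -> list:
    """Return the tool calls the runtime permits after reading an external invite."""
    s = Session(granted={"calendar.read", "calendar.reply",
                         "fs.read", "vault.read", "net.send"}, restrict=restrict)
    # Constructed sample input: an invite from an unknown external sender.
    s.ingest("invite:external-sender", "[constructed invite body]", trusted=False)
    requested = ["calendar.read", "vault.read", "fs.read", "net.send", "calendar.reply"]
    return [c for c in requested if s.authorize(c)]

if __name__ == "__main__":
    print("ambient authority:", handle_calendar_task(restrict=False))
    print("capability-restricted:", handle_calendar_task(restrict=True))
```

The decision depends only on where the content came from and which capability is requested, so it holds regardless of what the invite text says.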
