Speaker:: Gadi Evron on behalf of Zenity
Title:: PleaseFix (Zenity Labs Research)
Duration:: 7 min
Video:: https://www.youtube.com/watch?v=yUqBC3mc544

## Key Thesis

Agentic browsers (exemplified by Comet) represent a new attack surface where prompt injection via calendar invites and malicious web content can cause autonomous agents to exfiltrate files and compromise password managers — all without the user ever clicking anything suspicious. The research demonstrates that agentic browsers must be treated as untrusted entities operating under the user's identity.

## Synopsis

This talk is unusual in format: Gadi Evron presents on behalf of Zenity Labs (a competitor in the AI security space) because the Zenity team was unable to attend due to closed Israeli airspace. Evron had never seen the slides before taking the stage, making it an improvised "PowerPoint karaoke" presentation. He explicitly invites the audience to correct him when he misunderstands a slide.

The research centers on Comet, an agentic browser, and demonstrates two attacks built around the concept of "intent collision" — where attacker intent is injected into a channel the user's agent is already trusted to process, causing the agent to act in ways the user never intended.

Attack 1 — Filesystem Exfiltration: An attacker sends a calendar invite to the target. The user asks Comet to "accept the meeting and help me prepare for it" — a natural, innocuous request. The malicious payload is hidden in the calendar invite itself: it rewrites the accept button with attacker instructions and abuses calendar comment internals with system-level prompts. When Comet processes the invite, it navigates to an attacker-controlled site that delivers additional instructions, then autonomously searches the filesystem for sensitive files and exfiltrates them.

Attack 2 — 1Password Compromise: Using the same calendar invite vector, when Comet processes the invite, it navigates to a 1Password interface where autocomplete is enabled. Because Comet is operating under the user's identity and 1Password autocomplete is on, the agent gains access to the password vault — including the emergency kit — without needing the master password. Evron notes this is less about a 1Password flaw and more about the browser security model failing when an autonomous agent operates under user identity.

The conclusions are direct: agentic browsers are untrusted entities by default, even though they operate under your identity. The browser security model needs fundamental rethinking for an agentic world. Zenity notes this research builds on their prior work as the first to demonstrate a zero-click attack in this space.

## Key Takeaways

- Agentic browsers operating under user identity become a prompt injection delivery surface via calendar invites
- "Intent collision": attacker instructions embedded in trusted content channels (calendar invites) override user intent
- Payload mechanism: hidden instructions rewrite UI elements, abuse comment internals, deliver staged payloads via attacker-controlled site
- 1Password autocomplete + agentic browser = credential vault compromise without master password
- "Agentic browsers are untrusted entities" — core conclusion
- Browser security model fundamentally needs rethinking for agentic contexts
- Zenity previously released the first verified zero-click attack in the agentic browser space

## Notable Quotes / Data Points

- Attack vector: standard calendar invite → no user interaction beyond asking the agent to "accept and prepare"
- Comet navigates to attacker-controlled site autonomously after processing the malicious calendar invite
- "The browser is acting under your identity" — key framing for why this is dangerous
- Zenity Labs: https://www.zenity.io (referenced in slides)

#unprompted #claude
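One way to act on the conclusion that the agent is an untrusted entity, as an added example that is not from the talk, Zenity or Comet: a tool-call gate that marks the session tainted once the agent reads attacker-controllable content such as an invite body, then refuses the file and password-manager actions seen in the two attacks. The `AgentSession` class, the action names and every host name are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Every name and value here is constructed for the example.
SENSITIVE_HOSTS = {"vault.example"}  # placeholder for a password manager's web origin
ALLOW, CONFIRM, DENY = "allow", "confirm", "deny"

@dataclass
class AgentSession:
    task_hosts: set  # hosts the user's own request implies
    tainted_by: list = field(default_factory=list)

    def ingest(self, source: str, trusted: bool = False) -> None:
        """Record what the model read; anything the user did not type taints the session."""
        if not trusted:
            self.tainted_by.append(source)

    def decide(self, action: str, target: str) -> str:
        tainted = bool(self.tainted_by)
        if action == "navigate":
            url = urlparse(target)
            host = (url.hostname or "").lower()
            if url.scheme == "file":
                action = "read_file"  # a file:// URL is a local file read; checked below
            elif url.scheme not in ("http", "https"):
                return DENY
            elif host in SENSITIVE_HOSTS:
                return DENY if tainted else CONFIRM
            elif host in self.task_hosts:
                return ALLOW
            else:
                # Unplanned site after reading untrusted content: possible staged payload.
                return CONFIRM if tainted else ALLOW
        if action in ("read_file", "autofill"):
            return DENY if tainted else CONFIRM
        return DENY  # unknown tool: fail closed

def demo() -> dict:
    s = AgentSession(task_hosts={"calendar.example"})
    s.ingest("user_prompt", trusted=True)
    s.ingest("calendar_invite:description")  # attacker-controllable field
    return {
        "rsvp": s.decide("navigate", "https://calendar.example/rsvp"),
        "unknown_site": s.decide("navigate", "https://prep-notes.example/"),
        "file_url": s.decide("navigate", "file:///home/user/"),
        "read_file": s.decide("read_file", "/home/user/.ssh/config"),
        "vault": s.decide("navigate", "https://vault.example/"),
        "autofill": s.decide("autofill", "vault.example"),
    }
```

`CONFIRM` stands for a prompt shown to the user outside the model's control, so injected text cannot approve its own request.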