Perplexity Comet Browser Vulnerability: Calendar Invites Could Exfiltrate Local User Files
A critical security vulnerability in Perplexity's Comet AI browsing agent allowed attackers to steal local files from users simply by sending them a malicious calendar invite. The flaw, which was present until last month, exploited the browser's handling of certain protocols or file access permissions linked to calendar events. By crafting a specific invite, an attacker could trigger the browser to access and exfiltrate sensitive documents, downloads, or other data stored locally on the victim's machine without their knowledge.

This represents a significant breach of the browser's security sandbox, as a core function of a browsing agent is to isolate web activity from the local system. The vulnerability highlights the expanded attack surface introduced by AI-powered agents that interact more deeply with system functions and user data. While the issue has reportedly been patched, the incident underscores the potential risks of new AI-integrated software that may not have undergone rigorous security testing for unconventional attack vectors like calendar integration.