StAJect0r retweeted
kicking off the 3rd @zenitysec agent security summit at sf!
StAJect0r retweeted
excited to speak about our agent detonation chamber this summer at #BHUSA! how do you 'scan' txt for 'security badness'? not w wishful analysis by an llm judge what we really want is: what will this thing cause my agent to *DO*? ft/ francesco montorsi @lana__salameh @roeybc
StAJect0r retweeted
from a security perspective agentic browsers are a very bad idea but who cares about security we've got ai now i'm excited to be able to demo just how bad things get on stage at #BHUSA! incredible work by @StAJect0r @supriza0 @p1njc70r @tamirishaysh
StAJect0r retweeted
i'm stoked to announce our lineup for the agent security summit sf 2026! to celebrate we have a few more open tickets you can grab now w keynotes from the amazing @gadievron @travismcpeak @NahamSec @jimreavis
StAJect0r retweeted
6 Aug 2025
For likely the first time ever, security researchers have shown how AI can be hacked to create real world havoc, allowing them to turn off lights, open smart shutters, and more. wired.com/story/google-gemin…
Come for the meme, stay for the post.😁
Agents are a new execution layer. Agent Commander is a promptware-powered C2. Red teaming is about to get weird. embracethered.com/blog/posts…
StAJect0r retweeted
Zero-click local file exfiltration via an agentic browser is real. ⚠️ Zenity Labs shows a calendar invite can steer Perplexity Comet into browsing file:// paths, reading sensitive files, and exfiltrating via normal navigation. Fix now blocks agent file:// access. ✅ 🔗 eu1.hubs.ly/H0sqY3N0 #AISecurity #AgentSecurity #LLMSecurity
0/14 We hijacked Perplexity's agentic browser Comet to leak files from your PC and take over your 1Password account. 🚨 Two technical writeups. Two attacks. One family of critical vulnerabilities dubbed PleaseFix we identified at Zenity across agentic browsers from multiple vendors. Here's how it works and why it matters.
2/14 First, some context. Perplexity recently shipped Comet, an agentic browser. It doesn't just show you web pages. It reads, clicks, navigates, and acts on your behalf inside a real browser session. That's powerful. It also raises a simple question: who exactly is it acting for?
3/14 An agentic browser has the same access as a normal browser. It can read your local file system via file://. It can interact with sensitive webpages. It operates inside your authenticated sessions. The difference? Actions are no longer triggered by your clicks. They're triggered by the agent's interpretation of your request.
4/14 That interpretation is the attack surface. If an attacker can shape what the agent believes the user asked for, the agent will execute on the attacker's behalf. No exploit needed. No malware. The agent uses its own capabilities against the user. We call this technique intent collision.
5/14 Attack 1: Local File Exfiltration. We sent the victim a normal-looking calendar invite. Legit title, real agenda, names, times. But buried in the description, hidden below many blank lines where no human would scroll, we placed our payload.
6/14 The payload used a mix of techniques chained together. A fake HTML button element matching Comet's internal node structure. A system_reminder block reusing Comet's own prompt format. Hebrew instructions to slip past English-language guardrails. And a redirect to an attacker-controlled site where more instructions are hosted.
7/14 When the user asked Comet to "accept the meeting," the agent consumed the full description. It followed the fake button to our site. From there, it was guided to navigate the local file system, locate a sensitive file, open it, read its contents, and exfiltrate them via URL parameters to our server. All in the background.
8/14 Attack 2: 1Password Account Takeover. Same entry vector. But this time the target wasn't the file system. It was the user's 1Password vault. Comet can be integrated with a 1Password extension. If the extension is unlocked (default: up to 8 hours), Comet can auto-log into the 1Password web app, just as a regular user would.
9/14 Once inside, the agent was steered to search the vault, open an entry, reveal the password field, and extract both username and password. Then it navigated to our endpoint with those values in the URL. Credential exfiltration. Through normal browser navigation.
10/14 But we didn't stop there. We escalated to full account takeover. Same calendar invite. This time the injected instructions guided Comet to navigate to account settings, change the password to one we control, and extract the Secret Key and email from the Emergency Kit flow. The user got "task complete." We got the vault. 💀
11/14 To our knowledge, this is the first public end-to-end attack against an agentic browser resulting in local file exfiltration and password manager account takeover. And a calendar invite is just one entry point. This can come from ANYWHERE on the internet. Any content the agent reads can become the attack vector.
12/14 Both vulnerabilities were responsibly disclosed. Perplexity shipped fixes, including a hard boundary blocking file:// access and enterprise guardrails for sensitive sites. 1Password published a security advisory and introduced hardening options.
13/14 The bigger picture: agentic browsers interpret AND execute. They sit inside your authenticated sessions, your extensions, your file system. The blast radius of a single prompt injection is no longer a chatbot saying something weird. It's your files. Your credentials. Your accounts. That is a fundamentally different threat.
14/14 This is part of PleaseFix, a family of critical vulnerabilities we identified at ZenityLabs across agentic browsers from multiple vendors. Prompt injection is not going away. And as AI agents gain more autonomy, the impact only grows.