PleaseFix: 0Click Exploits Against Agentic Browsers

A weaponized calendar invite, indistinguishable from a legitimate meeting request, is delivered to the target. When the user asks the agent to accept the meeting, it reads the full event content. Hidden past a wall of blank lines are attacker instructions that redirect the agent to an attacker-controlled site, where it receives a second malicious prompt.

From there, the agent navigates the local file system, locates sensitive files, reads their contents, and delivers them to the attacker by embedding the data into a URL and navigating to it as an ordinary page load.

No traditional vulnerability was exploited. The agent did exactly what it was designed to do. Perplexity addressed this with a hard boundary blocking agent access to file:// paths. The attack no longer works

The same calendar invite delivers the payload. Hidden past a wall of blank lines are injected instructions, written in a mix of Hebrew and English to evade guardrails, directing the agent to navigate to the password manager web interface.

Because the extension is installed and unlocked by default, the agent authenticates automatically, inheriting the user's full session state. It then searches for a vault entry, reveals the masked password field, reads both the username and password, and transmits them to the attacker as an ordinary page load.

No authentication was bypassed. No vulnerability was exploited. The agent used the same interactions a user would. The credentials left the machine before the user saw any indication that anything had gone wrong.

Using the same entry vector, the attack escalates from stealing a single credential to taking over the 1Password account entirely, and with it every login, note, API key, and recovery code stored inside.

Once authenticated, the injected instructions shift the objective to account settings. The agent initiates a password change, uses the unlocked extension to autofill the current password, and sets a new attacker-controlled one. It then follows the post-change recovery flow, extracting the account email and Secret Key before closing the prompt, and transmits both to the attacker via normal browser navigation.

The agent returns benign output to the user. The delegated task appears to have completed normally. The attacker has everything needed to sign in on a new device and own the account outright.