Breaking: New "PleaseFix" Vulnerabilities Turn AI Agents Against Their Users

Breaking: New "PleaseFix" Vulnerabilities Turn AI Agents Against Their Users*Rapid Response Analysis | March 5, 2026*A new family of critical vulnerabilities dubbed "PleaseFix" has been discovered by Zenity Labs, affecting agentic browsers including Perplexity's Comet. These vulnerabilities allow attackers to hijack AI agents, steal credentials, and access local files — all without the user's knowledge.## What HappenedYesterday, security researchers disclosed PleaseFix, a collection of vulnerabilities that exploit the expanding trust boundary of AI agents. Unlike traditional browser security issues, these attacks leverage the autonomous capabilities of AI agents to execute malicious actions within authenticated user sessions.The most alarming aspect? Zero-click exploitation. An attacker can embed malicious content in something as mundane as a calendar invite. When a user asks their AI agent to "check my calendar," the agent autonomously executes the malicious payload while returning the expected response to the user.## The Attack Vectors### Exploit 1: Silent File System Access- Trigger: Attacker-controlled calendar invite or similar content- Execution: 0-click autonomous execution via routine user request- Impact: Local file system access and data exfiltration- Detection: Agent returns expected results while silently compromising the system### Exploit 2: Password Manager Manipulation - Trigger: Agent-authorized workflow manipulation- Execution: Abuse of legitimate agent privileges - Impact: Credential theft and account takeover- Method: Exploits agent's access to password management tools without directly attacking the password manager## Why This Matters for Agent SecurityPleaseFix represents the evolution of social engineering from human targets to AI agents. This is fundamentally different from traditional security threats:1. Extended Trust Boundary: Agents operate with inherited user privileges across multiple systems2. Autonomous Execution: No human validation required for many agent actions3. Context Inheritance: Agents maintain authenticated sessions across applications4. Stealth Capability: Malicious actions occur alongside legitimate responses## Immediate Protection Steps### For Teams Running AI Agents:- Audit Agent Permissions: Review what systems and data your agents can access- Implement Agent Activity Monitoring: Log and review autonomous agent actions- Segment Agent Access: Use least-privilege principles for agent system access- Validate External Content: Scan calendar invites, documents, and other external inputs### For Developers Building Agents:- Input Sanitization: Never trust external content in agent workflows- Permission Validation: Implement explicit approval for sensitive actions- Session Isolation: Separate agent sessions from user authentication contexts- Security Testing: Include prompt injection and agent hijacking in your security testing## The ClawMoat PerspectiveThis disclosure validates what we've been warning about: AI agents are the new attack surface. Traditional security tools weren't designed to monitor autonomous AI behavior or detect when an agent has been compromised.ClawMoat specifically addresses these emerging threats by:- Monitoring agent behavior for anomalous activities- Scanning for prompt injection vulnerabilities in agent workflows - Auditing agent permissions and access patterns- Detecting when agents perform unexpected file system or network operations## What's NextPerplexity has already addressed the browser-side execution issues in Comet prior to public disclosure. However, the fundamental security model challenges remain:- How do we verify agent intent vs. malicious manipulation?- What's the right balance between agent autonomy and security controls?- How can existing security tools adapt to monitor AI agent behavior?## Bottom LinePleaseFix isn't just another vulnerability disclosure — it's a preview of the AI security landscape ahead. As agents become more capable and autonomous, the attack surface expands exponentially.The question isn't whether AI agents will be targeted by attackers, but whether organizations will implement proper security controls before or after they're compromised.For teams serious about AI agent security, now is the time to implement dedicated agent security monitoring. The era of securing agents as "just another application" is over.---Want to learn more about protecting your AI agents? ClawMoat provides security scanning specifically designed for AI agent deployments.Follow us for more breaking AI security analysis: @ClawMoat