A calendar invite is all it took to hijack Perplexity's Comet browser and steal 1Password credentials

Hijacking Perplexity’s Comet Browser via Calendar Invite: A Pathway to Credential Theft

Security researchers have uncovered a critical vulnerability in Perplexity’s Comet browser, demonstrating how a seemingly innocuous calendar invitation could enable attackers to seize control of the application and extract sensitive credentials from 1Password. This flaw, identified by experts from NCC Group, exploits weaknesses in the browser’s handling of iCalendar (.ics) files, ultimately leading to remote code execution (RCE). The discovery underscores persistent risks in Electron-based applications, even those enhanced with artificial intelligence features.

Perplexity’s Comet browser positions itself as an AI-driven tool designed to streamline web browsing through integrated AI capabilities. Built on Electron, a framework that packages web technologies into desktop applications using Chromium and Node.js, Comet promises seamless integration with productivity tools like calendars and password managers. However, this integration proved to be a double-edged sword. The vulnerability chain begins when a user accepts a malicious calendar invite, a common vector in phishing campaigns due to its low suspicion factor.

The Exploit Chain Unraveled

The attack sequence hinges on multiple misconfigurations and insecure defaults in Comet’s architecture. Upon receiving a .ics file attachment via email or other channels, Comet automatically processes the invite without sufficient validation. Specifically, the browser employs the icalendar Node.js library to parse these files. While this library is robust for legitimate use, it supports the X-WR-CALATTACH property, which allows embedding attachments directly within the calendar data.

Attackers craft a specially prepared .ics file that includes an X-WR-CALATTACH field pointing to a remote URL hosting a malicious payload, typically an HTML file masquerading as an image or document. When Comet parses the invite and the user accepts it, the browser downloads this payload to a predictable local directory, such as the user’s temporary files folder. Crucially, Comet’s implementation fails to enforce content-type verification or sandboxing during this download process.

Once downloaded, the payload leverages another Electron-specific weakness: the browser’s preload scripts and renderer processes. Comet uses Electron’s webContents.executeJavaScript API in an unsafe manner within its calendar handler. This API, intended for injecting JavaScript into web views, executes without proper context isolation when triggered by the parsed calendar data. The malicious HTML file, now local, contains a script that calls Node.js APIs directly, bypassing Chromium’s renderer sandbox.

From here, the attacker gains full Node.js execution privileges within the Comet process. This elevated access allows arbitrary file reads, writes, and system interactions. In a targeted demonstration, researchers extracted master passwords and autofill data from 1Password, which Comet integrates via its native messaging protocol. 1Password stores credentials in a secure enclave, but Comet’s RCE enables interception of inter-process communications (IPC) between the browser and the password manager extension.

The exploit does not require user interaction beyond accepting the calendar invite, making it highly effective against unsuspecting users. No additional clicks on links or downloads are needed, as the entire chain automates upon invite acceptance.

Technical Deep Dive: Key Vulnerabilities

Several technical shortcomings facilitated this breach:

  1. Insecure .ics Parsing: The icalendar library’s support for remote attachments lacks built-in fetching restrictions. Comet does not implement URL whitelisting or proxying for these downloads.

  2. Unsafe File Handling: Downloaded files land in user-writable directories without quarantine. Electron’s session.partition could have isolated these, but it remains unused.

  3. Preload Script Abuse: Comet’s preload.js exposes Node.js globals to the renderer via contextBridge. Malicious JavaScript escalates privileges by accessing require('fs') and child_process modules.

  4. IPC Exposure: Communications with 1Password occur over unsecured channels. An attacker with RCE can hook into ipcMain.on handlers to siphon credentials.

Researchers rated the vulnerability as high severity, assigning it a CVSS score reflecting its ease of exploitation and potential impact. Proof-of-concept (PoC) code was responsibly disclosed to Perplexity, which acknowledged the issue and deployed a patch within days.

Patch and Mitigation Details

Perplexity addressed the flaws in Comet version 1.2.3, released shortly after disclosure. Key fixes include:

  • Disabling remote attachment fetching in the icalendar parser.
  • Enforcing strict content-type checks and sandboxing for all calendar-related downloads.
  • Restricting preload script capabilities with finer-grained contextIsolation.
  • Auditing and hardening IPC endpoints for password manager integrations.
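The first two fixes above, and items 1 and 2 of the deep dive, amount to one control: never fetch an attachment URL carried in an invite unless policy explicitly allows it. The following is an added example, not Comet's, NCC Group's or the icalendar library's code, of a pre-fetch check over raw .ics text; the allowlist, the sample invite and its hosts are constructed for the example.

```javascript
// Added example (not Comet's or the icalendar library's code). Property names
// checked: X-WR-CALATTACH (named in the article) and ATTACH (RFC 5545).
const ATTACH_PROPS = new Set(['X-WR-CALATTACH', 'ATTACH']);
// RFC 5545 line folding: a CRLF followed by a space or tab continues the line.
function unfoldLines(ics) {
  return ics.replace(/\r?\n[ \t]/g, '').split(/\r?\n/).filter(Boolean);
}

// Split "NAME;PARAM=..:value" at the first colon outside double quotes.
function splitNameValue(line) {
  let quoted = false;
  for (let i = 0; i < line.length; i++) {
    if (line[i] === '"') quoted = !quoted;
    else if (line[i] === ':' && !quoted) return [line.slice(0, i), line.slice(i + 1)];
  }
  return null;
}

// Collect {prop, params, value} for attachment properties only.
function extractAttachments(ics) {
  const out = [];
  for (const line of unfoldLines(ics)) {
    const parts = splitNameValue(line);
    if (!parts) continue;
    const [name, ...params] = parts[0].split(';');
    const prop = name.trim().toUpperCase();
    if (ATTACH_PROPS.has(prop)) out.push({ prop, params: params.join(';'), value: parts[1] });
  }
  return out;
}

// Policy: inline binaries are flagged for separate scanning; URLs are allowed only
// over https to an allowlisted host; http, data: and unknown hosts are blocked.
function checkAttachments(ics, allowedHosts = []) {
  return extractAttachments(ics).map((a) => {
    if (/(^|;)VALUE=BINARY(;|$)/i.test(a.params)) return { ...a, verdict: 'inline-binary' };
    let url;
    try { url = new URL(a.value); } catch { return { ...a, verdict: 'unparseable' }; }
    const ok = url.protocol === 'https:' && allowedHosts.includes(url.hostname);
    return { ...a, host: url.hostname, verdict: ok ? 'allowed' : 'blocked' };
  });
}

// Constructed sample invite (placeholder hosts); the first attachment is folded
// across two lines and declares an image type for an .html payload.
const SAMPLE_ICS = ['BEGIN:VCALENDAR', 'BEGIN:VEVENT',
  'X-WR-CALATTACH;FMTTYPE=image/png:https://untrusted.example', ' /payload.html',
  'ATTACH;FMTTYPE=application/pdf:https://files.example/agenda.pdf',
  'ATTACH:http://files.example/agenda.pdf', 'END:VEVENT', 'END:VCALENDAR'].join('\r\n');
console.log(checkAttachments(SAMPLE_ICS, ['files.example']));
```

Running it against the sample yields blocked, allowed, blocked: the folded X-WR-CALATTACH URL is reassembled before checking, so line folding cannot be used to hide the host. The declared FMTTYPE is deliberately not trusted; a content-type check belongs on the downloaded bytes, after this gate.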

Users are advised to update immediately and disable automatic calendar invite processing in email clients. For broader protection, enabling 1Password’s security audit features and using endpoint detection tools can help.

Broader Implications for Electron Apps

This incident highlights ongoing challenges in securing Electron applications. Despite Electron’s maturity, developers often overlook renderer isolation and Node integration risks. Calendar invites, rarely scrutinized like executables, emerge as a novel phishing primitive. AI browsers like Comet, which prioritize user convenience, must balance features with rigorous security reviews.

Organizations relying on such tools should conduct supply-chain audits and simulate invite-based attacks. The rapid patch response from Perplexity demonstrates effective vulnerability management, but it serves as a cautionary tale for the ecosystem.

