

Palo Alto, California, November 19th, 2025, CyberNewsWire
SquareX released critical research exposing a hidden API in Comet that allows extensions in the AI Browser to execute local commands and gain full control over users' devices. The research reveals that Comet has implemented an MCP API (chrome.perplexity.mcp.addStdioServer) that allows its embedded extensions to execute arbitrary local commands on users' devices, capabilities that traditional browsers explicitly prohibit. Concerningly, there is limited official documentation on the MCP API. Existing documentation only covers the intent of the feature, without disclosing that Comet’s embedded extensions have persistent access to the API and the ability to launch local apps arbitrarily without user permission, creating a massive breach of user trust and transparency.
"For decades, browser vendors have adhered to strict security controls that prevent browsers, and especially extensions, from directly controlling the underlying device," explains Kabilan Sakthivel, Researcher at SquareX. "Traditional browsers require native messaging APIs with explicit registry entries and user consent for any local system access. In their ambition to make the browser more powerful, Comet has bypassed all of these safeguards with a hidden API that most users don't even know exists. This erosion of user trust fundamentally reverses the clock on decades of browser security principles established by vendors like Chrome, Safari, and Firefox."
Currently, the API is found in the Agentic extension, and it can be triggered by the perplexity.ai page, creating a covert channel for Comet to access local data and launch arbitrary commands/apps without any user control. While there is no evidence that Perplexity is currently misusing the MCP API, the question is not if but when Perplexity will be compromised. A single XSS vulnerability, a successful phishing attack against a Perplexity employee, or an insider threat would instantly grant attackers unprecedented control via the browser over every Comet user's device. This creates catastrophic third-party risk where users have resigned their device security to Perplexity's security posture, with no easy way to assess or mitigate the risk.
In SquareX’s attack demo, the research team used extension stomping to disguise a malicious extension as the embedded Analytics Extension by spoofing its extension ID. Once sideloaded, the malicious Analytics Extension injects a script into the perplexity.ai page, which in turn invokes the Agentic Extension, which finally uses the MCP to execute WannaCry on the victim’s device. While the demonstration leveraged extension stomping, other techniques, such as XSS or MitM network attacks that exploit perplexity.ai or the embedded extensions, can also lead to the same result.
More worryingly, as both extensions are critical to Comet’s agentic functionality, Perplexity has hidden them from the Comet extension dashboard, preventing users from disabling them even if they are compromised. These embedded extensions become a “hidden IT” that neither security teams nor users have any visibility over. Furthermore, due to the lack of documentation, there is no way to know whether or when Comet might expand access to other "trusted" sites.
While other AI Browsers also have embedded extensions, we have only found the MCP API in Comet for now. We have disclosed the attack to Perplexity, but have not received a response.
Similar to the OS and search engine, owning the platform where the majority of modern work occurs has always been the grand ambition for many tech companies. With AI, there is now the opportunity to make browsers more powerful than ever before. Yet, in the race to win the next browser war, many AI Browser companies are shipping features so quickly that it has come at the cost of proper documentation and security measures.
The MCP API exploits serve as an early warning of the third-party risks that poor implementation of AI Browsers can expose users to. "The early implementation of device control APIs in AI browsers is extremely dangerous," Vivek Ramachandran, Founder of SquareX, emphasizes. "We're essentially seeing browser vendors grant themselves, and potentially third parties, the kind of system-level access that would require explicit user consent and security review in any traditional browser. Users deserve to know when software has this level of control over their devices."
Without demand for accountability from users and the security community, other AI browsers will race to implement similar, or more invasive, capabilities to remain competitive. SquareX is calling on AI browser vendors to mandate disclosure for all APIs, undergo third-party security audits, and provide users with controls to disable embedded extensions. This isn't just about one API in one browser. If the industry doesn't establish boundaries now, we're setting a precedent where AI browsers can bypass decades of security principles under the banner of innovation.
For more information, users can refer to the technical blog.
SquareX's browser extension turns any browser on any device into an enterprise-grade secure browser, including AI Browsers. SquareX's industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users' existing consumer browsers, delivering security without compromising user experience. Users can find out more about SquareX’s research-led innovation at www.sqrx.com.
Head of PR
Junice Liew
SquareX
junice@sqrx.com
This is a paid press release published via CyberNewswire, a PR newswire syndication platform for cybersecurity companies