Perplexity Comet Browser Flaw Exposed Users to System Attacks

Summary
– Comet browser’s hidden extensions can execute arbitrary commands on users’ devices through an MCP API, bypassing traditional browser security isolation.
– Attackers could exploit this via domain compromise or extension impersonation to install malware, steal data, or control devices without user consent.
– Perplexity silently disabled the MCP API after the vulnerability was publicly reported, though the functionality’s original purpose remains unclear due to limited documentation.
– SquareX researchers argue users should be informed about and able to opt out of such powerful features, emphasizing transparency in AI browser security risks.
– The incident highlights broader concerns about AI browsers eroding security boundaries by embedding privileged, hidden components that tie device safety to company integrity.
A significant security vulnerability has been identified within Perplexity’s Comet browser, an AI-driven application that fundamentally alters how users interact with the web. Security researchers from SquareX uncovered a critical flaw involving the browser’s MCP API, which grants built-in extensions the ability to execute commands directly on a user’s operating system. This capability effectively bypasses traditional browser security measures, creating potential avenues for system-wide attacks.
The investigation revealed two specific extensions, Comet Analytics and Comet Agentic, that remain invisible within the browser’s extension management interface. Because users cannot view or disable these components, they operate without oversight. Researchers identified an MCP API function that permits the Comet Agentic extension to run arbitrary commands on the host computer. While the current implementation restricts communication to Perplexity subdomains, the lack of public documentation leaves questions about how this powerful tool might be expanded in the future.
Security experts warn that if attackers compromise Perplexity’s domains through cross-site scripting or man-in-the-network attacks, they could potentially harness the MCP API to take control of devices, deploy malicious software, or steal sensitive information. Another attack method involves extension stomping, where malicious actors impersonate the Comet Analytics extension by obtaining its manifest key through developer tools. A fake extension created this way could inherit all original privileges and inject harmful scripts that trigger ransomware deployment through the MCP API.
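A defender-side check for the extension stomping scenario described above, added here as an example and not taken from SquareX or Perplexity: Chromium-based browsers derive an extension's ID from the `key` field of its manifest, so a sideloaded extension that reuses a built-in extension's key lands on the same ID. It assumes Comet follows that Chromium rule; the inventory record layout, the `source` labels, the paths and the key values are all constructed for illustration.

```python
import base64
import hashlib

def extension_id_from_key(key_b64):
    """Chromium rule: SHA-256 of the decoded key, first 32 hex digits, 0-f mapped to a-p."""
    der = base64.b64decode(key_b64)  # whitespace inside the value is ignored
    digest = hashlib.sha256(der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(ch, 16)) for ch in digest)

def find_stomped_ids(inventory):
    """Return (path, ext_id) for non-built-in extensions whose key maps to a built-in ID."""
    builtin_ids = {
        extension_id_from_key(item["manifest"]["key"])
        for item in inventory
        if item["source"] == "builtin" and item["manifest"].get("key")
    }
    findings = []
    for item in inventory:
        key = item["manifest"].get("key")
        if item["source"] == "builtin" or not key:
            continue  # keyless unpacked extensions get a path-derived ID instead
        try:
            ext_id = extension_id_from_key(key)
        except ValueError:  # malformed base64 cannot collide with a real ID
            continue
        if ext_id in builtin_ids:
            findings.append((item["path"], ext_id))
    return findings

# Constructed placeholder keys; these are not real extension keys.
BUILTIN_KEY = base64.b64encode(b"constructed-placeholder-public-key-A").decode()
OTHER_KEY = base64.b64encode(b"constructed-placeholder-public-key-B").decode()

# Constructed inventory; "source" is a hypothetical label set by the collector.
INVENTORY = [
    {"path": "<browser-install>/builtin-ext", "source": "builtin",
     "manifest": {"key": BUILTIN_KEY}},
    {"path": "/home/user/Downloads/ext1", "source": "unpacked",
     "manifest": {"key": BUILTIN_KEY[:10] + "\n" + BUILTIN_KEY[10:]}},
    {"path": "/home/user/dev/my-ext", "source": "unpacked",
     "manifest": {"key": OTHER_KEY}},
    {"path": "/home/user/dev/no-key", "source": "unpacked", "manifest": {}},
]

if __name__ == "__main__":
    for path, ext_id in find_stomped_ids(INVENTORY):
        print(f"ALERT: {path} reuses built-in extension ID {ext_id}")
```

The second inventory entry carries the same key with a line break inserted, which still decodes to the same bytes and therefore the same ID, so comparing derived IDs catches it where a string comparison of the `key` fields would not.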
SquareX reported their findings to Perplexity on November 4, 2025, but received no initial response. Following public disclosure on November 19, the company deployed a silent update that disabled the vulnerable API. While this action temporarily closes the security gap, researchers note the long-term implications remain uncertain since the update’s effect on browser functionality hasn’t been documented.
According to Nishant Sharma, Head of Security Research at SquareX, the MCP API’s primary function appears to be executing local commands, though its full intended purpose remains unclear due to limited documentation. The research team recommends that Perplexity maintain the disabled state of the local MCP capability, transparently inform users about such system access, and provide clear opt-out mechanisms.
The situation highlights broader concerns about AI-powered browsers that increasingly operate outside traditional security boundaries. These applications can perform complex tasks on behalf of users, including program execution and file system interaction, which challenges the established sandbox model that has protected users for decades. Security professionals emphasize that without proper safeguards, innovation in AI browsers could undermine fundamental security principles.
In response to the published report, Perplexity representatives questioned SquareX’s demonstration methodology, noting that researchers manually enabled developer mode to conduct their extension stomping proof-of-concept. The company maintains that user consent is required for local MCP installation and command execution, characterizing claims about hidden APIs as inaccurate.
However, SquareX researchers counter that their attack demonstration required no local MCP installation or additional user consent, functioning on standard Comet browser installations across both macOS and Windows platforms. They emphasize that the core vulnerability lies in the MCP API’s unprecedented system access permissions, which operate without explicit user authorization or disable options.
The fundamental security question revolves around whether AI browsers should incorporate hidden components capable of bypassing browser sandbox protections. This creates a situation where device security becomes directly dependent on the vendor’s infrastructure security. While some users might accept this trade-off for enhanced functionality, SquareX advocates for greater transparency so users can make informed decisions about their security posture.
Perplexity has acknowledged disabling the MCP API as a precautionary measure, citing concerns that public attention might inspire additional attack attempts. The company emphasizes its ongoing collaboration with security researchers through bug bounty programs and maintains robust internal security protocols, though independent verification of these safeguards remains unavailable.
The incident underscores the evolving security landscape surrounding AI-enhanced browsers and the importance of maintaining clear boundaries between browser functionality and system-level access as these tools become more sophisticated in their capabilities.
(Source: HelpNet Security)





