Security researchers from web browser security firm SquareX have issued a public warning after uncovering a vulnerability in Perplexity’s Comet AI browser. Their research, published on November 19, 2025, reveals a hidden feature that could allow cybercriminals complete control over a user’s computer.
The Concealed API Threat
The problem lies with a secretive mechanism called the MCP API (specifically, chrome.perplexity.mcp.addStdioServer). For your information, traditional web browsing relies on ‘sandbox isolation,’ a principle that intentionally locks down the browser environment to prevent websites or extensions from running programs on your PC.
However, the MCP API allows Comet’s own ‘embedded extensions’ to bypass this vital security layer, allowing them to execute any command on your device without asking for permission. This means that a breach could lead to malicious software installation, data theft, or device monitoring.
This feature has caused a massive breach of trust, particularly because official documentation for the MCP API is nearly non-existent, while the few available details only explain the feature’s intent, and don’t disclose that Comet’s extensions maintain persistent access to the API and can launch local applications arbitrarily. SquareX argues this functionality breaks decades of established browser security standards.
Invisible Extensions, Zero Control
Researchers found that the Comet browser comes pre-loaded with two hidden extensions: one for analytics and one for its AI agent features. These components power the browser’s agentic capabilities (its ability to act on your behalf). The MCP API resides in the Agentic extension and can be activated directly by the Perplexity website, creating a secret channel to access local data.
SquareX demonstrated the attack using extension stomping, where they disguised a malicious extension that then commanded the Agentic Extension to invoke the MCP API, and successfully launched WannaCry.
The team also noted that common vulnerabilities like XSS and MitM network attacks could be used to exploit this vulnerability just as easily. A compromise of Perplexity’s systems would instantly create a disastrous third-party risk, giving attackers unprecedented control over Comet users.
Warning for the AI Browser Future
While SquareX notes there is no evidence of Perplexity currently misusing this capability, the third-party risk remains substantial. They first contacted Perplexity to disclose the attack on Tuesday, November 4th, 2025, but as of the writing of their report, they had not received a reply. The firm clarified that this specific, vulnerable API has only been found in Comet among current AI browsers.
This discovery highlights inherent issues in the design of the new generation of AI browsers. SquareX is urging Perplexity and other AI browser makers to fully disclose all powerful APIs and provide users with a simple option to disable any embedded extensions that possess system-level access.
Expert Commentary:
Security experts shared their analysis with Hackread.com on the broader implications for security and the enterprise. Randolph Barr, Chief Information Security Officer at Cequence Security, said the findings highlight a “deeper issue that goes beyond a single browser implementation.”
He emphasised that the shift breaks long-standing security assumptions: “AI-native browsers are introducing system-level behaviours that traditional browsers have intentionally restricted for decades… When embedded extensions can trigger OS-level actions… the browser effectively becomes a privileged agent on the device.”
Barr noted this creates an “expanded attack surface” driven by curiosity-driven adoption by employees on personal devices, behaviours that “inevitably bleed into the workplace.”
He also pointed out that AI browsers are easy targets, stating, “Attackers can identify them with a few lines of JavaScript or by probing for AI-specific behaviours… At scale, that enables targeted attacks against users running these higher-risk, agent-enabled environments.”
Ronald Lewis, Senior Innovation Manager at Black Duck, reminded users that AI browsers carry inherited risks alongside new ones. He pointed out that the Comet AI Browser “incorporates many of the risks associated with traditional browsers but also incorporates a significant number of AI-borne risks.”
Lewis suggested consumers be vigilant and proactively think about risks such as the potential for the AI tool to perform harmful or unexpected actions due to ambiguous instructions, whether it could respond to hidden system instructions, if external sources could manipulate the tool’s behaviour, and if third-party integrations could interact with the tool to trigger unintended actions.