There is a serious security problem inside Comet, the AI-powered agentic browser made by Perplexity, SquareX researchers say: Comet’s MCP API allows the browser’s built-in (but hidden from the user) extensions to issue commands directly to a user’s device, and the capability can be leveraged by attackers.
Comet can run applications, read files and modify data on the local system. “Old-school” browsers normally block this level of access, but (some) AI-powered browsers are effectively breaking this isolation layer, the researchers noted.
The problem
SquareX has found two built-in extensions – Comet Analytics and Comet Agentic – that don’t appear in the browser’s extensions panel and are thus effectively hidden from users and can’t be disabled by them.
“In our exploration, we came across an MCP API (chrome.perplexity.mcp.addStdioServer) that allows the [Comet Agentic] to execute arbitrary commands on the host machine,” the researchers shared.
“Currently, both extensions can only communicate with perplexity.ai subdomains limiting the access of MCP API to said subdomains. However, given the limited official documentation, it is unclear how the MCP API is being used, as well as if and when this privilege is extended to other ‘trusted’ sites.”
They noted that if an attacker gains access to the perplexity.ai domain or an eligible embedded extension – for example, through an XSS attack or MitM network attack – they could use the MCP API to control the victim’s device, install malware on it, exfiltrate data, monitor the user’s activity, and so on.
Attackers could achieve the same capability by impersonating the Comet Analytics app via extension stomping, they say.
The attacker can obtain the manifest key of the Analytics Extension through the browser’s developer console and use it to create a malicious extension with a spoofed ID.
“The malicious extension, now inheriting all privileges of the original Analytics Extension, injects a malicious script into the perplexity.ai page. The injected script passes this command to the Agentic Extension. The Agentic Extension follows the instruction and invokes the MCP API to execute a ransomware,” they said, describing a possible attack.
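A defender-side check for the extension stomping described above, as an added example that is not code from SquareX or Perplexity: Chromium-based browsers derive an extension's ID from the public key in its manifest `key` field, so a manifest that yields a built-in extension's ID from any other directory is worth flagging. The function names, paths and key bytes below are constructed for illustration.

```python
import base64
import hashlib
import json


def extension_id_from_key(key_b64):
    """Chromium extension ID: SHA-256 of the DER public key in the manifest
    "key" field, first 16 bytes, each hex digit 0-f mapped to a-p."""
    der = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def find_stomping(manifests, protected):
    """manifests: iterable of (path, manifest text).
    protected: {extension ID: directory the genuine copy is installed in}.
    Returns (path, id) for every manifest that claims a protected ID from
    any other location."""
    findings = []
    for path, text in manifests:
        try:
            key = json.loads(text).get("key")
            ext_id = extension_id_from_key(key) if key else None
        except (ValueError, AttributeError, TypeError):
            continue  # unparsable manifest or key: no pinned ID to compare
        if ext_id in protected and not path.startswith(protected[ext_id]):
            findings.append((path, ext_id))
    return findings


# Constructed sample data: key bytes and paths are placeholders, not real values.
BUILTIN_KEY = base64.b64encode(b"constructed-builtin-public-key").decode()
OTHER_KEY = base64.b64encode(b"constructed-unrelated-public-key").decode()
BUILTIN_DIR = "/opt/browser/resources/analytics/"
PROTECTED = {extension_id_from_key(BUILTIN_KEY): BUILTIN_DIR}
MANIFESTS = [
    (BUILTIN_DIR + "manifest.json", json.dumps({"name": "Analytics", "key": BUILTIN_KEY})),
    ("/home/user/Downloads/helper/manifest.json", json.dumps({"name": "Helper", "key": BUILTIN_KEY})),
    ("/home/user/ext/notes/manifest.json", json.dumps({"name": "Notes", "key": OTHER_KEY})),
    ("/home/user/ext/nokey/manifest.json", json.dumps({"name": "NoKey"})),
]

if __name__ == "__main__":
    for path, ext_id in find_stomping(MANIFESTS, PROTECTED):
        print(f"ID {ext_id} claimed outside its install directory: {path}")
```

Because the `key` value is a public key, the derived ID identifies an extension but does not prove where it came from, which is why the check compares the install location as well.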
Perplexity’s reaction
The research team says there is no evidence that Perplexity is currently misusing the MCP API, but that it could put users at risk, especially because they can’t see or disable the extensions.
SquareX says they notified Perplexity of their discovery on November 4, 2025, but have received no feedback since then. After the report was published on November 19, however, Perplexity pushed a silent update disabling the MCP API, they noted. So, for the time being, this avenue of attack is closed.
It’s difficult to say how the disabling of the API will affect the browser’s functionality, though if the effect is very noticeable we’re sure to hear from the browser’s users.
“The MCP API is just used to execute local commands, so other agentic workflows within the browser that don’t use the MCP API will still work. Again, due to the lack of documentation, we aren’t sure what the MCP API was intended for apart from a few sample use cases,” Nishant Sharma, Head of Security Research at SquareX, told Help Net Security.
He says that this update/patch is not documented publicly yet, so they don’t know what Perplexity’s next step will be. “We would like to believe that the company is a responsible member of the security community and now that they are aware of the vulnerability, they will not silently activate the API again without disclosing to users.”
SquareX’s suggestions to Perplexity were that they disable the local MCP, inform users about this capability, and provide them the option to opt out of it.
The researchers say that other AI browsers also rely on embedded extensions to enable their agentic features, but so far they have only found the MCP API inside Comet.
Pushing for security boundaries
AI-powered browsers can perform tasks on behalf of users and can often reach deeper into the system than traditional browsers. The old sandbox model begins to look fragile once an AI assistant can click, type, launch programs and interact with local files.
The pressure to innovate brings new capabilities, but it also increases the attack surface in ways many users do not expect.
“If the industry doesn’t establish boundaries now, we’re setting a precedent where AI browsers can bypass decades of security principles under the banner of innovation,” SquareX pointed out.
Help Net Security has reached out to Perplexity for comment, and we’ll update this article when/if we get a response.

