Security gap in Perplexity’s Comet browser exposed users to system-level attacks
There is a serious security problem inside Comet, the AI-powered agentic browser made by Perplexity, SquareX researchers say: Comet’s MCP API allows the browser’s built-in (but hidden from the user) extensions to issue commands directly to a user’s device, and the capability can be leveraged by attackers.
Comet can run applications, read files and modify data on the local system. “Old-school” browsers normally block this level of access, but (some) AI-powered browsers are effectively breaking this isolation layer, the researchers noted.
The problem
SquareX has found two built-in extensions – Comet Analytics and Comet Agentic – that don’t appear in the browser’s extensions panel and are thus effectively hidden from users and can’t be disabled by them.
“In our exploration, we came across an MCP API (chrome.perplexity.mcp.addStdioServer) that allows the [Comet Agentic] to execute arbitrary commands on the host machine,” the researchers shared.
“Currently, both extensions can only communicate with perplexity.ai subdomains limiting the access of MCP API to said subdomains. However, given the limited official documentation, it is unclear how the MCP API is being used, as well as if and when this privilege is extended to other ‘trusted’ sites.”
They noted that if an attacker gains access to the perplexity.ai domain or an eligible embedded extension – for example, through an XSS attack or MitM network attack – they could use the MCP API to control the victim’s device, install malware on it, exfiltrate data, monitor the user’s activity, and so on.
Attackers could achieve the same capability by impersonating the Comet Analytics app via extension stomping, they say.
The attacker can obtain the manifest key of the Analytics Extension through the browser’s developer console and use it to create a malicious extension with a spoofed ID.
“The malicious extension, now inheriting all privileges of the original Analytics Extension, injects a malicious script into the perplexity.ai page. The injected script passes this command to the Agentic Extension. The Agentic Extension follows the instruction and invokes the MCP API to execute a ransomware,” they described a possible attack.
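The ID spoofing described above can be checked for on disk. The following is an added example, not code from SquareX or Perplexity: Chromium derives an extension's ID from the public key in its manifest `key` field, so a manifest in a user-writable folder that resolves to a built-in extension's ID is an indicator of extension stomping. The function names, the search root and the protected-ID set are assumptions, and the sample keys are constructed; supply the real IDs from your own installation.

```python
import base64
import hashlib
import json
import tempfile
from pathlib import Path


def extension_id_from_key(key_b64):
    """Chromium extension ID: first 16 bytes of SHA-256 over the DER public
    key in the manifest "key" field, each hex nibble mapped to a letter a-p."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()[:32]
    return "".join(chr(ord("a") + int(nibble, 16)) for nibble in digest)


def find_id_collisions(search_root, protected_ids):
    """Return sorted (manifest path, ID) pairs for manifests under search_root
    whose pinned key resolves to one of the protected extension IDs."""
    hits = []
    for manifest in Path(search_root).rglob("manifest.json"):
        try:
            key = json.loads(manifest.read_text(encoding="utf-8")).get("key")
            ext_id = extension_id_from_key(key) if key else None
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable file, bad JSON/base64, or non-object manifest
        if ext_id in protected_ids:
            hits.append((str(manifest), ext_id))
    return sorted(hits)


def demo():
    """Constructed sample: two unpacked folders, one reusing a protected key."""
    builtin_key = base64.b64encode(b"constructed stand-in for a built-in key").decode()
    other_key = base64.b64encode(b"constructed unrelated key").decode()
    # Placeholder ID set derived from the constructed key, not a real Comet ID.
    protected = {extension_id_from_key(builtin_key)}
    with tempfile.TemporaryDirectory() as root:
        for name, key in (("stomper", builtin_key), ("benign", other_key)):
            folder = Path(root, name)
            folder.mkdir()
            (folder / "manifest.json").write_text(json.dumps({"name": name, "key": key}))
        return [Path(p).parent.name for p, _ in find_id_collisions(root, protected)]


if __name__ == "__main__":
    print(demo())
```

Point the search at user-writable locations rather than the browser's own installation directory, where the genuine extension's manifest resolves to the same ID.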
Perplexity’s reaction
The research team says there is no evidence that Perplexity is currently misusing the MCP API, but that it could put users at risk, especially because they can’t see or disable the extensions.
SquareX says they notified Perplexity of their discovery on November 4, 2025, but have received no feedback since then. But, after the report was published on November 19, Perplexity pushed a silent update disabling the MCP API, they noted. So, for the time being, this avenue of attack is closed.
It’s difficult to say how the disabling of the API will affect the browser’s functionality, though if the effect is very noticeable we’re sure to hear from the browser’s users.
“The MCP API is just used to execute local commands, so other agentic workflows within the browser that don’t use the MCP API will still work. Again, due to the lack of documentation, we aren’t sure what the MCP API was intended for apart from a few sample use cases,” Nishant Sharma, Head of Security Research at SquareX, told Help Net Security.
He says that this update/patch is not documented publicly yet, so they don’t know what Perplexity’s next step will be. “We would like to believe that the company is a responsible member of the security community and now that they are aware of the vulnerability, they will not silently activate the API again without disclosing to users.”
SquareX’s suggestions to Perplexity were that they disable the local MCP, inform users about this capability, and provide them the option to opt out of it.
The researchers say that other AI browsers also rely on embedded extensions to enable their agentic features, but so far they have only found the MCP API inside Comet.
Pushing for security boundaries
AI-powered browsers can perform tasks on behalf of users and can often reach deeper into the system than traditional browsers. The old sandbox model begins to look fragile once an AI assistant can click, type, launch programs and interact with local files.
The pressure to innovate brings new capabilities, but it also increases the attack surface in ways many users do not expect.
“If the industry doesn’t establish boundaries now, we’re setting a precedent where AI browsers can bypass decades of security principles under the banner of innovation,” SquareX pointed out.
UPDATE (November 20, 2025, 4:20 p.m. ET):
A Perplexity spokesperson told Help Net Security that SquareX’s video demo of the extension stomping/sideloading attack shows “a human doing what they claim the Comet agent is doing (i.e., sideloading malware)” and that “you can see them manually turn on developer mode.”
SquareX’s Nishant says that they never claimed that Comet sideloaded the extension itself.
“We enabled the developer mode and sideloaded the extension to perform Extension stomping. However, extension stomping is just one way to exploit the MCP API which we used in the POC demo as it allows us to show how the MCP API can be misused without compromising Perplexity.”
In the wild, it is more likely that the initial access would happen via an XSS or network MitM attack as it involves the most minimal end user involvement, he added.
“The key vulnerability we were trying to highlight is not extension stomping – this is a pretty well known technique, but rather the MCP API itself that has unprecedented permissions to access the endpoint, without explicit user permissions or even the ability to disable it. This creates a massive third-party risk for end users that has never been seen before with other browsers, and unless we believe that Perplexity will never be compromised, the MCP API is wide open to misuse by attackers,” he noted.
The Perplexity spokesperson also told Help Net Security that SquareX’s claim that Comet does not explicitly obtain user consent for any local system access is “categorically false.”
“When installing local MCPs we require user consent – users are the ones setting it up and calling the MCP API. They specify exactly what command to run. Any additional command from the MCP (ex. AI tool calling) also requires user confirmation. What they are describing as a ‘hidden API’ is how Comet can run MCPs locally, and permission and user consent are clearly obtained,” they noted.
But Nishant pointed out that they did not have to install any local MCP or provide additional user consent to conduct the attack, nor did the user have to specify any MCP commands. According to their report, the Comet Agentic Extension uses the MCP API.
“Before the silent fix update, this attack was working on every Comet browser installed on MacOS and Windows machines without any additional configuration. This has also been replicated by other non-SquareX researchers independently on their own setups,” he told Help Net Security.
“Hence, we felt that it was critical that users at least know that Comet has the ability to execute local commands without their permission, and our hope is that Perplexity will include this more clearly in their Terms & Conditions/documentation and provide an option for users to opt out of such a powerful feature if they deem the risk unnecessary.”
SquareX is, effectively, warning about third-party risk: if you use Comet, you are trusting Perplexity’s servers, employees, and internal security practices. If Perplexity gets compromised, either via an XSS bug on a Perplexity domain, a phishing attack that steals an employee’s credentials, or an insider misusing access, attackers could abuse the hidden, privileged browser extensions Comet ships with, they claim.
Perplexity’s spokesperson says the risk in the phishing scenario only matters if an employee with Comet production access gets phished, which is a risk that any tech company faces. Also, they pointed out, SquareX has “no knowledge or audit of our internal security safeguards and protocols.”
The core issue here seems to be whether AI browsers should contain “hidden” components that can reach outside the browser sandbox. If they do, then the security of the device is tied directly to the security of the company.
To some, that might be an unacceptable risk, but others might see it as an acceptable trade-off. SquareX thinks that users should be given enough transparency to decide for themselves whether that trade-off is worth it.
As regards the “silent” update of the Comet browser that disabled the MCP API, the Perplexity spokesperson acknowledged the action, attributing it to an “abundance of caution”.
The publishing of SquareX’s report will likely spur a lot of people to try different attacks of their own, they said, and if even one novel attack is successful due to the attention caused by what they consider to be a fake research report, “we’ve still failed our users.”
“We work closely with security researchers all over the world and have a thriving bug bounty program with security researchers working defensively and proactively to identify and patch potential vulnerabilities 24/7,” they added.

