
Cybersecurity researchers at SquareX have disclosed critical security vulnerabilities in Perplexity’s Comet AI browser that fundamentally challenge decades of browser security architecture. The research reveals an undocumented Model Context Protocol (MCP) API embedded within Comet that enables browser extensions to execute arbitrary local commands on users’ devices—capabilities that traditional browsers explicitly prohibit through established security controls.
The hidden API, identified as chrome.perplexity.mcp.addStdioServer, allows Comet’s embedded Agentic extension to bypass conventional browser sandboxing and gain system-level access typically reserved for native applications. This architectural decision reverses decades of browser security principles established by vendors including Google Chrome, Mozilla Firefox, and Apple Safari.
The most concerning aspect: The MCP API can be triggered directly from the perplexity.ai webpage, creating a covert execution channel that attackers could exploit through familiar techniques including cross-site scripting (XSS), man-in-the-middle (MitM) network attacks, compromised browser extensions, or insider threats targeting Perplexity infrastructure.
This security advisory provides comprehensive technical analysis, business impact assessment, proof-of-concept attack demonstrations, and actionable mitigation strategies for enterprise security teams evaluating AI-powered browsers for organizational deployment.
Understanding the Perplexity Comet Browser Architecture and Security Model
What Is Perplexity Comet and Why Does Its Security Matter?
Perplexity Comet represents a new generation of AI-powered “agentic” browsers designed to go beyond traditional web navigation by performing autonomous tasks on behalf of users. Launched as a premium offering at up to $200 per month for full-featured access, Comet integrates artificial intelligence capabilities directly into the browsing experience, enabling features such as:
- Autonomous web page summarization and content analysis
- Multi-step task execution based on natural language commands
- Workflow orchestration across multiple websites and applications
- Direct interaction with local system resources and files
- AI-driven decision-making for navigation and data extraction
The browser positions itself at the intersection of web browsing and AI assistance, blurring traditional boundaries between trusted browser operations and untrusted web content. This architectural approach introduces novel security challenges that don’t exist in conventional browser designs.
The Hidden Extension Architecture: Analytics and Agentic Components
Comet ships with two bundled extensions that do not appear in chrome://extensions or any standard extension management dashboard, meaning users cannot disable or uninstall them through conventional methods. These hidden extensions include:
- Analytics Extension: Appears to handle telemetry and usage tracking
- Agentic Extension: Implements AI-powered autonomous task execution capabilities
The invisibility of these extensions from standard extension management interfaces creates what security researchers term “hidden IT”—components that neither security teams nor end users have visibility over, cannot monitor, and cannot disable even if they suspect compromise.
Technical Deep Dive: The Model Context Protocol (MCP) API Vulnerability
Architectural Security Flaw: Bypassing Browser Sandbox Protections
Traditional browsers require native messaging APIs with explicit registry entries and user consent for any local system access, adhering to strict security controls that prevent browsers and extensions from directly controlling the underlying device. Perplexity Comet fundamentally departs from this established security model.
The MCP API implementation enables:
- Arbitrary local command execution: Extensions can run any operating system command without explicit user authorization
- Application launching: Direct capability to start programs, scripts, and executables on the host system
- File system access: Read and write operations on local storage without browser sandboxing restrictions
- Network operations: Unrestricted network communications bypassing browser security policies
- System configuration modifications: Potential to alter registry entries, system settings, and security configurations
SquareX researchers discovered the API directly in the Comet Analytics Extension source code by identifying the non-standard “chrome.perplexity” namespace that suggested custom additions to the Chromium codebase.
The Attack Surface: How Exploitation Occurs
The API is found in Comet’s Agentic extension and can be triggered by the Perplexity webpage to create a covert channel for Comet to access local data and launch arbitrary commands/apps without any user control.
Primary attack vectors include:
1. Extension Stomping Attacks: Attackers can disguise malicious extensions as legitimate Comet components by spoofing extension IDs. Since Comet’s embedded extensions are hidden from standard extension management, users have no visibility into which extensions are actually running or their authenticity.
2. Cross-Site Scripting (XSS) Exploitation: A single XSS vulnerability on perplexity.ai would provide attackers with the ability to inject malicious JavaScript that triggers the MCP API, executing arbitrary commands on every Comet user’s device visiting the compromised page.
3. Man-in-the-Middle (MitM) Network Attacks: Network-level attackers positioned between users and Perplexity’s servers could intercept and modify traffic to inject malicious payloads that invoke the MCP API for command execution.
4. Compromised Perplexity Infrastructure: A successful phishing attack against a Perplexity employee, an insider threat, or any security breach of Perplexity’s infrastructure would instantly grant attackers unprecedented control via the browser over every Comet user’s device.
5. Supply Chain Attacks Targeting Third-Party Extensions: If additional third-party extensions gain access to the MCP API (which remains undocumented and unconfirmed), compromises of those extensions would provide system-level access to all Comet users.
Proof-of-Concept Attack Demonstration: WannaCry Ransomware Execution
SquareX Attack Demo: From Extension Stomping to Malware Deployment
SquareX’s research team demonstrated a complete exploitation chain using extension stomping to disguise a malicious extension as the embedded Analytics Extension by spoofing its extension ID.
Attack sequence:
- Malicious extension sideloading: Researchers enabled developer mode and loaded a spoofed Analytics Extension with an identical extension ID
- Script injection into perplexity.ai: The malicious extension injected JavaScript into the Perplexity webpage
- Agentic Extension invocation: The injected script triggered the legitimate Agentic Extension
- MCP API exploitation: The Agentic Extension used the MCP API to execute commands
- WannaCry ransomware deployment: The final payload launched WannaCry malware on the victim’s device
While the demonstration leveraged extension stomping, researchers note that other techniques such as XSS and basic network MitM attacks are more than enough to achieve the same result, with an extremely low technical bar for exploitation.
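Two indicators in the research above lend themselves to an automated endpoint check: a second extension directory that claims the same ID as a bundled one (extension stomping works by reusing the original manifest's public key, from which Chromium derives the ID), and extension code that references the chrome.perplexity namespace. This is an added Python example, not SquareX's or Perplexity's code: it derives IDs the way Chromium does and runs both checks over constructed sample manifests; the paths, keys and sample scripts are assumptions, and load_extensions is a helper for pointing the same checks at a real profile directory.

```python
import base64
import hashlib
import json
import os
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample data, not real Comet files: two bundled extensions and one
# developer-mode copy that reuses the Analytics manifest's "key". Reusing the key is
# what gives a sideloaded extension the same ID as the original (extension stomping).
FAKE_KEY_A = base64.b64encode(b"constructed DER public key A").decode()
FAKE_KEY_B = base64.b64encode(b"constructed DER public key B").decode()

SAMPLE_EXTENSIONS = {
    "/opt/comet/resources/analytics": {
        "manifest": {"name": "Analytics", "version": "1.0", "key": FAKE_KEY_A},
        "scripts": ["chrome.runtime.sendMessage({event: 'pageview'});"],
    },
    "/opt/comet/resources/agentic": {
        "manifest": {"name": "Agentic", "version": "1.0", "key": FAKE_KEY_B},
        "scripts": ["chrome.perplexity.mcp.addStdioServer(serverConfig);"],
    },
    "/home/user/dev/fake-analytics": {
        "manifest": {"name": "Analytics", "version": "1.0", "key": FAKE_KEY_A},
        "scripts": ["document.body.appendChild(document.createElement('script'));"],
    },
}

# Any member access under the non-standard chrome.perplexity namespace.
PRIVILEGED_API = re.compile(r"\bchrome\.perplexity(?:\.\w+)+")

def extension_id_from_key(key_b64: str) -> str:
    """Chromium's ID derivation: SHA-256 over the DER public key from the manifest
    "key" field, first 16 bytes, each nibble mapped onto the letters a..p."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()[:16]
    return "".join(chr(ord("a") + (b >> 4)) + chr(ord("a") + (b & 0x0F)) for b in digest)

def find_id_collisions(extensions: dict) -> dict:
    """Return {extension_id: [paths]} for IDs claimed by more than one install location.
    Unpacked extensions without a "key" get a path-derived ID and cannot collide this way."""
    by_id = defaultdict(list)
    for path, ext in extensions.items():
        key = ext["manifest"].get("key")
        if key:
            by_id[extension_id_from_key(key)].append(path)
    return {eid: paths for eid, paths in by_id.items() if len(paths) > 1}

def find_privileged_api_use(extensions: dict) -> dict:
    """Return {path: [api names]} for extension code that touches chrome.perplexity.*"""
    hits = {}
    for path, ext in extensions.items():
        calls = sorted({m.group(0) for src in ext["scripts"] for m in PRIVILEGED_API.finditer(src)})
        if calls:
            hits[path] = calls
    return hits

def load_extensions(root: str) -> dict:
    """Read every manifest.json below root plus the .js files beside it, in the
    same shape as SAMPLE_EXTENSIONS, so both checks can run on a real profile."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" in files:
            manifest = json.loads(Path(dirpath, "manifest.json").read_text(encoding="utf-8"))
            scripts = [Path(dirpath, f).read_text(encoding="utf-8", errors="ignore")
                       for f in files if f.endswith(".js")]
            found[dirpath] = {"manifest": manifest, "scripts": scripts}
    return found
```

On the sample data, the collision check reports the bundled Analytics directory and the developer-mode copy under one ID, and the API scan reports only the Agentic extension.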
Real-World Exploitation Scenarios
Scenario 1: Corporate Espionage via Compromised Perplexity Infrastructure
Sophisticated threat actors compromise Perplexity’s web infrastructure through supply chain attacks or insider threats. Attackers inject malicious JavaScript into perplexity.ai pages that silently invoke the MCP API to:
- Exfiltrate sensitive corporate documents from local file systems
- Capture screenshots and keystrokes
- Deploy persistent backdoors and remote access trojans (RATs)
- Pivot to internal network resources for lateral movement
Scenario 2: Ransomware Distribution at Scale
Cybercriminal groups exploit XSS vulnerabilities on perplexity.ai to deliver ransomware payloads to thousands of Comet users simultaneously. The MCP API enables direct ransomware execution without requiring social engineering, user interaction, or exploitation of additional vulnerabilities.
Scenario 3: State-Sponsored Surveillance Operations
Nation-state actors target high-value individuals using Comet browser for web research and intelligence gathering. Compromising Perplexity infrastructure provides continuous system-level access for:
- Real-time surveillance and monitoring
- Data collection from sensitive government or corporate networks
- Credential harvesting for additional compromises
- Long-term persistent access mechanisms
Business Impact Assessment: Enterprise Risk Implications
The Catastrophic Third-Party Risk Model
This creates catastrophic third-party risk where users have resigned their device security to Perplexity’s security posture, with no easy way to assess or mitigate the risk.
Risk quantification for enterprise environments:
Information Security Risks:
- Complete endpoint compromise: Full system-level access equivalent to administrative privileges
- Data exfiltration capabilities: Unrestricted access to local files, credentials, and sensitive information
- Network propagation: Compromised endpoints serve as launching points for lateral movement
- Compliance violations: Potential breaches of data protection regulations (GDPR, CCPA, HIPAA, SOX)
Operational Continuity Risks:
- Ransomware deployment: Direct execution capabilities without traditional infection vectors
- Service disruption: System modifications could render workstations inoperable
- Recovery complexity: Unknown persistence mechanisms complicate incident response
- Business continuity impacts: Widespread compromise could halt critical business operations
Reputational and Legal Risks:
- Customer data breaches: Exposure of client information through compromised systems
- Regulatory penalties: Non-compliance with security standards and data protection laws
- Litigation exposure: Class-action lawsuits from affected customers and partners
- Trust degradation: Loss of customer confidence in security capabilities
Enterprise Adoption Concerns and Market Response
Security analyst John Grady from Omdia noted that most organizations have already classified AI browsers conservatively, treating them as unsanctioned applications until they can fully assess the tradeoffs.
Current enterprise security posture regarding AI browsers:
- Shadow IT classification: Most organizations have not formally approved AI browsers for corporate use
- Risk appetite limitations: Security teams unwilling to accept unquantified third-party risks
- Due diligence requirements: Lack of independent security audits and certifications
- Alternative availability: Established browsers with proven security models remain preferred
Perplexity’s Response and Remediation Efforts
Vendor Communication and Mitigation Timeline
Perplexity acknowledged taking action “out of abundance of caution” by silently updating the Comet browser to disable the MCP API after receiving SquareX’s disclosure.
Disclosure and response timeline:
- Initial disclosure: SquareX privately disclosed findings to Perplexity before public release
- Limited vendor response: Perplexity initially declined to comment on the research
- Silent patch deployment: MCP API disabled through automatic browser update without public documentation
- No public acknowledgment: Update changelog does not reference security fixes or MCP API changes
- Ongoing concerns: Researchers note the update is undocumented, raising questions about whether the mitigation is permanent
Controversy Around Research Characterization
A Perplexity spokesperson characterized SquareX’s report as a “fake research report,” stating they work closely with security researchers worldwide through a thriving bug bounty program.
Points of contention:
- Extension stomping prerequisites: Perplexity argues the attack requires local device access and developer mode enablement
- Real-world exploitability: Vendor disputes whether XSS and MitM vectors are practical exploitation methods
- Responsible disclosure handling: Disagreement over appropriate disclosure timelines and public communication
- Security posture representation: Differing perspectives on whether the MCP API constitutes a vulnerability
Security community consensus: Independent security experts agree that the low technical bar for exploitation and the presence of undocumented system-level APIs raise legitimate security concerns regardless of attack prerequisites.
Technical Mitigation Strategies and Security Best Practices
Immediate Actions for Enterprise Security Teams
Priority 1: Assess Current Exposure and Usage Patterns
- Inventory AI browser deployments: Identify all instances of Comet and similar AI browsers across corporate endpoints
- Review access logs: Analyze authentication logs and browser usage patterns for suspicious activity
- Evaluate data sensitivity: Determine what sensitive information is accessible from devices running Comet
- Risk assessment: Quantify potential business impact based on current deployment scope
Priority 2: Implement Access Controls and Network Restrictions
- Application whitelisting enforcement: Block execution of unapproved AI browsers through endpoint security policies
- Network segmentation: Isolate devices running AI browsers from critical business systems
- Proxy and filtering: Route AI browser traffic through security proxies with deep packet inspection
- Zero Trust architecture: Implement strict authentication and authorization controls for all applications
Priority 3: User Education and Security Awareness
- AI browser risk communication: Educate employees about security implications of AI-powered browsing
- Approved browser policies: Clearly communicate organizational standards for browser selection
- Security reporting channels: Establish mechanisms for employees to report suspicious browser behavior
- Phishing awareness: Train users to recognize social engineering attempts targeting browser vulnerabilities
Long-Term Strategic Security Enhancements
Establish AI Application Vetting Framework
Organizations must develop comprehensive evaluation criteria for AI-powered applications before enterprise deployment:
- Independent security audits: Require third-party security assessments and penetration testing
- Architecture reviews: Evaluate system-level API implementations and privilege requirements
- Documentation standards: Demand complete documentation of security-relevant features and APIs
- Transparency requirements: Insist on visible extension management and user control capabilities
- Incident response planning: Develop procedures for handling AI application security incidents
Browser Security Hardening and Monitoring
- Extension management policies: Restrict extension installation to organization-approved sources
- Browser isolation technologies: Implement remote browser isolation for high-risk web navigation
- Behavioral analytics: Deploy user and entity behavior analytics (UEBA) for anomaly detection
- Endpoint detection and response (EDR): Ensure comprehensive EDR coverage with behavioral monitoring
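The log review, UEBA and EDR items above reduce, for this particular flaw, to one concrete signal: the browser process starting a local program it has no reason to start. This added Python example (not from the original research or any vendor product) walks constructed process-creation telemetry, flags every non-browser process that descends from a browser within a few hops, and rates shells and script hosts higher than other children, so a chain such as comet.exe starting cmd.exe which starts powershell.exe produces two findings. The browser image names, the shell list and the sample events are assumptions.

```python
import json
import re

# Image names to treat as the browser (constructed list; extend for your fleet).
BROWSER_IMAGES = {"comet.exe", "comet", "chrome.exe", "msedge.exe"}
# Children a browser has no legitimate reason to start: shells, script hosts, LOLBins.
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                           "mshta.exe", "rundll32.exe", "regsvr32.exe", "sh", "bash", "zsh", "osascript"}

# Constructed process-creation telemetry (one JSON object per line, Sysmon Event ID 1-like
# fields). Not real logs: pid 7 stands in for a desktop shell that is not in the sample.
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 7, "image": "C:\\Program Files\\Comet\\comet.exe", "cmdline": "comet.exe", "user": "CORP\\alice"}
{"pid": 101, "ppid": 100, "image": "C:\\Program Files\\Comet\\comet.exe", "cmdline": "comet.exe --type=renderer", "user": "CORP\\alice"}
{"pid": 102, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami", "user": "CORP\\alice"}
{"pid": 103, "ppid": 102, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -Command Get-Process", "user": "CORP\\alice"}
{"pid": 104, "ppid": 7, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe", "user": "CORP\\bob"}
{"pid": 105, "ppid": 104, "image": "C:\\Program Files\\Vendor\\native_host.exe", "cmdline": "native_host.exe", "user": "CORP\\bob"}
"""

def image_name(path: str) -> str:
    """Basename of an image path, tolerant of Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def parse_events(log_text: str) -> list:
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def browser_ancestor(event: dict, by_pid: dict, max_depth: int):
    """Walk up the parent chain and return (browser_event, hops) for the first
    browser process within max_depth hops, or (None, 0) if there is none."""
    current, hops = event, 0
    while hops < max_depth:
        parent = by_pid.get(current["ppid"])
        if parent is None:
            return None, 0
        hops += 1
        if image_name(parent["image"]) in BROWSER_IMAGES:
            return parent, hops
        current = parent
    return None, 0

def find_browser_spawned_processes(events: list, max_depth: int = 3) -> list:
    """Flag every non-browser process that descends from a browser within max_depth
    hops. Renderer/GPU/utility helpers share the browser image and are skipped;
    shells and script hosts are rated high, any other child medium."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        if name in BROWSER_IMAGES:
            continue
        ancestor, hops = browser_ancestor(e, by_pid, max_depth)
        if ancestor is None:
            continue
        findings.append({
            "pid": e["pid"], "image": name, "user": e["user"],
            "severity": "high" if name in SHELLS_AND_SCRIPT_HOSTS else "medium",
            "reason": f"{image_name(ancestor['image'])} (pid {ancestor['pid']}) is "
                      f"{hops} hop(s) up the process tree; cmdline: {e['cmdline']}",
        })
    return findings

EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for f in find_browser_spawned_processes(EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} {f['image']} ({f['user']}): {f['reason']}")
```

A legitimate native messaging host also shows up as a medium finding, which is intended: the point is to make every browser-spawned process visible so it can be allowlisted deliberately rather than missed.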
Broader Implications: The Future of AI Browser Security
Architectural Security Challenges in Agentic Browsing
In the race to win the next browser war, many AI browser companies are shipping features so quickly that it has come at the cost of proper documentation and security measures.
Fundamental tensions in AI browser design:
Innovation vs. Security Trade-offs: AI browsers promise enhanced productivity through autonomous task execution, but these capabilities inherently require elevated system access that conflicts with browser sandboxing principles.
User Experience vs. Transparency: Seamless AI assistance requires background operations and automated decision-making, but this opacity prevents users from understanding and controlling system-level activities.
Performance vs. Isolation: Real-time AI processing benefits from direct system access, but security isolation mechanisms that prevent malicious behavior introduce performance overhead.
Industry-Wide Security Recommendations
SquareX emphasizes that AI browsers must disclose all system-level APIs, undergo independent security audits, and give users the ability to disable embedded extensions.
Minimum security standards for AI browser vendors:
- Complete API documentation: Publish comprehensive technical documentation for all custom APIs and system-level capabilities
- Explicit user consent: Require informed consent before enabling system-level access features
- Extension visibility and control: Make all embedded extensions visible in standard management interfaces with user-controlled enable/disable functionality
- Security audit transparency: Publish results of independent third-party security assessments and penetration tests
- Bug bounty programs: Establish responsible disclosure programs with appropriate reward structures
- Incident response capabilities: Develop and document procedures for responding to security vulnerabilities
- Regulatory compliance: Adhere to applicable security standards and data protection regulations
Regulatory and Compliance Considerations
Potential regulatory scrutiny areas:
- Data protection compliance: GDPR, CCPA requirements for user data processing and consent
- Security standards adherence: SOC 2, ISO 27001 certification for enterprise deployments
- Industry-specific regulations: HIPAA for healthcare, PCI DSS for payment processing, FedRAMP for government
- Emerging AI regulations: EU AI Act and similar frameworks governing AI system safety and transparency
Competitive Landscape: AI Browser Security Across the Industry
How Other AI Browsers Handle System-Level Access
While other AI browsers also rely on embedded extensions to enable their agentic features, researchers have only found the MCP API inside Comet so far.
Comparative analysis of AI browser security models:
Microsoft Edge Copilot
- Integrates AI assistance through Microsoft’s ecosystem with established security controls
- Leverages existing Windows security architecture for system-level operations
- Subject to Microsoft’s security development lifecycle (SDL) and regular security audits
Brave AI Browser Features
- Implements AI capabilities with stricter privacy-preserving architecture
- Maintains traditional browser sandboxing for extension operations
- Open-source codebase enables community security review
Google Chrome AI Features
- Incorporates machine learning capabilities while maintaining sandbox integrity
- Requires explicit permissions for any system-level access
- Extensive security research and bug bounty program history
Arc Browser
- Provides productivity features through conventional browser APIs
- No evidence of undocumented system-level access mechanisms
- Regular security updates through standard browser update channels
SiteGuarding’s Professional AI Browser Security Assessment Services
At SiteGuarding, we recognize the evolving threat landscape created by AI-powered applications and next-generation browsers. Our comprehensive cybersecurity services help enterprises navigate the security implications of AI integration while maintaining robust protection against emerging threats.
Our AI Application Security Solutions Include:
AI Browser and Application Security Audits
- Comprehensive security assessments of AI-powered browsers and applications
- API vulnerability analysis and privilege escalation testing
- Extension security review and supply chain risk evaluation
- Architecture security design consultation for AI application adoption
Enterprise Browser Security Implementation
- Secure browser deployment strategies and configuration management
- Browser isolation technology implementation and optimization
- Extension management policies and enforcement mechanisms
- User activity monitoring and behavioral analytics
Third-Party Risk Management for AI Technologies
- Vendor security assessment frameworks for AI service providers
- Supply chain security analysis and risk quantification
- Contractual security requirement development
- Continuous vendor security monitoring and compliance verification
Incident Response and Forensics for AI-Related Compromises
- Rapid response services for suspected AI browser compromises
- Digital forensics analysis of browser extension malware
- Post-incident remediation and security enhancement
- Threat intelligence integration for proactive defense
Security Awareness Training for AI Technologies
- Customized training programs covering AI browser security risks
- Hands-on workshops demonstrating AI-related attack vectors
- Executive briefings on emerging AI security challenges
- Security culture development for AI-first organizations
Contact our AI security specialists to discuss comprehensive risk assessment and mitigation strategies for AI browser deployments and next-generation application security.
Conclusion: Navigating the AI Browser Security Landscape
The discovery of undocumented system-level APIs in Perplexity’s Comet browser represents a watershed moment for AI-powered application security. While AI browsers promise revolutionary productivity enhancements through autonomous task execution and intelligent assistance, these capabilities cannot come at the expense of fundamental security principles established over decades of browser development.
Key takeaways for enterprise security decision-makers:
✓ Exercise extreme caution when evaluating AI browsers for enterprise deployment until independent security audits confirm robust security architectures
✓ Demand transparency from AI browser vendors regarding all system-level APIs, embedded extensions, and privilege requirements
✓ Implement defense-in-depth strategies including application control, network segmentation, and behavioral monitoring for any AI browser deployments
✓ Establish comprehensive vetting frameworks for AI applications that balance innovation with security risk management
✓ Maintain vigilance through continuous monitoring and threat intelligence integration as the AI browser landscape evolves
✓ Prioritize established browsers with proven security track records until AI browsers demonstrate mature security practices
The Comet MCP API vulnerability serves as a critical reminder that the rush to integrate AI capabilities must not compromise the foundational security principles that protect users and organizations. As the industry continues innovating in AI-powered browsing, vendors must prioritize security-by-design approaches, transparent communication with users, and adherence to established browser security standards.
For now, organizations should approach AI browsers with appropriate skepticism, implementing rigorous evaluation processes before deployment and maintaining strong compensating controls for any AI browser usage in enterprise environments.
Additional Resources and Technical References
Original Security Research:
- SquareX Security Advisory: Comet Browser MCP API Vulnerability
- SquareX Technical Analysis and Proof-of-Concept Demonstrations
- Browser Native In-Depth Technical Coverage
Industry Analysis and Expert Commentary:
- CSO Online: Hidden API in Comet AI Browser Raises Security Red Flags
- Help Net Security: Security Gap in Perplexity’s Comet Browser
- SiliconANGLE: SquareX Warns Hidden API Enables Full Device Takeover
AI Browser Security Best Practices:
- Browser Security Standards and Guidelines (OWASP)
- Enterprise Security Configuration Baselines
- AI Application Security Assessment Frameworks