A newly disclosed flaw in Perplexity’s Comet web browser has revealed that an internal API allowed hidden extensions to run commands directly on user devices, a capability beyond what modern browsers typically permit.
The issue was uncovered by security researchers at SquareX, who determined that Comet included two embedded extensions with elevated privileges: an analytics component and an automation-focused “agentic” extension. These extensions were not visible in the extensions menu, meaning users had no way to review, disable, or control them.
At the center of the finding is a private interface called the MCP API, which enabled extensions to execute arbitrary local commands through the call “chrome.perplexity.mcp.addStdioServer.”
Because the API was not documented and didn’t appear in Comet’s terms of service, users were unaware the browser possessed device-level execution capabilities normally restricted for security reasons.
How the Attack Worked
SquareX showed that the design introduced a significant attack surface. By obtaining the manifest key of Comet’s legitimate analytics extension, an attacker could create a spoofed extension — a technique known as extension stomping. Once sideloaded, Comet accepted the malicious extension as its own and hid it from view.
From there, the attacker could inject code into perplexity-owned pages and trigger the agentic extension to call the MCP API, enabling full local command execution.
In testing, SquareX used this method to run WannaCry ransomware on a controlled system.
The researchers emphasized that mainstream browsers enforce strict sandboxing and require explicit user approval for any local application interaction. Comet’s undocumented API bypassed those protections, undermining a foundational browser security principle.
Perplexity released a silent patch on November 20 that disabled the MCP API, with SquareX calling for clearer documentation and transparency going forward.
The incident highlights growing concerns around AI-powered browsers, where advanced automation features may introduce system-level risks that users cannot see or control.
Check out SquareX’s official labs report for full technical analysis and proof of concept here.
Leave a Reply