Comet, Perplexity’s AI-powered browser, faces accusations from cybersecurity firm SquareX over a purported vulnerability in its MCP API. SquareX researchers identified the API within the Agentic extension of Comet. This API enables execution of arbitrary local commands on users’ devices. Traditional browsers such as Chrome, Safari, and Firefox prohibit such capabilities in extensions. SquareX stated the API can activate from the perplexity.ai webpage. An attacker compromising the Perplexity site could then access devices of Comet users.
SquareX researcher Kabilan Sakthivel described the issue as a departure from established browser security controls. Perplexity spokesperson Jesse Dwyer responded in writing to Techplugged. Dwyer labeled the SquareX report entirely false. The company emphasized the need for specific user actions to trigger the API. Users must enable developer mode in Comet. They must also manually sideload the extension containing the API. Perplexity clarified these steps require human intervention, not automation by the Comet Assistant.
Perplexity addressed claims of lacking user consent for local system access. The company stated users provide consent when installing local MCPs. Users configure the MCPs and specify commands for the API. Any further commands from the MCP, such as those from AI tool calls, require additional user confirmation. Perplexity described the so-called hidden API as the standard method for running MCPs locally. This process follows user permission and consent protocols.
Dwyer noted prior issues with SquareX research. This marks the second instance of what Perplexity views as false security claims from the firm. Perplexity previously disproved the first report. Dwyer also contested SquareX’s account of their disclosure process. SquareX sent a Google Doc link without context or access permissions. Perplexity informed SquareX of the inability to open the document. The company requested access but received no reply or granted permissions.
SquareX maintained its position against Perplexity’s rebuttal. The firm observed a silent update to Comet following its proof-of-concept demonstration. The POC now returns a message stating Local MCP is not enabled. SquareX reported three external researchers replicated the attack. Perplexity addressed the issue hours before SquareX’s update. SquareX expressed satisfaction with the fix from a security standpoint. The firm credited its research for contributing to improvements in the AI browser’s safety. SquareX added it received no response from Perplexity on its vulnerability disclosure program submission.
The exchange highlights ongoing debates in AI browser security practices. Comet integrates AI features that extend beyond standard browsing functions. The MCP API supports local processing for certain tasks. Perplexity positions these as user-controlled features. SquareX focuses on potential risks from extension capabilities. Both sides reference established industry standards for browser extensions. Chrome, Safari, and Firefox maintain strict sandboxing to prevent local command execution. Comet’s design incorporates developer options for advanced users. These options include sideloading and MCP configuration.
Perplexity launched Comet as part of its push into AI-native browsing tools. The browser embeds AI assistance directly into the interface. Features like the Agentic extension aim to enhance productivity through local integrations. SquareX research underscores challenges in balancing AI capabilities with security isolation. Users enabling developer mode gain access to experimental features. This mode exposes additional APIs like MCP for custom setups. Perplexity requires explicit consents at each step of MCP usage. The firm stresses manual user actions prevent unauthorized execution.
SquareX detailed its findings in a public report. The report included a proof-of-concept for the API trigger. Researchers demonstrated command execution from the perplexity.ai domain. External validations confirmed the replication steps. Perplexity’s update altered the API behavior post-disclosure. SquareX viewed this as validation of the original claim. The firm operates as a cybersecurity outfit focused on browser and AI threats. Its reports often target emerging technologies. Perplexity tracks multiple such disclosures from SquareX. The company advocates for responsible research practices including proper vulnerability reporting channels.
