- SquareX Discovered MCP API Hidden in Comet Browser Allowing Execution of Arbitrary Local Commands
- A vulnerability in the Agentic extension could allow attackers to hack devices via a compromised perplexity.ai site.
- The demo showed WannaCry running; researchers warn that catastrophic third-party risk is inevitable
Cybersecurity experts at SquareX say they have found a major vulnerability in Comet, the AI browser built by Perplexity, that could allow malicious actors to take full control of the victim’s device.
SquareX discovered that the browser has a hidden API capable of executing local commands (commands on the underlying operating system, as opposed to just the browser).
This API, which the researchers named the MCP API (chrome.perplexity.mcp.addStdioServer), appears to be a custom implementation of a more general “Model Context Protocol” and “allows its built-in extensions to execute arbitrary local commands on users’ devices, capabilities that traditional browsers explicitly prohibit.”
Just a matter of time
Kabilan Sakthivel, a researcher at SquareX, said failing to adhere to the strict security controls the industry has evolved toward “reverses the course of decades of browser security principles established by vendors like Chrome, Safari and Firefox.”
SquareX says it found the API in the Agentic extension, which can be triggered by the perplexity.ai page. This means that if someone breaks into the Perplexity site, they will have access to the devices of all its users.
For the researchers, it’s not a question of “if,” but rather “when.”
“A single XSS vulnerability, a successful phishing attack against a Perplexity employee, or an insider threat would instantly grant attackers unprecedented control through the browser over every Comet user’s device,” the report notes.
“This creates a catastrophic third-party risk where users have subjected their device security to Perplexity’s security posture, with no easy way to assess or mitigate the risk.”
SquareX also showed a demo in which researchers spoofed a legitimate extension, downloaded it into the browser, and injected a script into the perplexity.ai page. This invoked the Agentic extension, which ultimately used MCP to run WannaCry.
“Although the demo exploits extension stomping, other techniques such as XSS, MitM network attacks that exploit perplexity.ai, or embedded extensions can also lead to the same result.”
We have contacted Perplexity about these findings and will update the article when we receive a response.




