Obscure MCP API in Comet Browser Breaches User Trust, Enabling Full Device Control via AI Browsers

Palo Alto, California, November 19th, 2025/CyberNewsWire/--SquareX released critical research exposing a hidden API in Comet that allows extensions in the AI Browser to execute local commands and gain full control over users' devices.

The research reveals that Comet has implemented a MCP API (chrome.perplexity.mcp.addStdioServer) that allows its embedded extensions to execute arbitrary local commands on users' devices, capabilities that traditional browsers explicitly prohibit.

Concerningly, there is limited official documentation on the MCP API. Existing documentation only covers the intent of the feature, without disclosing that Comet’s embedded extensions have persistent access to the API and the ability to launch local apps arbitrarily without user permission, creating a massive breach of user trust and transparency.

\

Currently, the API is found in the Agentic extension, and it can be triggered by the perplexity.ai page, creating a covert channel for Comet to access local data and launch arbitrary commands/apps without any user control. While there is no evidence that Perplexity is currently misusing the MCP API, the question is not if but when Perplexity will be compromised.

A single XSS vulnerability, a successful phishing attack against a Perplexity employee, or an insider threat would instantly grant attackers unprecedented control via the browser over every Comet user's device. This creates catastrophic third-party risk where users have resigned their device security to Perplexity's security posture, with no easy way to assess or mitigate the risk.

In SquareX’s attack demo, the research team used extension stomping to disguise a malicious extension as the embedded Analytics Extension by spoofing its extension ID.

Once sideloaded, the malicious Analytics Extension injects a script into the perplexity.ai page, which in turn invokes the Agentic Extension which finally uses the MCP to execute WannaCry on the victim’s device. While the demonstration leveraged extension stomping, other techniques such as XSS, MitM network attacks that exploits the perplexity.ai or the embedded extensions can also lead to the same result.

More worryingly, as both extensions are critical to Comet’s agentic functionality, Perplexity has hidden them from Comet extension dashboard, preventing users from disabling them even if they are compromised. These embedded extensions become a “hidden IT” that security teams nor users have zero visibility over. Furthermore, due to the lack of documentation, there is no way to know whether or when Comet might expand access to other "trusted" sites.

While other AI Browsers also have embedded extensions, we have only found the MCP API in Comet for now. We have disclosed the attack to Perplexity, but have not heard a response. 

Similar to the OS and search engine, owning the platform where the majority of modern work occurs has always been the grand ambition for many tech companies. With AI, there is now the opportunity to make browsers more powerful than ever before. Yet, in the race to win the next browser war, many AI Browser companies are shipping features so quickly that it has come at the cost of proper documentation and security measures. 

\ Without demand for accountability from users and the security community, other AI browsers will race to implement similar, or more invasive, capabilities to remain competitive. SquareX is calling on AI browser vendors to mandate disclosure for all APIs, undergo third-party security audits, and provide users with controls to disable embedded extensions.

This isn't just about one API in one browser. If the industry doesn't establish boundaries now, we're setting a precedent where AI browsers can bypass decades of security principles under the banner of innovation. 

Demo Video: https://youtu.be/qJl4XllT-9M 

For more information, users can refer to the technical blog.

About SquareX

SquareX's browser extension turns any browser on any device into an enterprise-grade secure browser, including AI Browsers. SquareX's industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks.

Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users' existing consumer browsers, delivering security without compromising user experience. Users can find out more about SquareX’s research-led innovation at www.sqrx.com.

Contact

Head of PR

Junice Liew

SquareX

junice@sqrx.com

:::tip This story was published as a press release by Cybernewswire under HackerNoon’s Business Blogging Program. Do Your Own Research before making any financial decision.

:::

\ \