SquareX Alleges Critical Comet Browser Flaw, Perplexity Calls Research “Fake”
A heated dispute has erupted between browser security firm SquareX and AI company Perplexity following claims of a potentially critical security flaw in the Comet AI browser. SquareX says the vulnerability could allow attackers to execute local commands through a hidden API, while Perplexity insists the research is misleading and does not represent a real-world threat.
SquareX Claims Hidden API Could Allow Device Takeover
SquareX’s report focuses on the Model Context Protocol (MCP) used by Comet to connect AI capabilities with external tools and data. According to the firm, Comet includes two undocumented extensions—Agentic and Analytics—that cannot be disabled:
- Agentic executes automation tasks.
- Analytics monitors browser activity and tracks Agentic actions.
Both extensions communicate exclusively with perplexity.ai subdomains, suggesting a controlled environment. However, SquareX argues that if an attacker compromises this domain or exploits the Agentic extension, they could abuse the MCP API to execute commands on a user’s device—potentially enabling ransomware deployment, data theft, or remote monitoring.
SquareX acknowledges that the attacker would need an entry point, such as:
- A compromised Perplexity system,
- An XSS or man-in-the-middle attack, or
- Exploitation of the browser through an impersonated extension.
Proof of Concept Raises Concerns
In a demonstration, researchers used “extension stomping,” a technique in which a malicious extension impersonates Comet’s legitimate analytics extension. By sideloading the malicious extension, they showed how ransomware could be triggered once the browser reopened.
SquareX said it notified Perplexity on November 4, claiming the company had not responded before public disclosure.
Perplexity: “This Is Fake Security Research”
Perplexity strongly rejected the findings, stating that the scenario presented by SquareX relies heavily on unrealistic user actions.
A company spokesperson told SecurityWeek:
“This entire scenario is contrived and doesn’t represent any actual technology security risk.”
Perplexity emphasized:
- The attack shown in SquareX’s video requires significant human interaction, such as manually loading a malicious extension.
- Comet does request user consent before installing local MCPs or executing local commands.
- The company has found no evidence of exploitation targeting Comet users.
Perplexity added that while SquareX did contact them, the bug report was inaccessible, and the researchers did not respond to follow-up requests for more details.
SquareX Defends Findings, Welcomes Perplexity’s Patch
SquareX maintains that the intention of its research was to highlight the permissions and inherent risks associated with MCP rather than promote a specific attack vector. The company says its demonstration proves how powerful the API is and that alternative exploits—such as supply chain attacks or XSS vulnerabilities—would require far less user interaction.
SquareX further claims that during its testing, no permission prompts appeared, and the ransomware payload launched immediately when Comet restarted.
Despite Perplexity’s criticism, SquareX welcomed the company’s security updates, calling them “excellent news” and noting that the patch contributes to a safer AI browser environment.