A heated dispute has erupted between browser security firm SquareX and AI search company Perplexity after SquareX published research alleging a critical vulnerability in Perplexity’s Comet AI browser. While Perplexity moved quickly to implement precautionary protections, it has sharply rejected the findings as “fake security research.”
SquareX Warns of Potential Command Execution Through Hidden API
SquareX’s report focuses on Comet’s sparsely documented Model Context Protocol (MCP) API and two internal browser extensions, Agentic and Analytics, that operate behind the scenes and cannot be disabled by the user. MCP is commonly used to let AI applications connect securely to external tools and data sources.
According to SquareX, the Agentic extension powers Comet’s automation features, while the Analytics extension monitors both user behavior and Agentic activity. Although these extensions are restricted to communicating solely with perplexity.ai subdomains, SquareX argues that a sophisticated attacker who compromises that domain or manipulates the Agentic extension could exploit the MCP API to run commands directly on a user’s device.
The firm claims such access could theoretically allow ransomware deployment, data theft or persistent device control — all without user approval.
Attack Requires Significant Preconditions, SquareX Admits
SquareX acknowledges the attack is not simple. It would require either a man-in-the-middle attack, an XSS exploit, or direct access to Perplexity systems to tamper with the original extension. In its proof-of-concept demo, researchers used an “extension stomping” method: creating a malicious extension disguised as the legitimate Comet Analytics extension and then sideloading it to show how ransomware could be triggered.
The company says it reported the issue to Perplexity on November 4 but received no reply before publicly disclosing its findings.
Perplexity Responds: Research is ‘Contrived’ and Not a Real-World Threat
Perplexity firmly disputes the legitimacy of SquareX’s conclusions. In a statement to SecurityWeek, the company confirmed applying some mitigations “out of an abundance of caution” but dismissed the research as unrealistic.
“This entire scenario is contrived and doesn’t represent any actual technology security risk,” a Perplexity spokesperson said, arguing that SquareX’s demo relies heavily on users being tricked into manually installing malware — or on an insider with production access replacing an extension, a scenario Perplexity says is implausible.
The company also disputes the claim that Comet executes local commands without consent. Perplexity says users must explicitly approve the installation of local MCP components, and any commands issued through those components require separate confirmation.
Perplexity added that although SquareX attempted to submit a bug report, Perplexity could not access the information, and that its follow-up requests to SquareX went unanswered.
SquareX Stands by Findings, Citing Broader Risks
SquareX responded that the purpose of its demo was to highlight the underlying risk posed by the MCP API’s permissions, not to claim that its proof-of-concept reflected the easiest or most likely attack method. The firm said other vectors — such as supply-chain breaches, cross-site scripting, or network-level attacks — would require far less user involvement.
SquareX also reiterated that during testing, its researchers were not prompted for permission before code execution occurred, and that ransomware executed immediately once the browser reopened.
Despite the disagreement, the firm welcomed Perplexity’s defensive update, calling the patch “excellent news” and saying it was pleased its research contributed to improvements in Comet’s security posture.