By Zeljka Zorz
Publication Date: 2025-11-20 15:39:00
There is a serious security problem inside Comet, the AI-powered agentic browser made by Perplexity, SquareX researchers say: Comet’s MCP API allows the browser’s built-in (but hidden from the user) extensions to issue commands directly to a user’s device, and the capability can be leveraged by attackers.
Comet can run applications, read files and modify data on the local system. “Old-school” browsers normally block this level of access, but (some) AI-powered browsers are effectively braking this isolation layer, the researchers noted.
The problem
SquareX has found two built-in extensions – Comet Analytics and Comet Agentic – that don’t appear in the browser’s extensions panel and are thus effectively hidden from users and can’t be disabled by them.
“In our exploration, we came across an MCP API (chrome.perplexity.mcp.addStdioServer) that allows the [Comet Agentic] to execute arbitrary commands on the host machine,” the researchers shared.
“Currently, both extensions can only communicate with perplexity.ai subdomains limiting the access of MCP API to said subdomains. However, given the limited official documentation, it is unclear how the MCP API is being used, as well as if and when this privilege is extended to other ‘trusted’ sites.”
They noted that if an attacker gains access to the perplexity.ai domain or an eligible embedded extension – for example, through a XSS attack or MitM network attack – they could use the MCP…
