- SquareX accused Perplexity’s Comet browser of exposing a hidden MCP API that could enable local command execution
- Perplexity rejected the claims as “entirely false,” stressing the API requires developer mode, user consent, and manual sideloading
- SquareX countered, saying Comet was silently updated after its proof‑of‑concept, and that external researchers replicated the attack
Cybersecurity company SquareX recently accused Perplexity of keeping a major vulnerability in its AI browser, Comet – the latter has now responded, saying the research report is “entirely false” and part of a growing “fake security research” problem.
SquareX had said it found a hidden API in the Comet browser, capable of executing local commands. That API, named MCP API, allows its embedded extensions to execute arbitrary local commands on users’ devices, capabilities that traditional browsers explicitly prohibit.
SquareX said it found the API in the Agentic extension, which can be triggered by the perplexity.ai page, meaning that should anyone break into the Perplexity site, they will have access to devices of all of its users.
Perplexity’s response
For Kabilan Sakthivel, Researcher at SquareX, not adhering to strict security controls the industry evolved to, “reverses the clock on decades of browser security principles established by vendors like Chrome, Safari and Firefox.”
But Perplexity begs to differ, noting in a written response sent to TechRadar Pro by spokesperson Jesse Dwyer that the report is “entirely false”.
The company added the vulnerability requires a human to do the work, not the Comet Assistant, and it requires the developer mode to be turned on.
“To replicate this, the human user must turn on developer mode and manually sideload malware into Comet,” it said.
Perplexity also said that Comet not explicitly obtaining user consent for any local system access is “categorically false”.
“When installing local MCPs we require user consent–users are the ones setting it up and calling the MCP API. They specify exactly what command to run,” Dwyer wrote. “Any additional command from the MCP (ex. AI tool calling) also requires user confirmation.”
Furthermore, Perplexity says that what SquareX describes as a “hidden API” is in fact “simply how Comet can run MCPs locally”, with permission and user consent first obtained.
“This is SquareX’s second time presenting false security research. The first one we also proved was false,” he stressed.
Dwyer also claims SquareX did not submit a report as it claims. “Instead, they sent a link to a Google doc, with no context, and no access. We informed them we were unable to open the Google docs, requested access to the google docs, and never heard a reply nor were granted access to the docs.”
SquareX also fires back
But SquareX isn’t backing down, either.
The company also said it spotted Perplexity making a “silent update” to Comet, in which the same POC will now return “Local MCP is not enabled”.
It claims to have had three external researchers replicate the attack, and that Perplexity fixed it a few hours ago.
“This is excellent news from a security perspective and we are glad that our research could contribute to making the AI Browser safer,” SquareX concluded, adding that it did not hear back from Plerplexity on its VDP submission.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
