- SquareX discovered hidden MCP API in Comet browser enabling arbitrary local command execution
- Vulnerability in Agentic extension could let attackers hijack devices via compromised perplexity.ai site
- Demo showed WannaCry execution; researchers warn catastrophic third‑party risk is inevitable
Cybersecurity experts at SquareX claims to have found a major vulnerability in Comet, the AI browser built by Perplexity, which could let threat actors take over the victim’s device, entirely.
SquareX found the browser has a hidden API capable of executing local commands (commands on the underlying operating system, as opposed to just the browser).
That API, which the researchers named as MCP API (chrome.perplexity.mcp.addStdioServer), appears to be a custom implementation of a more general “Model Context Protocol”, and “allows its embedded extensions to execute arbitrary local commands on users’ devices, capabilities that traditional browsers explicitly prohibit.”
Just a matter of time
For Kabilan Sakthivel, Researcher at SquareX, not adhering to strict security controls the industry evolved to, “reverses the clock on decades of browser security principles established by vendors like Chrome, Safari and Firefox.”
SquareX says it found the API in the Agentic extension, which can be triggered by the perplexity.ai page. That means, should anyone break into the Perplexity site, they will have access to devices of all of its users.
For the researchers, this is not a question of ‘if’, but rather – ‘when’.
“A single XSS vulnerability, a successful phishing attack against a Perplexity employee, or an insider threat would instantly grant attackers unprecedented control via the browser over every Comet user’s device,” their report notes.
“This creates catastrophic third-party risk where users have resigned their device security to Perplexity’s security posture, with no easy way to assess or mitigate the risk.”
SquareX also showed a demo in which the researchers spoofed a legitimate extension, sideloaded it into the browser, and through it injected a script into the perplexity.ai page. This invoked the Agentic extension which, ultimately, used MCP to execute WannaCry.
“While the demonstration leveraged extension stomping, other techniques such as XSS, MitM network attacks that exploit the perplexity.ai or the embedded extensions can also lead to the same result.”
We have reached out to Perplexity about these findings and will update the article when we hear back.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
