Browser security firm SquareX claims to have found a potentially critical vulnerability in Perplexity’s Comet AI browser. Perplexity has taken steps to block the attack, but has strongly disputed the findings.
SquareX’s controversial research is centered around a sparsely documented Model Context Protocol (MCP) API and two hidden extensions, Analytics and Agentic, that are used by Comet and cannot be disabled.
MCP is typically used to connect AI applications to external data sources and tools. SquareX found that the Agentic extension is designed for executing all of Comet’s agentic automation capabilities, while the Analytics extension is designed for collecting and processing browser data and monitoring the actions of the Agentic extension.
SquareX discovered that both extensions can only communicate with ‘perplexity.ai’ subdomains and that access to the API is limited to these subdomains.
However, according to SquareX, if an attacker can gain access to the ‘perplexity.ai’ domain or compromise the Agentic extension, they can abuse the MCP API to execute commands on the host device without requesting the user’s permission. This enables the attacker to take control of the victim’s device and execute ransomware, monitor user activity, or exfiltrate data, SquareX warned.
The browser security firm has admitted that to launch an attack, a threat actor would need to hijack an extension through an XSS or MitM network attack, or gain access to Perplexity systems to compromise the extension.
In an attack demonstration, SquareX researchers used a technique called ‘extension stomping’, which involves creating a malicious extension that impersonates the legitimate Comet Analytics extension and sideloading it. They showed how the attack can be used to deploy ransomware.
SquareX said it reported its findings to Perplexity on November 4, but it had not received any response by the time of disclosure.
Contacted by SecurityWeek, Perplexity said it did implement some measures to prevent the attack method described by SquareX out of an abundance of caution, but described it as “fake security research”.
“This entire scenario is contrived and doesn’t represent any actual technology security risk,” explained a Perplexity spokesperson. “If it is a risk at all, it is a risk of humans being phished and convinced to manually load malware, but even they admit that’s unrealistic and it would have to be a Perplexity employee with production access who changes the existing extension for a bad one.”
Perplexity pointed out that SquareX’s video demonstration shows the attack requiring significant human intervention.
The browser vendor has also disputed claims that Comet does not explicitly obtain user consent for local system actions. The company contends that users must agree to installing local MCPs, and any subsequent command from the MCP requires user confirmation.
Perplexity said it’s not aware of any attacks aimed at Comet users and pointed out that it does work with security researchers to proactively identify and patch potential vulnerabilities. However, the company said that while SquareX did reach out, its bug report could not be accessed, and the security firm did not respond to requests for access to the vulnerability information.
In response to Perplexity’s comments, SquareX pointed out that while the extension stomping technique it used in its demonstration does require user interaction, its point was to demonstrate the permissions and inherent risk of the MCP API. The company noted that other attack vectors, such as supply chain compromise, XSS, or MitM attacks, would require less user interaction.
SquareX also said that during its experiments its researchers were never prompted for permission and that the ransomware was immediately executed after the Comet browser was reopened.
SquareX noted that Perplexity’s patch is “excellent news from a security perspective and we are glad that our research could contribute to making the AI Browser safer”.

