New research out today from browser security company SquareX Ltd. is warning of a hidden application programming interface in Perplexity AI Inc.’s Comet browser that allows extensions in the artificial intelligence browser to execute local commands and gain full control over users’ devices.

The problem arises due to Comet having a Model Context Protocol API that allows its embedded extensions to execute arbitrary local commands on users’ devices, capabilities that traditional browsers explicitly prohibit.

Added to the mix is that there is limited official documentation on the MCP API and that the documentation that does exist only covers the intent of the feature. The documentation does not disclose that Comet’s embedded extensions have persistent access to the API and the ability to launch local apps arbitrarily without user permission, creating what SquareX calls a massive breach of user trust and transparency.

“For decades, browser vendors have adhered to strict security controls that prevent browsers, and especially extensions, from directly controlling the underlying device,” explains Kabilan Sakthivel, a researcher at SquareX. “Traditional browsers require native messaging APIs with explicit registry entries and user consent for any local system access.”

Sakthivel added that “in their ambition to make the browser more powerful, Comet has bypassed all of these safeguards with a hidden API that most users don’t even know exists. This erosion of user trust fundamentally reverses the clock on decades of browser security principles established by vendors like Chrome, Safari and Firefox.”

The API is found in Comet’s Agentic extension and can be triggered by the Perplexity webpage to create a covert channel for Comet to access local data and launch arbitrary commands/apps without any user control.

Though SquareX does note that there is no evidence that Perplexity is misusing the MCP API, the issue is that others could. A single cross-site scripting vulnerability, a successful phishing attack against a Perplexity employee, or an insider threat would instantly grant attackers unprecedented control via the browser over every Comet user’s device.

SquareX describes the potential of exploitation as a “catastrophic third-party risk” where users have resigned their device security to Perplexity’s security posture, with no easy way to assess or mitigate the risk.

The company has put together an attack demo where its research team used extension stomping to disguise a malicious extension as the embedded Analytics Extension by spoofing its extension ID.

Once sideloaded, the malicious Analytics Extension injects a script into the Perplexity webpage, which in turn invokes the Agentic Extension, which finally uses the MCP to execute WannaCry ransomware on the victim’s device.

The demo uses so-called leveraged extension stomping — meaning evasion techniques attackers use to hide their activities. But SquareX notes that other techniques such as XSS, man-in-the-middle network attacks that exploit Perplexity’s webpage, or the embedded extensions can also lead to the same result.

The extensions were also hidden from the Comet extension dashboard preventing users from disabling them even if they are compromised, becoming “hidden IT” that neither security teams nor users have visibility over.

Perplexity was approached by SquareX before the research was released but had declined to comment.

SquareX says the MCP API exploit serves as an early warning to the third-party risks that poor implementation of AI browsers can expose users to.

“The early implementation of device control APIs in AI browsers is extremely dangerous,” said SquareX ounder Vivek Ramachandran. “We’re essentially seeing browser vendors grant themselves and potentially third parties the kind of system-level access that would require explicit user consent and security review in any traditional browser. Users deserve to know when software has this level of control over their devices.”

Image: SquareX