Palo Alto, California, November nineteenth, 2025, CyberNewsWire
SquareX launched essential analysis exposing a hidden API in Comet that enables extensions within the AI Browser to execute native instructions and acquire full management over customers’ gadgets.
The analysis reveals that Comet has carried out a MCP API (chrome.perplexity.mcp.addStdioServer) that enables its embedded extensions to execute arbitrary native instructions on customers’ gadgets, capabilities that conventional browsers explicitly prohibit.
Concerningly, there’s restricted official documentation on the MCP API.
Present documentation solely covers the intent of the function, with out disclosing that Comet’s embedded extensions have persistent entry to the API and the power to launch native apps arbitrarily with out consumer permission, creating a large breach of consumer belief and transparency.
“For many years, browser distributors have adhered to strict safety controls that forestall browsers, and particularly extensions, from straight controlling the underlying system,” explains Kabilan Sakthivel, Researcher at SquareX.
“Conventional browsers require native messaging APIs with express registry entries and consumer consent for any native system entry. Of their ambition to make the browser extra highly effective, Comet has bypassed all of those safeguards with a hidden API that the majority customers don’t even know exists. This erosion of consumer belief essentially reverses the clock on a long time of browser safety ideas established by distributors like Chrome, Safari, and Firefox.”
Presently, the API is discovered within the Agentic extension, and it may be triggered by the perplexity.ai web page, making a covert channel for Comet to entry native knowledge and launch arbitrary instructions/apps with none consumer management.
Whereas there isn’t a proof that Perplexity is at present misusing the MCP API, the query will not be if however when Perplexity might be compromised.
A single XSS vulnerability, a profitable phishing assault towards a Perplexity worker, or an insider menace would immediately grant attackers unprecedented management by way of the browser over each Comet consumer’s system.
This creates catastrophic third-party danger the place customers have resigned their system safety to Perplexity’s safety posture, with no straightforward technique to assess or mitigate the danger.
In SquareX’s assault demo, the analysis workforce used extension stomping to disguise a malicious extension because the embedded Analytics Extension by spoofing its extension ID.
As soon as sideloaded, the malicious Analytics Extension injects a script into the perplexity.ai web page, which in flip invokes the Agentic Extension which lastly makes use of the MCP to execute WannaCry on the sufferer’s system.
Whereas the demonstration leveraged extension stomping, different methods equivalent to XSS, MitM community assaults that exploits the perplexity.ai or the embedded extensions can even result in the identical consequence.
Extra worryingly, as each extensions are essential to Comet’s agentic performance, Perplexity has hidden them from Comet extension dashboard, stopping customers from disabling them even when they’re compromised.
These embedded extensions turn into a “hidden IT” that safety groups nor customers have zero visibility over. Moreover, because of the lack of documentation, there isn’t a technique to know whether or not or when Comet would possibly broaden entry to different “trusted” websites.
Whereas different AI Browsers even have embedded extensions, we now have solely discovered the MCP API in Comet for now. We now have disclosed the assault to Perplexity, however haven’t heard a response.
Much like the OS and search engine, proudly owning the platform the place the vast majority of trendy work happens has at all times been the grand ambition for a lot of tech corporations. With AI, there’s now the chance to make browsers extra highly effective than ever earlier than.
But, within the race to win the subsequent browser warfare, many AI Browser corporations are delivery options so shortly that it has come at the price of correct documentation and safety measures.
The MCP API exploits function an early warning to the third-party dangers that poor implementation of AI Browsers can expose customers to.
“The early implementation of system management APIs in AI browsers is extraordinarily harmful,” Vivek Ramachandran, Founding father of SquareX emphasizes.
“We’re primarily seeing browser distributors grant themselves, and doubtlessly third events, the type of system-level entry that may require express consumer consent and safety overview in any conventional browser. Customers should know when software program has this degree of management over their gadgets.”
With out demand for accountability from customers and the safety group, different AI browsers will race to implement comparable, or extra invasive, capabilities to stay aggressive.
SquareX is asking on AI browser distributors to mandate disclosure for all APIs, bear third-party safety audits, and supply customers with controls to disable embedded extensions. This isn’t nearly one API in a single browser.
If the {industry} doesn’t set up boundaries now, we’re setting a precedent the place AI browsers can bypass a long time of safety ideas underneath the banner of innovation.
Demo Video:
For extra data, customers can seek advice from the technical weblog.
About SquareX
SquareX‘s browser extension turns any browser on any system into an enterprise-grade safe browser, together with AI Browsers.
SquareX’s industry-first Browser Detection and Response (BDR) answer empowers organizations to proactively defend towards browser-native threats together with rogue AI brokers, Final Mile Reassembly Assaults, malicious extensions and identification assaults.
In contrast to devoted enterprise browsers, SquareX seamlessly integrates with customers’ present client browsers, delivering safety with out compromising consumer expertise. Customers can discover out extra about SquareX’s research-led innovation at www.sqrx.com.
Contact
Head of PR
Junice Liew
SquareX
[email protected]
