Browser safety agency SquareX claims to have discovered a doubtlessly crucial vulnerability in Perplexity’s Comet AI browser. Perplexity has taken steps to dam the assault, however has strongly disputed the findings.
SquareX’s controversial analysis is centered round a limited-documentation Mannequin Context Protocol (MCP) API and two hidden Analytics and Agentic extensions which can be utilized by Comet and can’t be disabled.
MCP is usually used to attach AI functions to exterior information sources and instruments. SquareX discovered that the Agentic extension is designed for executing all of Comet’s agentic automation capabilities, whereas the Analytics extension is designed for amassing and processing browser information and monitoring the actions of the Agentic extension.
SquareX found that each extensions can solely talk with ‘perplexity.ai’ subdomains and the entry of the API is restricted to those subdomains.
Nonetheless, based on SquareX, if an attacker can achieve entry to the ‘perplexity.ai’ area or compromise the agentic extension, they will abuse the MCP API to execute instructions on the host gadget with out requesting the person’s permission. This allows the attacker to take management of the sufferer’s gadget and execute ransomware, monitor person exercise, or exfiltrate information, SquareX warned.
The browser safety agency has admitted that to launch an assault, a menace actor would want to hijack an extension by an XSS or MitM community assault, or achieve entry to Perplexity methods to compromise the extension.
In an assault demonstration, SquareX researchers used a way referred to as ‘extension stomping’, which includes making a malicious extension that impersonates the respectable Comet analytics extension and sideloading it. They confirmed how the assault can be utilized to deploy ransomware.
SquareX mentioned it reported its findings to Perplexity on November 4, nevertheless it had not obtained any response by the point of disclosure. Commercial. Scroll to proceed studying.
Contacted by SecurityWeek, Perplexity mentioned it did implement some measures to forestall the assault methodology described by SquareX out of an abundance of warning, however described it as “pretend safety analysis”.
“This complete state of affairs is contrived and doesn’t characterize any precise expertise safety threat,” defined a Perplexity spokesperson. “If it’s a threat in any respect, it’s a threat of people being phished and satisfied to manually load malware, however even they admit that’s unrealistic and it must be a Perplexity worker with manufacturing entry who modifications the present extension for a nasty one.”
Perplexity identified that SquareX’s video demonstration reveals the assault requiring important human intervention.
The browser vendor has additionally disputed claims that Comet doesn’t explicitly get hold of person consent for native system actions. The corporate contends that customers should conform to putting in native MCPs, and any subsequent command from the MCP requires person affirmation.
Perplexity mentioned it’s not conscious of any assaults geared toward Comet customers and identified that it does work with safety researchers to proactively determine and patch potential vulnerabilities. Nonetheless, the corporate mentioned that whereas SquareX did attain out, its bug report couldn’t be accessed, and the safety agency didn’t reply to requests for entry to the vulnerability info.
In response to Perplexity’s feedback, SquareX identified that whereas the extension stomping approach it utilized in its demonstration does require person interplay, its level was to reveal the permissions and inherent threat of the MCP API. The corporate famous that different assault vectors, corresponding to provide chain compromise, XSS, or MitM assaults, would require much less person interplay.
SquareX additionally mentioned that in its experiments its researchers had been by no means prompted for permission and that the ransomware was instantly executed after the Comet browser was reopened.
SquareX famous that Perplexity’s patch is “good news from a safety perspective and we’re glad that our analysis might contribute to creating the AI Browser safer”.
Associated: Hackers Goal Perplexity Comet Browser Customers
Associated: LayerX Raises $11 Million for Browser Safety Answer
Associated: AI Sidebar Spoofing Places ChatGPT Atlas, Perplexity Comet and Different Browsers at Threat
