Cybersecurity researchers at SquareX uncovered a critical **vulnerability** in **Comet**, Perplexity’s AI-powered browser, tied to a hidden **MCP API** (chrome.perplexity.mcp.addStdioServer) within the **Agentic extension**. This API allows arbitrary local command execution on users' devices, a capability explicitly banned in traditional browsers like Chrome or Firefox. The flaw stems from weak security controls, exposing users to **full device takeover** if attackers compromise **perplexity.ai** via methods like **XSS, phishing, or insider threats**. SquareX demonstrated the risk by sideloading a malicious extension that spoofed a legitimate one, injecting a script into perplexity.ai, and leveraging the MCP API to execute **WannaCry ransomware**. The vulnerability creates a **catastrophic third-party risk**: users’ security depends entirely on Perplexity’s defenses, and users have no mitigation options. The researchers warned that exploitation is inevitable, given the browser’s deviation from decades of established security principles. A single breach of Perplexity’s infrastructure could grant attackers **unprecedented control** over all Comet users’ devices, enabling large-scale malware deployment, data theft, or system hijacking.
Perplexity cybersecurity rating report: https://www.rankiteo.com/company/perplexity-ai
"id": "PER2362223112125",
"linkid": "perplexity-ai",
"type": "Vulnerability",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'All Comet Browser Users',
'industry': 'AI/Technology (Browser Development)',
'name': 'Perplexity AI',
'type': 'Organization'}],
'attack_vector': ['Malicious Extension (Extension Stomping)',
'Cross-Site Scripting (XSS)',
'Man-in-the-Middle (MitM) Attack',
'Phishing (Perplexity Employee Targeting)',
'Insider Threat'],
'description': 'SquareX discovered a major vulnerability in Comet, the AI '
'browser built by Perplexity, which could allow threat actors '
'to take over a victim’s device entirely. The browser contains '
'a hidden API (named MCP API: '
'chrome.perplexity.mcp.addStdioServer) capable of executing '
'arbitrary local commands on users’ devices—a capability '
'explicitly prohibited by traditional browsers. The '
'vulnerability resides in the Agentic extension, which can be '
'triggered via the perplexity.ai site. A compromise of '
'Perplexity’s site (e.g., via XSS, phishing, or insider '
"threat) could grant attackers control over all Comet users' "
'devices. SquareX demonstrated this by spoofing a legitimate '
'extension, sideloading it, and executing WannaCry via the MCP '
'API. Researchers warn of catastrophic third-party risk due to '
"users' reliance on Perplexity's security posture.",
'impact': {'brand_reputation_impact': 'High (Catastrophic third-party risk '
'exposure, reversal of browser security '
'principles)',
'operational_impact': 'Full device takeover risk for all Comet '
'users via Perplexity site compromise',
'systems_affected': ['Comet Browser (All User Devices)',
'Underlying Operating Systems']},
'initial_access_broker': {'backdoors_established': 'MCP API '
'(chrome.perplexity.mcp.addStdioServer)',
'entry_point': ['Compromised perplexity.ai site',
'Malicious Extension (Agentic)',
'XSS/Phishing/Insider Threat'],
'high_value_targets': "All Comet Browser Users' "
'Devices'},
'investigation_status': 'Ongoing (Pending Response from Perplexity)',
'lessons_learned': 'Adherence to established browser security principles '
'(e.g., Chrome, Safari, Firefox) is critical to prevent '
'arbitrary command execution. Third-party dependencies '
'(e.g., perplexity.ai site) can introduce catastrophic '
'risks if compromised. Custom APIs with elevated '
'privileges must undergo rigorous security reviews.',
'post_incident_analysis': {'root_causes': ['Lack of adherence to browser '
'security principles (e.g., '
'prohibiting arbitrary command '
'execution).',
'Overprivileged custom API (MCP) '
'in Agentic extension.',
'Third-party risk concentration '
'(single point of failure via '
'perplexity.ai).',
'Insufficient extension '
'sandboxing.']},
'ransomware': {'ransomware_strain': 'WannaCry (Demo Only)'},
'recommendations': ['Disable or remove the MCP API in Comet Browser '
'immediately.',
'Implement strict sandboxing for extensions to prevent '
'arbitrary command execution.',
'Conduct third-party security audits for perplexity.ai '
'and embedded extensions.',
'Enforce multi-factor authentication (MFA) for Perplexity '
'employees to mitigate phishing risks.',
'Monitor for extension stomping, XSS, and MitM attacks '
'targeting the Agentic extension.',
'Provide users with transparency tools to assess and '
'mitigate third-party risks.'],
'references': [{'source': 'TechRadar',
'url': 'https://www.techradar.com/news/squarex-discovered-hidden-mcp-api-in-comet-browser-enabling-arbitrary-local-command-execution'}],
'response': {'communication_strategy': ['Media Outreach (TechRadar)',
'Pending Response from Perplexity'],
'third_party_assistance': ['SquareX (Research/Disclosure)']},
'title': 'Hidden MCP API in Comet Browser Enabling Arbitrary Local Command '
'Execution',
'type': ['Vulnerability Exploitation',
'Arbitrary Code Execution',
'Third-Party Risk'],
'vulnerability_exploited': 'Hidden MCP API '
'(chrome.perplexity.mcp.addStdioServer) in Agentic '
'Extension (Arbitrary Local Command Execution)'}