Perplexity (Comet AI-powered browser)

SquareX researchers discovered a critical vulnerability in **Comet**, Perplexity’s AI-powered agentic browser: two hidden built-in extensions (**Comet Analytics** and **Comet Agentic**) use the **MCP API** to execute arbitrary commands on a user’s device. The API is accessible from Perplexity’s subdomains, so attackers could hijack it through **XSS, MitM, or extension stomping** (spoofing the Analytics Extension’s manifest key) to deploy **ransomware**, exfiltrate data, or install malware. Perplexity silently patched the issue by disabling the MCP API after public disclosure, but the lack of transparency and of user control over these extensions poses ongoing risks. The flaw highlights how AI browsers that bypass traditional sandboxing expand the attack surface by granting deep system access, potentially enabling full device takeover if exploited. Researchers warn that this sets a dangerous precedent for AI-driven software that prioritizes innovation over security boundaries.

Source: https://www.helpnetsecurity.com/2025/11/20/perplexity-comet-browser-security-mcp-api/

Perplexity cybersecurity rating report: https://www.rankiteo.com/company/perplexity-ai

{
  "id": "PER2892328112025",
  "linkid": "perplexity-ai",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}

{'affected_entities': [{'customers_affected': 'All Comet Browser users (exact '
                                              'number undisclosed)',
                        'industry': 'AI/Software',
                        'name': 'Perplexity AI (Comet Browser)',
                        'type': 'Technology Company'}],
 'attack_vector': ['Cross-Site Scripting (XSS)',
                   'Man-in-the-Middle (MitM)',
                   'Extension Stomping (Manifest Key Spoofing)',
                   'Domain Compromise (perplexity.ai subdomains)'],
 'data_breach': {'data_exfiltration': 'Potential (demonstrated in attack '
                                      'scenario)',
                 'personally_identifiable_information': 'Potential (if '
                                                        'attackers leverage '
                                                        'API to access local '
                                                        'files)',
                 'sensitivity_of_data': 'High (local device access)',
                 'type_of_data_compromised': ['Local system files',
                                              'Potential PII (if '
                                              'exfiltrated)']},
 'date_detected': '2025-11-04',
 'date_publicly_disclosed': '2025-11-19',
 'date_resolved': '2025-11-19',
 'description': 'SquareX researchers discovered a critical security flaw in '
                "Comet, Perplexity's AI-powered agentic browser. The browser's "
                'hidden built-in extensions (Comet Analytics and Comet '
                'Agentic) leverage the MCP API '
                '(chrome.perplexity.mcp.addStdioServer) to execute arbitrary '
                'commands on the host machine. Attackers exploiting this via '
                'XSS, MitM, or extension stomping could install malware, '
                'exfiltrate data, or deploy ransomware. The MCP API was '
                'silently disabled in a post-disclosure update, but concerns '
                'remain about transparency and potential reactivation.',
 'impact': {'brand_reputation_impact': 'High (security community scrutiny; '
                                       'concerns over transparency and user '
                                       'consent)',
            'data_compromised': ['Local files',
                                 'System data',
                                 'User activity logs (potential)'],
            'identity_theft_risk': 'High (if attackers exfiltrate local '
                                   'files/PII)',
            'operational_impact': 'Potential loss of user trust; silent patch '
                                  'may affect undisclosed agentic workflows '
                                  'relying on MCP API',
            'systems_affected': ['Comet Browser (AI-powered agentic browser by '
                                 'Perplexity)']},
 'initial_access_broker': {'backdoors_established': 'Potential (via MCP API '
                                                    'persistence)',
                           'entry_point': ['Comet Analytics/Comet Agentic '
                                           'extensions (hidden)',
                                           'perplexity.ai subdomains'],
                           'high_value_targets': ['Local system files',
                                                  'User credentials',
                                                  'Installed applications']},
 'investigation_status': 'Partially Resolved (MCP API disabled; long-term '
                         'fixes pending)',
 'lessons_learned': ['AI browsers break traditional sandboxing models, '
                     'increasing attack surface.',
                     'Hidden extensions with privileged APIs pose transparency '
                     'risks.',
                     'Silent patches without disclosure erode user trust.',
                     'Industry needs boundaries for AI browser capabilities to '
                     'avoid bypassing security principles.'],
 'post_incident_analysis': {'corrective_actions': ['Disabled MCP API '
                                                   '(temporary fix)',
                                                   'Expected: Public '
                                                   'documentation of API usage '
                                                   'and risks',
                                                   'Expected: User-facing '
                                                   'controls for privileged '
                                                   'extensions'],
                            'root_causes': ['Lack of extension '
                                            'visibility/control for users',
                                            'Overprivileged hidden extensions '
                                            'with system-level access',
                                            'Insufficient API documentation '
                                            'and use-case justification',
                                            'Silent updates without '
                                            'transparency']},
 'ransomware': {'data_encryption': 'Demonstrated in hypothetical attack '
                                   '(malicious extension invoking MCP API to '
                                   'execute ransomware)',
                'data_exfiltration': 'Potential (as part of ransomware attack '
                                     'chain)'},
 'recommendations': ['Disable local MCP API permanently or restrict to minimal '
                     'necessary functionality.',
                     'Inform users about privileged extensions and provide '
                     'opt-out mechanisms.',
                     'Document all high-risk APIs and their intended use '
                     'cases.',
                     'Implement public vulnerability disclosure processes.',
                     'Conduct third-party security audits for AI-powered '
                     'browsers.'],
 'references': [{'date_accessed': '2025-11-19',
                 'source': 'Help Net Security',
                 'url': 'https://www.helpnetsecurity.com/'},
                {'date_accessed': '2025-11-19',
                 'source': 'SquareX Research Report'}],
 'response': {'communication_strategy': 'Limited (no public documentation of '
                                        'patch; researchers notified on '
                                        '2025-11-04, no response until '
                                        'post-publication)',
              'containment_measures': ['Disabled MCP API via silent update'],
              'incident_response_plan_activated': 'Yes (silent patch deployed '
                                                  'post-disclosure)',
              'third_party_assistance': ['SquareX (research/disclosure)']},
 'title': 'Comet Browser MCP API Vulnerability Exposes Users to Arbitrary '
          'Command Execution',
 'type': ['Vulnerability', 'Privilege Escalation', 'Arbitrary Code Execution'],
 'vulnerability_exploited': 'MCP API (chrome.perplexity.mcp.addStdioServer) in '
                            'hidden Comet extensions (Comet Analytics/Comet '
                            'Agentic)'}