Potential Security Risk Identified in Perplexity’s Comet AI Browser

Browser security firm SquareX has published new research claiming to uncover a potentially serious security weakness in Perplexity’s Comet AI browser. While Perplexity disputes the findings, it has implemented precautionary defenses while denying that the reported issue represents a meaningful real-world threat.
Overview of the Reported Vulnerability
SquareX’s analysis focuses on the Model Context Protocol (MCP) — a protocol used to connect AI tools with external data and system resources.
According to SquareX, Comet contains two built-in, non-disableable extensions:
Agentic Extension – executes Comet’s automation and system-interaction capabilities
Analytics Extension – collects browser telemetry and monitors agentic actions
Both extensions communicate exclusively with Perplexity-owned subdomains, and the MCP API only accepts requests from these domains.
SquareX argues that if an attacker compromised the perplexity.ai domain or hijacked one of these extensions, they could potentially use MCP to execute unauthorized commands on a user’s local machine.
The firm claims these commands could theoretically enable:
Remote code execution
Ransomware deployment
Data exfiltration
System monitoring
SquareX’s Demonstrated Attack Scenario
To illustrate the risk, SquareX used an experimental technique known as extension stomping.
This involves:
Creating a malicious extension spoofing the legitimate Comet analytics extension
Manually sideloading it
Using it to issue MCP commands
In their demo, the malicious extension executed a ransomware payload when the browser reopened.
However, SquareX acknowledges that this method requires significant user interaction and would typically not occur without phishing or a compromised supply chain.
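A defender can look for the sideloading step described above by checking where each built-in extension ID is loaded from. The following is an added example, not code from SquareX or Perplexity. It assumes Comet records extension state in the Chromium profile preferences format and ships its built-ins as component extensions; the extension IDs, sample data and the function name find_stomped are placeholders constructed for illustration.

```python
import json

# Chromium ManifestLocation values as stored in a profile's extension settings.
LOCATIONS = {1: "internal", 4: "unpacked", 5: "component",
             8: "command_line", 10: "external_component"}
# Assumption: a browser-shipped extension is only expected from these locations.
TRUSTED_BUILTIN = {5, 10}

# Placeholder IDs (constructed): substitute the real IDs of the built-in
# extensions, taken from a known-clean install of the browser.
BUILTIN_IDS = {
    "a" * 32: "agentic extension",
    "b" * 32: "analytics extension",
}

def find_stomped(prefs, builtin_ids=BUILTIN_IDS):
    """Return findings for built-in IDs that load from an untrusted location."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, label in builtin_ids.items():
        entry = settings.get(ext_id)
        if entry is None:
            continue  # this ID is not recorded in the profile
        loc = entry.get("location")
        if loc not in TRUSTED_BUILTIN:
            findings.append({
                "id": ext_id,
                "builtin": label,
                "location": LOCATIONS.get(loc, f"unknown({loc})"),
                "path": entry.get("path", ""),
            })
    return findings

# Constructed sample of a profile's extension settings (not real Comet data).
SAMPLE_PREFS = json.loads("""
{"extensions": {"settings": {
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 5, "path": "agentic"},
  "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 4,
                                       "path": "/home/user/Downloads/analytics"},
  "cccccccccccccccccccccccccccccccc": {"location": 1, "path": "cccc/1.0_0"}
}}}
""")

if __name__ == "__main__":
    for f in find_stomped(SAMPLE_PREFS):
        print(f"ALERT {f['builtin']} ({f['id']}) "
              f"loaded as {f['location']} from {f['path']}")
```

On the constructed sample, only the analytics ID is reported, because it is recorded as an unpacked (manually loaded) extension rather than a component.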
Perplexity’s Response
Perplexity strongly rejected SquareX’s conclusions, categorizing the scenario as "fake security research" and emphasizing that:
The demonstrated attack depends on a user manually installing malware
Comet does obtain user consent for local action through MCP confirmations
The exploit requires unrealistic levels of insider access or user participation
Perplexity did, however, deploy additional safeguards “out of an abundance of caution.”
The company also said:
It received SquareX’s outreach but could not access the provided bug report
SquareX did not reply to Perplexity’s follow-up requests
No evidence suggests real-world exploitation
SquareX’s Follow-Up Statement
SquareX maintains that its research highlights broader risks associated with MCP permissions, not just the demonstrated attack.
It argues that other vectors — such as supply chain compromise, XSS injections, or MitM attacks — could exploit the same underlying permissions with less user interaction.
The company also claims that during testing:
No permission prompts appeared
The ransomware executed immediately upon reopening Comet
Despite the public disagreement, SquareX acknowledged that Perplexity’s new security measures are “excellent news” and improve the browser’s overall security posture.

