- SquareX accused Perplexity’s Comet browser of exposing a hidden MCP API that could enable local command execution
- Perplexity dismissed the claims as “completely false”, stressing that the API requires developer mode, user consent and manual sideloading
- SquareX countered, saying that Comet was quietly updated after its proof-of-concept and that outside researchers replicated the attack
Cybersecurity firm SquareX recently accused Perplexity of harboring a major vulnerability in its AI browser, Comet – the latter has now responded, saying the research report is “completely wrong” and part of a growing “false security research” problem.
SquareX had said it found a hidden API in the Comet browser capable of executing local commands. This API, called the MCP API, allows Comet’s embedded extensions to execute arbitrary local commands on users’ devices, something traditional browsers explicitly prohibit.
SquareX said it found the API in the Agentic extension that can be triggered by the perplexity.ai site, meaning that if someone were to break into the Perplexity site, they would have access to all of its users’ devices.
Perplexity’s answer
For Kabilan Sakthivel, a researcher at SquareX, failing to adhere to the strict security controls the industry has evolved “turns the clock on decades of browser security principles established by vendors like Chrome, Safari and Firefox.”
But Perplexity begs to differ, noting in a written response sent to TechRadar Pro by spokesperson Jesse Dwyer that the report is “completely false.”
The company added that the vulnerability requires a human to do the work, not Comet Assistant, and it requires developer mode to be turned on.
“To replicate this, the human user must enable developer mode and manually sideload malware into Comet,” it said.
Perplexity also said that Comet not explicitly obtaining user consent for any local system access is “categorically false”.
“When we deploy local MCPs, we require user consent—it’s users who set it up and call the MCP API. They specify exactly what command to run,” Dwyer wrote. “Any further commands from the MCP (e.g. AI tool calls) also require user confirmation.”
Furthermore, Perplexity says that what SquareX describes as a “hidden API” is actually “simply how Comet can run MCPs locally,” with permission and user consent obtained first.
“This is the second time SquareX has presented fake security research. The first one we also proved was fake,” he stressed.
Dwyer also claims that SquareX did not submit a report as it claims. “Instead, they sent a link to a Google doc with no context and no access. We informed them we couldn’t open the Google docs, requested access to the Google docs, and never heard back or got access to the documents.”
SquareX is also firing back
But SquareX isn’t backing down either.
The company also said it saw Perplexity make a “silent update” to Comet where the same POC will now return “Local MCP is not enabled”.
It claims to have had three outside researchers replicate the attack and that Perplexity fixed it a few hours ago.
“This is excellent news from a security perspective, and we’re happy that our research could help make the AI browser more secure,” SquareX concluded, adding that it didn’t hear back from Perplexity about its VDP submission.