- SquareX discovered hidden MCP API in the Comet browser that enabled arbitrary local command execution
- Vulnerability in Agentic extension could let attackers hijack devices via compromised perplexity.ai site
- The demo showed WannaCry execution; researchers warn that catastrophic third-party risk is inevitable
Cyber security experts at SquareX claim to have found a major vulnerability in Comet, the AI browser built by Perplexity, which could let threat actors take over the victim’s device completely.
SquareX found that the browser has a hidden API capable of executing local commands (commands on the underlying operating system, as opposed to just the browser).
This API, which the researchers named the MCP API (chrome.perplexity.mcp.addStdioServer), appears to be a custom implementation of a more general “Model Context Protocol,” and “allows its embedded extensions to execute arbitrary local commands on users’ devices, features that traditional browsers explicitly prohibit.”
Just a matter of time
For Kabilan Sakthivel, a researcher at SquareX, failing to adhere to the strict security controls the industry has developed over time “turns the clock on decades of browser security principles established by vendors like Chrome, Safari and Firefox.”
SquareX says it found the API in the Agentic extension, which can be triggered by the site perplexity.ai. This means that if someone were to break into the Perplexity website, they would have access to all of its users’ devices.
For the researchers, it is not a question of ‘if’ but ‘when’.
“A single XSS vulnerability, a successful phishing attack against a Perplexity employee, or an insider threat would instantly give attackers unprecedented control via the browser of every Comet user’s device,” their report notes.
“This creates a catastrophic third-party risk where users have surrendered their device security to Perplexity’s security posture, with no easy way to assess or mitigate the risk.”
SquareX also showed a demo where the researchers faked a legitimate extension, sideloaded it into the browser and through it injected a script into the perplexity.ai page. This invoked the Agentic extension, which ultimately used MCP to execute WannaCry.
“While the demonstration exploited extension stamping, other techniques such as XSS, MitM network attacks exploiting perplexity.ai or the embedded extensions can also lead to the same result.”
We’ve contacted Perplexity about these findings and will update the article when we hear back.



