- SquareX accused Perplexity’s Comet browser of exposing a hidden MCP API that could enable local command execution.
- Perplexity dismissed these claims as “completely false”, noting that the API requires developer mode, user consent and manual loading.
- SquareX responded by saying that Comet was quietly updated after the proof of concept and that third-party researchers had replicated the attack.
Cybersecurity firm SquareX recently accused Perplexity of hiding a serious vulnerability in its Comet AI browser. The latter responded by saying the investigative report was “completely false” and part of a growing problem of “false security investigations”.
SquareX said it had found a hidden API in the Comet browser that can run local commands. This API, called the MCP API, allows native extensions to execute arbitrary local commands on users’ devices, functionality that traditional browsers explicitly prohibit.
SquareX said it had found the API in the Agentic extension, which can be activated through the perplexity.ai website, meaning anyone who logs into the Perplexity website will have access to all users’ devices.
Perplexity’s response
Kabilan Sakthivel, a researcher at SquareX, said failure to adhere to strict industry security controls “signals the end of decades of browser security principles established by vendors such as Chrome, Safari and Firefox.”
Perplexity, for its part, said that exploiting the issue requires a human, not Comet Assistant, and that developer mode must be enabled.
“To reproduce it, the human user has to enable developer mode and manually upload malware to Comet,” Dwyer said.
Perplexity also called it “categorically false” that Comet accesses the local system without explicit user permission.
“When we install local MCPs, we need user permissions: users are the ones who configure and call the MCP API. They specify exactly which command to run,” Dwyer wrote. “All additional MCP commands (e.g. calling an AI tool) also require user confirmation.”
Furthermore, Perplexity claims that what SquareX describes as a “hidden API” is actually “simply how the Comet MCP can be run locally,” which requires the user’s permission first.
“This is the second time SquareX has submitted a false security investigation. The first, as we also proved, was false,” he said.
Dwyer also alleges that SquareX failed to file a required report. “Instead, they sent a link to a Google Doc with no context or access. We told them we couldn’t open Google Docs, requested access to Google Docs, and never got a response or access to the documents.”
SquareX also responds
But SquareX isn’t giving up either.
The company also said it discovered that Perplexity had made a “silent update” to Comet, after which the same PoC now returns “Local MCP is not enabled.”
According to SquareX, three third-party researchers replicated the attack, and Perplexity fixed it a few hours ago.
“From a security perspective, this is great news and we’re excited that our research can help make the AI browser more secure,” SquareX concluded, adding that it had not received a response from Perplexity to its VDP request.
