In a revelation that’s likely to ignite the next major security debate in the AI browser race, cybersecurity firm SquareX has exposed a powerful, undocumented API inside the Comet browser (Perplexity’s AI browser) that allows embedded extensions to run arbitrary local commands—effectively granting full device control.
This API, part of the Model Context Protocol (MCP) ecosystem, isn’t just rare—it’s fundamentally at odds with decades of browser security standards upheld by Chrome, Firefox, Safari, Edge, and every modern browser that treats local system access as radioactive without explicit user consent.
According to SquareX’s research team, Comet’s hidden API—chrome.perplexity.mcp.addStdioServer—provides the exact sort of unrestricted local execution that browsers have historically banned.
And most Comet users have absolutely no idea it exists.
“In their ambition to make the browser more powerful, Comet has bypassed safeguards that have existed for decades,” said Kabilan Sakthivel, Researcher at SquareX.
“This reverses years of security principles designed to protect users from exactly this type of local command execution.”
A Browser API With OS-Level Powers—But Zero Transparency
SquareX found that the MCP API:
- lives inside Comet’s internal Agentic extension
- can be triggered directly by the perplexity.ai webpage
- allows embedded extensions to launch apps, execute commands, and access local data
- is not documented, not disclosed, and not user-controllable
This creates a covert, persistent channel from the webpage to a locally privileged extension.
SquareX emphasizes that there is no evidence Perplexity is currently abusing the API—but that’s beside the point. The attack surface is immense. All it would take is:
- one XSS bug on perplexity.ai
- one hijacked employee account
- one malicious update
- one insider threat
And attackers would gain fully privileged command execution through a browser tab.
That’s not hypothetical risk—that’s a catastrophic single point of failure affecting every Comet user.
SquareX’s Demo: From Browser Tab to WannaCry in Seconds
To demonstrate the severity, SquareX performed an attack using extension stomping, disguising a malicious extension as Comet’s embedded Analytics Extension by spoofing its ID.
The chain looked like this:
- Spoofed Analytics Extension injects script into perplexity.ai
- Page triggers Agentic Extension
- Agentic Extension uses hidden MCP API
- MCP executes WannaCry ransomware on the victim device
And this is only one possible chain. SquareX highlights that attackers could also exploit:
- XSS
- man-in-the-middle network attacks
- weaknesses in embedded extensions
- compromised MCP servers
The disturbing part? The extensions required for these chains are hidden from the Comet UI, meaning:
- users cannot disable them
- security teams cannot audit them
- enterprises cannot assess the risk
- there is zero visibility into API permissions
As SquareX puts it, Comet’s internal extensions effectively become “hidden IT.”
A Browser War Misstep: Innovation at the Cost of Security?
The finding highlights a broader pattern across the AI browser boom: vendors racing to capture the “next browser platform” spot while bypassing long-standing security principles.
“We’re watching browsers grant themselves system-level access that would require explicit consent in any traditional browser,” said Vivek Ramachandran, Founder of SquareX.
“Users deserve to know when software has this level of control.”
Browsers have become the central productivity platform of the AI era. With AI agents, autonomous workflows, and local integrations accelerating, vendors are eager to push the boundaries of what a browser can do.
But SquareX warns that unless industry standards are enforced early, we risk a future where AI browsers quietly normalize OS-level privileges without disclosure, oversight, or guardrails.
A Call for Accountability: SquareX Pushes for Industry Standards
SquareX is calling on all AI browser vendors—not just Perplexity—to immediately adopt:
- Full disclosure of all APIs, including privileged or experimental ones
- Third-party security audits
- User controls to disable embedded extensions
- Documented boundaries for local command execution
- Clear permission models for AI extensions and MCP-based features
The MCP API may be the first major warning signal—but it won’t be the last.
AI browsers are rapidly evolving into full-fledged operating environments. And without transparent, enforceable standards, those environments could become ripe for exploitation.
SquareX says it has notified Perplexity about the issue. As of publication, no response has been received.
The Stakes for Enterprises and Users
For security teams, this research suggests:
- AI browsers may be silently bypassing established permission models
- Enterprises may unknowingly expose endpoints to local command execution
- Embedded extensions may lie outside traditional browser management policies
For individual users, the implications are even more direct:
- A web page could potentially trigger applications on your device
- You cannot disable the extensions responsible
- You cannot assess the risk
- You aren’t informed that your browser has OS-level power
If this sounds like a reversal of 20 years of browser security progress, that’s because it is.
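For security teams, one place this kind of execution can surface is endpoint process telemetry: MCP's stdio transport starts the server as a local subprocess, so non-browser programs would show up beneath the browser in the process tree. The check below is an added example, not SquareX's or Perplexity's code; the executable name, the event fields, the sample events, and the assumption that the spawned process descends from the browser process are all constructed for illustration.

```python
import json

# Assumption: placeholder for the browser's executable name; substitute the real one.
BROWSER_IMAGE = "browser-binary-placeholder"

# Constructed process-creation events in creation order (not real telemetry).
SAMPLE_EVENTS = """
{"pid": 100, "ppid": 1, "image": "/opt/app/browser-binary-placeholder", "cmd": "browser-binary-placeholder"}
{"pid": 101, "ppid": 100, "image": "/opt/app/browser-binary-placeholder", "cmd": "browser-binary-placeholder --type=renderer"}
{"pid": 200, "ppid": 100, "image": "/bin/sh", "cmd": "sh -c ./setup-helper"}
{"pid": 201, "ppid": 200, "image": "/tmp/setup-helper", "cmd": "./setup-helper"}
{"pid": 300, "ppid": 1, "image": "/usr/bin/python3", "cmd": "python3 report.py"}
"""


def load_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Executable name without directory, case-folded, for either path style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_browser_spawned(events, browser=BROWSER_IMAGE, helpers=frozenset()):
    """Return events for non-browser programs running anywhere under the browser.

    Tracks every PID that is the browser or descends from it, so a payload
    launched through an intermediate shell is still attributed to the browser.
    `helpers` lists executable names the browser legitimately ships and spawns.
    Caveat: PID reuse over long windows needs start timestamps to disambiguate.
    """
    browser_tree = set()
    alerts = []
    for ev in events:
        name = basename(ev["image"])
        is_browser = name == browser or name in helpers
        from_browser = ev["ppid"] in browser_tree
        if is_browser or from_browser:
            browser_tree.add(ev["pid"])
        if from_browser and not is_browser:
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for ev in find_browser_spawned(load_events(SAMPLE_EVENTS)):
        print(f"browser-descended process pid={ev['pid']} image={ev['image']} cmd={ev['cmd']!r}")
```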
The Bottom Line
SquareX’s findings shouldn’t be seen as an indictment of Comet alone—they’re a wake-up call for the entire AI browser ecosystem.
As browsers increasingly become agentic execution environments, the stakes for security, transparency, and permission boundaries are higher than ever.
Innovation doesn’t have to come at the cost of safety—but only if the industry sets (and enforces) the right standards now.