Obscure MCP API in Comet Browser Breaches User Trust, Enabling Full Device Control via AI Browsers
None
<p class="sc-iYsSXP hbVeNb"><span><strong>Palo Alto, California, November 19th, 2025, CyberNewsWire</strong></span></p><p></p><div class="code-block code-block-13" style="margin: 8px 0; clear: both;"> <style> .ai-rotate {position: relative;} .ai-rotate-hidden {visibility: hidden;} .ai-rotate-hidden-2 {position: absolute; top: 0; left: 0; width: 100%; height: 100%;} .ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback, .ai-list-block, .ai-list-block-ip, .ai-list-block-filter {visibility: hidden; position: absolute; width: 50%; height: 1px; top: -1000px; z-index: -9999; margin: 0px!important;} .ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback {min-width: 1px;} </style> <div class="ai-rotate ai-unprocessed ai-timed-rotation ai-13-1" data-info="WyIxMy0xIiwxXQ==" style="position: relative;"> <div class="ai-rotate-option" style="visibility: hidden;" data-index="1" data-name="U2hvcnQ=" data-time="MTA="> <div class="custom-ad"> <div style="margin: auto; text-align: center;"><a href="https://www.techstrongevents.com/cruisecon-virtual-west-2025/home?ref=in-article-ad-2&utm_source=sb&utm_medium=referral&utm_campaign=in-article-ad-2" target="_blank"><img src="https://securityboulevard.com/wp-content/uploads/2025/10/Banner-770x330-social-1.png" alt="Cruise Con 2025"></a></div> <div class="clear-custom-ad"></div> </div></div> </div> </div><p><a target="_blank" rel="nofollow noopener" href="https://sqrx.com/?utm_campaign=28817066-2025%20Nov%20%7C%20PR%20%7C%20YOBB&utm_source=pressrelease&utm_medium=pressrelease">SquareX</a> released critical research exposing a hidden API in Comet that allows extensions in the AI Browser to execute local commands and gain full control over users’ devices. The research reveals that Comet has implemented a MCP API (chrome.perplexity.mcp.addStdioServer) that allows its embedded extensions to execute arbitrary local commands on users’ devices, capabilities that traditional browsers explicitly prohibit. Concerningly, there is limited official documentation on the MCP API. Existing <a target="_blank" rel="nofollow noopener" href="https://www.perplexity.ai/help-center/en/articles/11502712-local-and-remote-mcps-for-perplexity">documentation</a> only covers the intent of the feature, without disclosing that Comet’s embedded extensions have persistent access to the API and the ability to launch local apps arbitrarily without user permission, creating a massive breach of user trust and transparency. </p><blockquote><p>“For decades, browser vendors have adhered to strict security controls that prevent browsers, and especially extensions, from directly controlling the underlying device,” explains Kabilan Sakthivel, Researcher at SquareX. “Traditional browsers require native messaging APIs with explicit registry entries and user consent for any local system access. In their ambition to make the browser more powerful, Comet has bypassed all of these safeguards with a hidden API that most users don’t even know exists. This erosion of user trust fundamentally reverses the clock on decades of browser security principles established by vendors like Chrome, Safari, and Firefox.”</p></blockquote><p>Currently, the API is found in the Agentic extension, and it can be triggered by the perplexity.ai page, creating a covert channel for Comet to access local data and launch arbitrary commands/apps without any user control. While there is no evidence that Perplexity is currently misusing the MCP API, the question is not if but when Perplexity will be compromised. A single XSS vulnerability, a successful phishing attack against a Perplexity employee, or an insider threat would instantly grant attackers unprecedented control via the browser over every Comet user’s device. This creates catastrophic third-party risk where users have resigned their device security to Perplexity’s security posture, with no easy way to assess or mitigate the risk.</p><p>In <a target="_blank" rel="nofollow noopener" href="https://sqrx.com/?utm_campaign=28817066-2025%20Nov%20%7C%20PR%20%7C%20YOBB&utm_source=pressrelease&utm_medium=pressrelease">SquareX</a>’s attack demo, the research team used extension stomping to disguise a malicious extension as the embedded Analytics Extension by spoofing its extension ID. Once sideloaded, the malicious Analytics Extension injects a script into the <a target="_blank" rel="nofollow noopener" href="http://perplexity.ai">perplexity.ai</a> page, which in turn invokes the Agentic Extension which finally uses the MCP to execute WannaCry on the victim’s device. While the demonstration leveraged extension stomping, other techniques such as XSS, MitM network attacks that exploits the perplexity.ai or the embedded extensions can also lead to the same result. </p><p><strong><img decoding="async" src="https://securityboulevard.com/wp-content/uploads/2025/11/yuF4ZMl_1763447257D5CbMHCiGm.jpeg"></strong></p><p>More worryingly, as both extensions are critical to Comet’s agentic functionality, Perplexity has hidden them from Comet extension dashboard, preventing users from disabling them even if they are compromised. These embedded extensions become a “hidden IT” that security teams nor users have zero visibility over. Furthermore, due to the lack of documentation, there is no way to know whether or when Comet might expand access to other “trusted” sites.</p><p>While other AI Browsers also have embedded extensions, we have only found the MCP API in Comet for now. We have disclosed the attack to Perplexity, but have not heard a response. </p><p>Similar to the OS and search engine, owning the platform where the majority of modern work occurs has always been the grand ambition for many tech companies. With AI, there is now the opportunity to make browsers more powerful than ever before. Yet, in the race to win the next browser war, many AI Browser companies are shipping features so quickly that it has come at the cost of proper documentation and security measures. </p><blockquote><p>The MCP API exploits serve as an early warning to the third-party risks that poor implementation of AI Browsers can expose users to. “The early implementation of device control APIs in AI browsers is extremely dangerous,” <a target="_blank" rel="nofollow noopener" href="https://www.linkedin.com/in/vivekramachandran/">Vivek Ramachandran</a>, Founder of <a target="_blank" rel="nofollow noopener" href="https://sqrx.com?utm_campaign=28817066-2025%20Nov%20%7C%20PR%20%7C%20YOBB&utm_source=pressrelease&utm_medium=pressrelease">SquareX</a> emphasizes. “We’re essentially seeing browser vendors grant themselves, and potentially third parties, the kind of system-level access that would require explicit user consent and security review in any traditional browser. Users deserve to know when software has this level of control over their devices.”</p></blockquote><p>Without demand for accountability from users and the security community, other AI browsers will race to implement similar, or more invasive, capabilities to remain competitive. SquareX is calling on AI browser vendors to mandate disclosure for all APIs, undergo third-party security audits, and provide users with controls to disable embedded extensions. This isn’t just about one API in one browser. If the industry doesn’t establish boundaries now, we’re setting a precedent where AI browsers can bypass decades of security principles under the banner of innovation. </p><p><strong>Demo Video: </strong><a target="_blank" rel="nofollow noopener" href="https://youtu.be/qJl4XllT-9M">https://youtu.be/qJl4XllT-9M</a> </p><p>For more information, users can refer to the <a target="_blank" rel="nofollow noopener" href="https://labs.sqrx.com/comet-mcp-api-allows-ai-browsers-to-execute-local-commands-dec185fb524b">technical blog</a>.</p><p><strong>About SquareX</strong></p><p><a target="_blank" rel="nofollow noopener" href="https://sqrx.com?utm_campaign=28817066-2025%20Nov%20%7C%20PR%20%7C%20YOBB&utm_source=pressrelease&utm_medium=pressrelease">SquareX</a>‘s browser extension turns any browser on any device into an enterprise-grade secure browser, including AI Browsers. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience. Users can find out more about SquareX’s research-led innovation at <a target="_blank" rel="nofollow noopener" href="https://sqrx.com?utm_campaign=28817066-2025%20Nov%20%7C%20PR%20%7C%20YOBB&utm_source=pressrelease&utm_medium=pressrelease">www.sqrx.com</a>.</p><h5>Contact</h5><p><span><strong>Head of PR</strong><br></span><span><strong>Junice Liew</strong><br></span><span><strong>SquareX</strong><br></span><span><strong><a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="bdd7c8d3d4ded8fdcecccfc593ded2d0">[email protected]</a></strong><br></span></p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/obscure-mcp-api-in-comet-browser-breaches-user-trust-enabling-full-device-control-via-ai-browsers/" data-a2a-title="Obscure MCP API in Comet Browser Breaches User Trust, Enabling Full Device Control via AI Browsers"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fobscure-mcp-api-in-comet-browser-breaches-user-trust-enabling-full-device-control-via-ai-browsers%2F&linkname=Obscure%20MCP%20API%20in%20Comet%20Browser%20Breaches%20User%20Trust%2C%20Enabling%20Full%20Device%20Control%20via%20AI%20Browsers" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fobscure-mcp-api-in-comet-browser-breaches-user-trust-enabling-full-device-control-via-ai-browsers%2F&linkname=Obscure%20MCP%20API%20in%20Comet%20Browser%20Breaches%20User%20Trust%2C%20Enabling%20Full%20Device%20Control%20via%20AI%20Browsers" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fobscure-mcp-api-in-comet-browser-breaches-user-trust-enabling-full-device-control-via-ai-browsers%2F&linkname=Obscure%20MCP%20API%20in%20Comet%20Browser%20Breaches%20User%20Trust%2C%20Enabling%20Full%20Device%20Control%20via%20AI%20Browsers" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fobscure-mcp-api-in-comet-browser-breaches-user-trust-enabling-full-device-control-via-ai-browsers%2F&linkname=Obscure%20MCP%20API%20in%20Comet%20Browser%20Breaches%20User%20Trust%2C%20Enabling%20Full%20Device%20Control%20via%20AI%20Browsers" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fobscure-mcp-api-in-comet-browser-breaches-user-trust-enabling-full-device-control-via-ai-browsers%2F&linkname=Obscure%20MCP%20API%20in%20Comet%20Browser%20Breaches%20User%20Trust%2C%20Enabling%20Full%20Device%20Control%20via%20AI%20Browsers" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>