A new warning from security firm SquareX has exposed a serious flaw in Perplexity’s Comet AI browser. Their research shows that a hidden system inside the browser could allow attackers to run commands directly on a user’s device. After reading all details, I can say this is one of the most worrying types of vulnerabilities. Browsers are supposed to be the safest layer between the internet and your system. When a browser breaks this trust, the entire device becomes exposed.
The problem comes from a hidden mechanism called the MCP API, specifically chrome.perplexity.mcp.addStdioServer. In simple terms, this API lets Comet’s internal extensions bypass sandboxing. Sandboxing is the core rule that protects you online. It prevents websites or extensions from running programs on your PC. Every major browser has followed this rule for decades.
Comet breaks this rule by allowing its built-in extensions to run commands on the system. This means a browser extension can install software, steal data, or monitor your device without any permission box or system warning. What makes it worse is that Perplexity never properly documented this API. Users had no idea it existed, and the documentation that does exist does not tell users that the browser’s own extensions keep persistent access to this powerful feature.
SquareX found two hidden extensions inside Comet. One is for analytics. The other powers Comet’s AI agent behavior. The second one contains the MCP API. They also found that the Perplexity website can activate this API through the extension. This makes it a silent channel between the browser and the system. If anyone compromises that channel, your device becomes an easy target.
Their demonstration used a technique called extension stomping, where they disguised a malicious extension to trick Comet’s agent extension. It then triggered the hidden API. As a result, they were able to launch WannaCry, one of the most destructive ransomware programs ever made. The attack did not require deep hacking skills. XSS bugs, network attacks, or even a compromise of Perplexity’s servers could lead to the same outcome.
From a security point of view, this is a textbook example of what happens when a browser introduces system-level powers without strict rules. If an attacker compromises Perplexity, the risk becomes a large-scale disaster. Every Comet user becomes vulnerable at once.
SquareX contacted Perplexity on November 4, 2025. They did not receive a reply, but silently patched the issue. Their proof-of-concept attack now shows the message “Local MCP is not enabled.” This suggests the fix is very new. Even though the vulnerability is now closed, the lack of communication raises questions about transparency.
My view is simple. AI browsers cannot follow the same mindset as AI chat tools. A browser is not an assistant. It is a gateway to the internet. It must be strict, predictable, and transparent. Any powerful API must be documented. Any embedded extension with system access must have an off switch. And any AI-driven feature must respect the security boundaries that the browser industry has spent decades building.
