
Obscure MCP API in Comet Browser Breaches User Trust, Enabling Full Device Control via AI Browsers

  • Nov 19, 2025

Key Findings


  • Comet Browser has implemented a hidden MCP API (chrome.perplexity.mcp.addStdioServer) that allows its embedded extensions to execute arbitrary local commands on users' devices, a capability that traditional browsers explicitly prohibit.

  • The MCP API is currently found in the Agentic extension and can be triggered by the perplexity.ai page, creating a covert channel for Comet to access local data and launch commands/apps without user consent.

  • There is limited official documentation on the MCP API, with existing documentation only covering the intent of the feature, without disclosing the persistent access and control that Comet's embedded extensions have.

  • The lack of transparency and user controls around the MCP API represents a massive breach of trust, as it reverses decades of security principles established by browser vendors like Chrome, Safari, and Firefox.

  • The MCP API exploit creates catastrophic third-party risk, as a single vulnerability in Perplexity.ai or its embedded extensions could grant attackers unprecedented control over every Comet user's device.

  • SquareX's research demonstrates how a malicious extension can be disguised as a legitimate one to abuse the MCP API and execute malware like WannaCry on victim devices.

  • Comet has hidden the Agentic and Analytics extensions from the extension dashboard, preventing users from disabling them even if they are compromised, creating a "hidden IT" that security teams and users have no visibility over.


Background


For decades, browser vendors have adhered to strict security controls that prevent browsers, and especially extensions, from directly controlling the underlying device. Traditional browsers require native messaging APIs with explicit registry entries and user consent for any local system access. However, in their ambition to make the browser more powerful, Comet has bypassed all of these safeguards with a hidden API that most users don't even know exists.


Comet's Obscure MCP API


Comet has implemented an MCP API (chrome.perplexity.mcp.addStdioServer) that allows its embedded extensions to execute arbitrary local commands on users' devices, a capability that traditional browsers explicitly prohibit. Concerningly, there is limited official documentation on the MCP API: existing documentation covers only the intent of the feature and does not disclose that Comet's embedded extensions have persistent access to the API and the ability to launch local apps arbitrarily without user permission.


Catastrophic Third-Party Risk


While there is no evidence that Perplexity is currently misusing the MCP API, the question is not if but when Perplexity will be compromised. A single XSS vulnerability, a successful phishing attack against a Perplexity employee, or an insider threat would instantly grant attackers unprecedented control via the browser over every Comet user's device. This creates catastrophic third-party risk where users have ceded their device security to Perplexity's security posture, with no easy way to assess or mitigate the risk.


Attack Demonstration


In SquareX's attack demo, the research team used extension stomping to disguise a malicious extension as the embedded Analytics Extension by spoofing its extension ID. Once sideloaded, the malicious Analytics Extension injects a script into the perplexity.ai page, which in turn invokes the Agentic Extension to use the MCP API to execute WannaCry on the victim's device. Other techniques such as XSS and MitM network attacks can also be used to achieve the same result.
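A defensive check for the extension stomping described above, as an added example that is not from SquareX or Perplexity: it recomputes the ID Chromium derives from a manifest `key` and flags developer-mode sideloads that occupy an embedded extension's ID. It assumes Comet keeps Chromium's `extensions.settings` preferences layout; the key bytes, IDs and paths are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib

# Chromium ManifestLocation values that indicate a developer-mode sideload.
SIDELOAD = {4: "unpacked", 8: "command-line"}


def extension_id_from_key(key_b64):
    """Derive the extension ID Chromium assigns for a manifest "key" value.

    The ID is the first 16 bytes of SHA-256 over the decoded public key,
    written as 32 hex nibbles remapped onto the letters a-p.
    """
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()[:32]
    return "".join(chr(ord("a") + int(nibble, 16)) for nibble in digest)


def manifest_claims_protected_id(manifest, protected_ids):
    """True if a manifest.json found on disk pins a key that maps to a protected ID."""
    try:
        return extension_id_from_key(manifest["key"]) in protected_ids
    except (KeyError, ValueError):  # no key field, or malformed base64
        return False


def find_stomped(prefs, protected_ids):
    """Flag sideloaded entries that occupy an ID reserved for an embedded extension."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        source = SIDELOAD.get(entry.get("location"))
        if source and ext_id in protected_ids:
            findings.append({"id": ext_id, "source": source, "path": entry.get("path", "")})
    return findings


# Constructed sample data: placeholder keys and paths, not Comet's real values.
EMBEDDED_KEY = base64.b64encode(b"constructed-public-key-for-demo").decode()
OTHER_KEY = base64.b64encode(b"constructed-unrelated-dev-key").decode()
PROTECTED_IDS = {extension_id_from_key(EMBEDDED_KEY)}
SAMPLE_PREFS = {"extensions": {"settings": {
    # Sideloaded copy sitting on the embedded extension's ID: flagged.
    extension_id_from_key(EMBEDDED_KEY): {"location": 4, "path": "/home/user/Downloads/ext"},
    # Ordinary developer extension with its own ID: ignored.
    extension_id_from_key(OTHER_KEY): {"location": 4, "path": "/home/user/dev/my-ext"},
}}}

if __name__ == "__main__":
    for hit in find_stomped(SAMPLE_PREFS, PROTECTED_IDS):
        print("protected ID loaded from", hit["source"], "path:", hit["path"])
```

In a real audit, `PROTECTED_IDS` would hold the IDs of the browser's embedded extensions as observed on a known-good install.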


Lack of Transparency and User Control


More worryingly, as both the Agentic and Analytics extensions are critical to Comet's agentic functionality, Perplexity has hidden them from the Comet extension dashboard, preventing users from disabling them even if they are compromised. These embedded extensions become a "hidden IT" that neither security teams nor users have any visibility over. Furthermore, due to the lack of documentation, there is no way to know whether or when Comet might expand access to other "trusted" sites.


Implications and Recommendations


As with the OS and the search engine, owning the platform where the majority of modern work occurs has always been the grand ambition of many tech companies. With AI, there is now the opportunity to make browsers more powerful than ever before. Yet, in the race to win the next browser war, many AI browser companies are shipping features so quickly that it has come at the cost of proper documentation and security measures.


The MCP API exploits serve as an early warning of the third-party risks that poor implementation of AI browsers can expose users to. SquareX is calling on AI browser vendors to mandate disclosure for all APIs, undergo third-party security audits, and provide users with controls to disable embedded extensions. This isn't just about one API in one browser. If the industry doesn't establish boundaries now, we're setting a precedent where AI browsers can bypass decades of security principles under the banner of innovation.


Sources


  • https://hackread.com/obscure-mcp-api-in-comet-browser-breaches-user-trust-enabling-full-device-control-via-ai-browsers/

  • https://securityonline.info/obscure-mcp-api-in-comet-browser-breaches-user-trust-enabling-full-device-control-via-ai-browsers/
