Hidden Comet Browser API Allowed Dangerous Local Command Execution

A newly discovered flaw in Perplexity’s Comet browser lets hidden extensions execute local commands without users’ knowledge or consent.

Security researchers at SquareX found that Comet breaks long-standing browser security models by exposing system-level capabilities that traditional browsers intentionally prohibit.

The researchers said that “…Comet has implemented an MCP API that allows its embedded extensions to execute arbitrary local commands on host devices without explicit user permission.”

Hidden Extensions Gave Comet System-Level Access

SquareX researchers found that Comet installed two hidden embedded extensions — an analytics extension and an agentic automation extension — without displaying them in the browser’s extensions dashboard. 

Users cannot disable, view, or manage these extensions, even though they are granted special privileges.

The vulnerability centers around a private API call chrome.perplexity.mcp.addStdioServer that allows these extensions to run arbitrary commands on the host machine. 

Because the MCP API is undocumented and not mentioned anywhere in Comet’s Terms & Conditions, users had no way to know the browser was capable of device-level execution.

In practice, this means any compromise of the browser — via XSS, supply chain attack, or man-in-the-middle interception — could instantly grant attackers the ability to run ransomware, exfiltrate files, or launch local applications. 

SquareX successfully demonstrated this risk by executing WannaCry on a test endpoint through Comet.

Inside the MCP API Exploit Chain

SquareX demonstrated a full proof-of-concept attack showing how adversaries could weaponize the MCP API. 

First, attackers perform extension stomping by extracting Comet’s legitimate extension manifest key and using it to create a spoofed extension with the same ID. 

Once this malicious extension is sideloaded, Comet performs a silent replacement, treating it as its own embedded extension and hiding it from the extensions menu. 

The spoofed extension then conducts script injection, adding malicious code into perplexity[.]ai pages. 

Finally, the injected script triggers local command execution by instructing Comet’s agentic extension to invoke the MCP API, enabling ransomware to run directly on the user’s device.

By bypassing the browser sandbox entirely, the flaw effectively removes the core isolation layer that modern browsers rely on. 

Traditional browsers restrict extension access to Native Messaging APIs requiring explicit user approval and registry-level configuration — steps the MCP API circumvents.

SquareX notes there is no evidence Perplexity misused the API, but the undocumented design and hidden extensions create a third-party risk for organizations.

Protecting Your Environment From AI Browser Flaws

The discovery of Comet’s undocumented MCP API shows how quickly AI-driven browsers can introduce unexpected system-level risks. 

Security teams should treat any AI browser as a high-risk application and apply controls that limit its reach, visibility, and ability to execute local actions.

• Block or restrict use of the Comet browser until Perplexity provides a full advisory and documented fixes.
• Enforce strict application control and MDM policies to prevent sideloaded or unapproved browser installations and extensions.
• Audit endpoints and EDR logs for unauthorized extensions, suspicious child processes, or anomalous local command activity.
• Harden network monitoring to flag unusual connections to perplexity.ai subdomains or unexpected outbound traffic from browser processes.
• Use zero-trust segmentation or browser isolation to limit what AI-powered browsers can access inside corporate environments.
• Review all third-party AI tools for hidden agentic capabilities, undocumented system-level APIs, or deviations from standard browser security models.
• Implement outbound allow-listing and OS-level restrictions to prevent browsers from launching system commands or interacting directly with local resources.

Building cyber resilience requires assuming that even trusted tools can introduce hidden risks and preparing defenses that limit the blast radius of unexpected vulnerabilities.  

The Hidden Risks of AI-Powered Browsers

This incident highlights a broader challenge: AI browsers and agentic web tools are evolving faster than traditional security frameworks can monitor. 

In the race to ship features, vendors may introduce capabilities — like local command execution — that fundamentally undermine long-standing sandboxing and permission models.

AI-enhanced browsers cannot be assumed to inherit the security posture of traditional browsers. 

These risks make it clear that organizations must adopt a zero-trust approach that treats every browser, process, and connection as untrusted until proven otherwise.