SquareX researchers have identified a hidden API in the Comet AI browser that could allow browser extensions to execute local commands and take full control of users’ devices. This discovery highlights new security concerns for users of AI-powered browsers.
API exposure
The research team found that the Comet browser implements a mechanism called the MCP API, which is not found in traditional browsers. Through this API, embedded extensions can access device resources and execute arbitrary commands without the need for explicit user consent. Traditional browsers typically restrict such actions and require clear user approval and registry entries for any local system access.
Comet’s documentation references the intended purpose of the feature, but does not reveal that these embedded extensions can access the MCP API persistently or that they can launch applications without user oversight. The lack of visible controls puts users at risk of their device being affected without their knowledge.
Security bypass
SquareX researchers note that the identified vulnerability undermines established browser security protocols. In traditional browsers like Chrome, Safari and Firefox, such elevated access is carefully regulated to protect users’ devices. The Comet approach bypasses these restrictions, exposing users to risks typically avoided within browser environments.
“For decades, browser vendors have adhered to strict security controls that prevent browsers, and especially extensions, from directly controlling the underlying device,” said Kabilan Sakthivel, Researcher, SquareX.
This hidden API currently operates through Comet’s embedded Agentic extension, and can be triggered by actions on the perplexity.ai web page. While SquareX states there is no evidence of current abuse by Perplexity, the browser’s architecture could enable attackers to gain device-level access if security vulnerabilities are exploited.
Demonstration attack
SquareX’s research includes a demonstration in which a malicious extension masquerades as Comet’s embedded Analytics extension. Once installed, the malicious extension injects a script into the perplexity.ai page, triggering the Agentic extension to execute system-level malware, such as WannaCry, on the target’s device. This exploit is enabled by the persistent access provided by the MCP API.
The demonstration attack used extension ID spoofing, but researchers note that cross-site scripting and network-based attacks targeting perplexity.ai or its embedded extensions could yield the same result. Because these extensions are hidden from Comet’s extension dashboard, users are unable to disable them or monitor their activity, limiting user control and visibility.
User awareness
The absence of documentation and transparency on the MCP API means users and enterprise security teams are unable to assess or reduce their risk exposure. According to SquareX, this arrangement increases third-party risk, as users must rely entirely on Perplexity’s security practices.
The researchers have disclosed their findings to Perplexity, but as of now have not reported a response. They have indicated that no other AI browsers examined thus far implement a similar MCP API.
Industry concerns
SquareX warns that as AI browsers compete to add new features, security and documentation may be overlooked. The ease of implementing system-level access without oversight could encourage other browser developers to introduce similar capabilities.
“The early implementation of device control APIs in AI browsers is extremely dangerous,” said Vivek Ramachandran, Founder, SquareX.
SquareX has called on AI browser developers to make all APIs public, submit their platforms to third-party security audits, and enable users to disable embedded extensions. Without clear standards, they warn that AI browsers may continue to adopt unchecked levels of device access.