- SquareX accused Perplexity’s Comet browser of exposing a hidden MCP API that could allow local command execution.
- Perplexity rejected the claims as “completely false” and emphasized that the API requires developer mode, user consent, and manual download.
- SquareX responded by saying that Comet was quietly updated after its proof of concept and that third-party researchers replicated the attack.
Cybersecurity company SquareX recently accused Perplexity of maintaining a major vulnerability in its AI browser, Comet; the latter has now responded, saying the research report is “completely false” and part of a growing problem of “fake security research.”
SquareX had said that it found a hidden API in the Comet browser, capable of executing local commands. That API, called the MCP API, allows Comet’s built-in extensions to execute arbitrary local commands on users’ devices, a capability that traditional browsers explicitly prohibit.
SquareX said it found the API in the Agentic extension, which can be activated from the perplexity.ai page, meaning that if someone logs into the Perplexity site, they will have access to all of its users’ devices.
Perplexity’s response
For SquareX researcher Kabilan Sakthivel, abandoning the strict security controls the industry has evolved toward “turns back the clock on decades of browser security principles established by vendors like Chrome, Safari and Firefox.”
But Perplexity disagrees, noting in a written response sent to TechRadar Pro by spokesperson Jesse Dwyer that the report is “completely false.”
The company added that the vulnerability requires a human to do the work, not the Comet Assistant, and requires developer mode to be enabled.
“To replicate this, the human user must activate developer mode and manually download the malware into Comet,” it said.
Perplexity also said that Comet’s failure to explicitly obtain user consent for any local system access is “categorically false.”
“When installing local MCPs, we require user consent: users are the ones who configure it and call the MCP API. They specify exactly what command to run,” Dwyer wrote. “Any additional commands from the MCP (e.g. calling an AI tool) also require user confirmation.”
Additionally, Perplexity says that what SquareX describes as a “hidden API” is actually “simply how Comet can run MCP locally,” first obtaining user permission and consent.
“This is the second time SquareX has presented a false security investigation. The first one we also demonstrated was false,” Dwyer stressed.
Dwyer also claims that SquareX did not file a report as it claims. “Instead, they sent a link to a Google Doc, with no context and no access. We told them we couldn’t open the Google Docs, requested access to the Google Docs, and never heard a response or were granted access to the documents.”
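The layered controls Perplexity describes above (developer mode, commands configured by the user, per-command confirmation) can be illustrated with an added example. The code below is hypothetical illustration code written for this page, not Comet’s code or Perplexity’s MCP API; the trusted extension origin (a placeholder), the tool names, the sample argv and the confirmation callback are all assumptions. It shows how each missing layer yields a refusal rather than execution, and why a bridge to local commands must also check that the caller is the browser’s own extension and not an ordinary web page.

```python
"""Hypothetical consent-gated local command bridge (illustration only,
not Comet's or Perplexity's code). Models four independent gates in front of
any local command: feature flag, caller origin, user-configured allowlist,
and per-call confirmation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import shlex
import subprocess

# Assumption: only the browser's own extension origin may call the bridge,
# never a web page. The extension id below is a placeholder.
TRUSTED_ORIGINS = {"chrome-extension://EXTENSION-ID-PLACEHOLDER"}


@dataclass
class BridgeConfig:
    """State the user controls: the feature flag and the tools they configured."""
    developer_mode: bool = False
    # tool name -> exact argv the user configured (constructed sample data below)
    configured_tools: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: Optional[List[str]] = None
    output: str = ""


class LocalMcpBridge:
    """Every local-command request must pass all four checks in order."""

    def __init__(self, config: BridgeConfig, confirm: Callable[[str], bool]):
        self.config = config
        self.confirm = confirm  # the UI prompt; injected so it can be tested offline

    def decide(self, caller_origin: str, tool: str) -> Decision:
        # 1. Feature flag: refuse unless the user enabled developer mode.
        if not self.config.developer_mode:
            return Decision(False, "Local MCP is not enabled")
        # 2. Origin: a web page must never reach the bridge, only the extension.
        if caller_origin not in TRUSTED_ORIGINS:
            return Decision(False, f"untrusted caller origin: {caller_origin}")
        # 3. Allowlist: only commands the user configured, with their exact argv.
        argv = self.config.configured_tools.get(tool)
        if argv is None:
            return Decision(False, f"tool not configured by user: {tool}")
        # 4. Per-call confirmation that shows the exact command line.
        if not self.confirm(f"Run local command: {shlex.join(argv)}?"):
            return Decision(False, "user declined")
        return Decision(True, "confirmed", list(argv))

    def run(self, caller_origin: str, tool: str) -> Decision:
        """Execute only after decide() allows; argv stays a list, never a shell string."""
        decision = self.decide(caller_origin, tool)
        if decision.allowed:
            proc = subprocess.run(decision.argv, capture_output=True, text=True, check=False)
            decision.output = proc.stdout.strip()
        return decision


def demo() -> List[str]:
    """Walk the refusal ladder; returns the four refusal reasons then the real output."""
    cfg = BridgeConfig(configured_tools={"hello": ["echo", "hello from local tool"]})
    bridge = LocalMcpBridge(cfg, confirm=lambda prompt: True)
    ext = next(iter(TRUSTED_ORIGINS))
    results = [bridge.decide(ext, "hello").reason]                       # flag off
    cfg.developer_mode = True
    results.append(bridge.decide("https://www.perplexity.ai", "hello").reason)  # web page origin
    results.append(bridge.decide(ext, "unconfigured").reason)            # not on the user's list
    declining = LocalMcpBridge(cfg, confirm=lambda prompt: False)
    results.append(declining.decide(ext, "hello").reason)                # user says no
    results.append(bridge.run(ext, "hello").output)                      # all gates pass
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: the feature flag is evaluated before anything else, so a disabled bridge reveals nothing about configured tools, and the origin check sits before the allowlist so that a page served from a web origin cannot even learn which tools exist.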
SquareX also fights back
But SquareX is not backing down either.
The company also said it saw Perplexity push a “silent update” to Comet, after which the same proof of concept now returns “Local MCP is not enabled.”
It claims to have had three outside researchers replicate the attack and that Perplexity fixed it a few hours ago.
“This is great news from a security perspective and we are glad that our research can contribute to making AI Browser more secure,” SquareX concluded, adding that it did not receive a response from Perplexity regarding its VDP filing.