SquareX has disclosed a previously undocumented API within the Comet AI browser that allows its embedded extensions to execute arbitrary commands and launch applications — capabilities mainstream browsers intentionally block.
According to a disclosure shared with CSO ahead of its publication on Wednesday, Comet’s Analytics Extension contains a custom MCP API that bypasses the decade-old safeguards in mainstream browsers.
The API can be triggered directly from perplexity.ai, creating a covert execution channel that attackers could exploit through familiar techniques such as compromised extensions, XSS, or phishing. The feature introduces a type of device access typically reserved for native apps, not browsers, SquareX added.
Experts say the discovery lands at a sensitive moment for AI browsers. John Grady, principal analyst at Omdia, said most organizations have already classified them conservatively. “Most organizations are treating them as unmanaged apps at this point in time,” he said. “It’s incredibly early, so very few, if any, organizations are adopting this as the default enterprise browser. And this finding will do nothing to change that.”
Embedded extensions have undocumented device access
SqaureX says it uncovered the MCP API while reviewing Comet’s embedded Analytics Extension, where the non-standard “chrome.perplexity” namespace suggested an addition to Chromium. Audrey Adeline from SquareX said the team identified the API directly in the extension code. “We were able to retrieve the MCP API in the Comet Analytics Extension source code.”
She added that the exploitability of the feature is surprisingly high. “The technical bar for this exploit is extremely low: extension stomping, cross-site scripting, and basic network MitM attacks are more than enough.” In a demo shared along with the disclosure, a malicious extension spoofed as Comet’s Analytics Extension injected a script into the perplexity.ai page and ultimately used the Agentic Extension to invoke the MCP API, resulting in an on-device execution of WannaCry.
SquareX also points out that Comet hides both the Analytics and Agentic extensions from the browser’s extension dashboard, preventing users from disabling them even if a compromise is suspected. Due to a lack of documentation, Adeline warned that it is “possible that other embedded or 3rd party extensions also have access to the API, in the future if not today”.
Perplexity did not immediately respond to CSO’s request for comments.
Broader Warning for AI browsers
The disclosure is likely to deepen enterprise hesitation around AI browser adoption. Grady noted that organizations will continue treating them as unsanctioned applications until they can fully assess the tradeoffs. “Security teams should ensure corporate policy is clear, and they have the tools to enforce that policy.”
SquareX’s recommendation is rather blunt. AI browsers must disclose all system-level APIs, undergo independent security audits, and give users the ability to disable embedded extensions. Without that, they warn, the industry could normalize a class of browsers that quietly hold endpoint-level authority.
“Unfortunately, the MCP API is accessible by Comet’s embedded extensions by default, and there is no way to uninstall these extensions, so apart from preventing users from using Comet, the true fix can only come from Perplexity,” Adeline noted. “For extension stomping, device integrity measures can be put in place to prevent sideloading of extensions.” However, extension stomping is just one way the API can be exploited, she added.
No Responses