Hidden API Sparks Fears Over AI Browser Security


If you rely on a browser powered by AI, a new threat has emerged. SquareX—providers of browser attack detection and response solutions—recently uncovered an undocumented API inside the Comet AI browser developed by Perplexity.

The API can allow embedded extensions to execute arbitrary commands on user devices. This goes against the norm of mainstream browsers like Chrome, Firefox, and Edge that deliberately block these extensions.

“This specific attack requires clearing a significant bar—such as extension stomping—which means convincing a user to switch to developer mode and install a malicious extension,” commented Lionel Litty, the Chief Security Architect at Menlo Security. “While this is not cause for panic, it is a reminder that AI browsers are new, and their structural design is still evolving.”

In a response article posted by TechRadar Pro, the Perplexity Head of Communication, Jesse Dwyer, said that the SquareX report is entirely false. The article presents a statement from Perplexity that the vulnerability requires a human to do the work, not the Comet Assistant, and it requires the developer mode to be turned on. To replicate this, the comment continues, the human user must turn on developer mode and manually sideload malware into Comet.

Critical to Look at Browser Attributes

Given the potential consequences if the SquareX report is accurate, enterprises should at least take a good look at any browser powered by AI. In the case of Comet, it integrates with a personal assistant to streamline browsing tasks.

Built on the Chromium engine, the Comet API is compatible with Chrome extensions and allows users to import settings, bookmarks, and passwords. The assistant can answer questions about open tabs, summarize content, perform actions like shopping, manage email, and use browsing history to facilitate tasks.

“Implementing functionality in built-in extensions is a common practice for Chromium-based browsers and not inherently problematic,” said Litty. “However, replacing such trusted, core components of the Comet browser should not be possible from the extension management UI, even in developer mode.”

How Cybercriminals Exploit Local-Execution APIs

The Comet API, identified as chrome.perplexity.mcp.addStdioServer, uses the Model Context Protocol (MCP) to provide analytic and agentic extensions with persistent local access. This capability is ordinarily reserved for native applications.

According to the SquareX disclosure, cybercriminals can remotely trigger Comet extensions from perplexity.ai to open covert execution channels. This creates the possibility of multiple harmful activities, without needing to gain user approval:

  • Local data access
  • App launches
  • Arbitrary system-level command execution

Access to the Comet browser also opens potential pathways for exploitation through compromised extensions, cross-site scripting (XSS) attacks, and phishing pages that trigger the API.
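A defender's check for the precondition both Litty and Perplexity describe (developer mode on, an extension sideloaded), plus a search of sideloaded extension code for the API name cited above. This is an added example, not code from SquareX, Perplexity, or this article. It assumes Comet keeps Chromium's profile layout: Preferences and Secure Preferences JSON files, the extensions.ui.developer_mode flag, and extensions.settings entries where location 4 means "Load unpacked". The sample profile is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# API namespace named in the article; sideloaded code that mentions it deserves review.
API_PATTERN = re.compile(r"chrome\.perplexity\.mcp|addStdioServer")
UNPACKED = 4  # Chromium's manifest-location value for "Load unpacked" installs (assumed for Comet)

def audit_profile(profile_dir):
    """Return (finding, detail) tuples for one Chromium-style profile directory."""
    findings, settings = [], {}
    for name in ("Preferences", "Secure Preferences"):
        path = Path(profile_dir) / name
        if not path.is_file():
            continue
        ext = json.loads(path.read_text(encoding="utf-8")).get("extensions", {})
        if ext.get("ui", {}).get("developer_mode"):
            findings.append(("developer-mode-on", name))
        settings.update(ext.get("settings", {}))
    for ext_id, info in sorted(settings.items()):
        if info.get("location") != UNPACKED:
            continue  # store-installed and built-in extensions are out of scope here
        findings.append(("unpacked-extension", ext_id))
        root = Path(info.get("path") or "")
        scripts = sorted(root.rglob("*.js")) if info.get("path") and root.is_dir() else []
        for src in scripts:
            if API_PATTERN.search(src.read_text(encoding="utf-8", errors="replace")):
                findings.append(("references-mcp-api", f"{ext_id}/{src.name}"))
    return findings

def build_sample_profile():
    """Constructed test profile: developer mode on, one sideloaded extension."""
    base = Path(tempfile.mkdtemp())
    ext_dir = base / "sideloaded"
    ext_dir.mkdir()
    (ext_dir / "background.js").write_text("// constructed: chrome.perplexity.mcp.addStdioServer\n")
    prefs = {"extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "a" * 32: {"location": 1, "path": "a/1.0_0"},           # store install
            "b" * 32: {"location": UNPACKED, "path": str(ext_dir)},  # sideloaded
        }}}
    (base / "Preferences").write_text(json.dumps(prefs), encoding="utf-8")
    return base

if __name__ == "__main__":
    for finding in audit_profile(build_sample_profile()):
        print(*finding)
```

Point audit_profile at a real profile directory to use it; a hit is a prompt for review, not proof of compromise, since developers legitimately load unpacked extensions.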

Creating an Amplified Blast Radius

Furthermore, within agentic environments, the agent's ability to act on a user's behalf with a high degree of autonomy and system access amplifies the blast radius of attack vectors. Combined with AI-specific vulnerabilities, this can transform isolated compromises into potential systemic, high-impact security incidents.

Compounding the concern is the lack of transparent documentation. The protocol references the feature conceptually. However, it omits that embedded extensions maintain ongoing device-level privileges.

“This is a beneficial reminder that browsers were generally built as a consumer software package that has been applied to business use,” said Ronald Lewis, Senior Innovation Manager at Black Duck. “The Comet AI browser incorporates many of the risks associated with traditional browsers, but it also incorporates a significant number of AI-borne risks. OWASP lists the Top 10 Risks for LLM applications, and although these are aimed at LLM applications, these should be considered when implementing any AI-augmented capability.”

What Should Security Teams Allow AI Browsers to Do?

These findings will further heighten enterprise skepticism about AI browsers. Yes, the category promises productivity gains and agentic automation. However, organizations will need to remain wary of opaque APIs, elevated permissions, and non-traditional execution models that resemble unsanctioned applications—more so than they do with secure browsers.

The Comet disclosure also illustrates the emerging risks enterprises must evaluate before adopting AI-native browsing environments. The boundary between browsers and native apps plays a critical role in security because it separates controlled and permissioned native apps from the more open and vulnerable browsers. This can impact how apps handle sensitive data and interact with devices.

While native apps can leverage device-level security, browsers create a larger attack surface for threats like XSS and data theft. Given this situation, security teams will need to rethink permissions, transparency, and governance.

A Security Issue That Goes Beyond a Single Browser

The Comet case reveals much about the emerging security challenges of AI browsers. The issue goes beyond a single browser implementation.

“As organizations rapidly adopt agentic AI, MCP, and autonomous browsing capabilities, we’re starting to see a pattern,” said Randolph Barr, CISO at Cequence Security. “AI-native browsers are introducing system-level behaviors that traditional browsers have intentionally restricted for decades. That shift breaks long-standing assumptions about how secure a browser environment is supposed to be.”

This incident also underscores the broader need for standardized security models for AI-driven browsing environments. Enterprise adoption of AI browsers will likely slow until developers clearly define, mitigate, and disclose the risks. And that will hamper the productivity of end-users who are eager to leverage the power of AI.

Author
  • Contributing Writer, Security Buzz
    After majoring in journalism at Northeastern University and working for The Boston Globe, Jeff Pike has collaborated with technical experts in the IT industry for more than 30 years. His technology expertise ranges from cybersecurity to networking, the cloud, and user productivity. Major industry players Jeff has written for include Microsoft, Cisco, Dell, AWS, and Google.