
SquareX and Perplexity Quarrel Over Alleged Comet Browser Vulnerability


Browser security firm SquareX claims to have found a potentially critical vulnerability in Perplexity’s Comet AI browser. Perplexity has taken steps to block the attack, but has strongly disputed the findings. 

SquareX’s controversial research centers on a sparsely documented Model Context Protocol (MCP) API and two hidden extensions, Analytics and Agentic, that are used by Comet and cannot be disabled.

MCP is typically used to connect AI applications to external data sources and tools. SquareX found that the Agentic extension is designed for executing all of Comet’s agentic automation capabilities, while the Analytics extension is designed for collecting and processing browser data and monitoring the actions of the Agentic extension.

SquareX discovered that both extensions can only communicate with ‘perplexity.ai’ subdomains, and that access to the API is limited to these subdomains.

However, according to SquareX, if an attacker can gain access to the ‘perplexity.ai ...


Copyright of this story belongs solely to SecurityWeek.