SquareX has identified a critical vulnerability in Perplexity’s Comet AI browser related to its Model Context Protocol (MCP) API and hidden extensions. The company warns that, if exploited, attackers could gain control of devices and carry out malicious actions such as deploying ransomware or exfiltrating data, although Perplexity disputes these claims. #Perplexity #CometBrowser #MCPAPI #ExtensionStomping
Key points
- SquareX discovered a serious vulnerability involving Perplexity’s Comet AI browser extensions.
- The MCP API and hidden extensions can potentially be exploited to execute malicious commands without user approval.
- Attack vectors such as extension hijacking, XSS, or MitM may enable attackers to control devices or deploy ransomware.
- Perplexity claims its security measures and user consent protocols mitigate the reported risks.
- SquareX demonstrated the attack using extension stomping, highlighting the security concerns around permissions.