The debate over the alleged Comet browser vulnerability has escalated quickly, turning a routine security disclosure into a public quarrel between SquareX and Perplexity. What began as a technical warning has now morphed into a sharp disagreement about how real, urgent, or even valid the threat actually is.
SquareX claims it found a flaw in Perplexity’s Comet AI browser that could let attackers take control of a user’s device. The company calls it a serious gap, one that sits inside a little-understood piece of Comet’s architecture known as the Model Context Protocol, or MCP. Perplexity responded by downplaying the findings, blocking the attack method, and then calling the entire research effort “fake security research.”
The tension started with SquareX’s analysis of Comet’s hidden extensions. The researchers highlighted two components that users cannot turn off: one called Analytics and another called Agentic. Both extensions rely on MCP, which sits inside Comet as the mechanism that connects the browser’s AI capabilities to outside data sources, tools, and automation features.
SquareX said it noticed that both extensions can only talk to Perplexity’s own subdomains and that the MCP API restricts access to those same areas. Under normal conditions, this setup seems safe enough. But the company argued that if an attacker were to compromise the Agentic extension or gain unexpected access to the perplexity.ai domain, things could change fast.
SquareX believes that with the right access point, an attacker can abuse the MCP API to run commands directly on the host device. They warned that, once inside, the threat actor could push ransomware, monitor activity, or simply siphon off data without any consent from the user. They described it as a clear example of how a useful automation feature can turn dangerous if someone breaks the chain of trust.
To be fair, SquareX did acknowledge that this kind of attack does not happen casually. An attacker would need to hijack an extension through a network attack like XSS or MitM, or breach Perplexity’s own systems. In other words, it requires skill, opportunity, and access. But SquareX still argued the design of the MCP API makes the Comet browser vulnerability worth taking seriously.
The demonstration that SquareX posted used a method called “extension stomping.” This technique involves creating a fake extension that looks like a real one and sideloading it into the browser. In their test, the fake extension impersonated Comet’s Analytics extension and then deployed ransomware immediately after the browser reopened.
SquareX said it shared all of this with Perplexity on November 4. When the disclosure deadline arrived, they had not received a direct response, so they published their research.
Perplexity pushed back hard. Speaking to SecurityWeek, the company confirmed it rolled out some protections after reading the report, but insisted the entire scenario was unrealistic. A spokesperson said SquareX’s demonstration only works if someone manually loads malware and impersonates a legitimate extension.
Perplexity said the only person who could realistically load such a malicious extension is a Perplexity employee with production-level access, which they consider “essentially impossible.”
Perplexity stressed that SquareX’s video proves how much human involvement is needed to make the attack work. From their point of view, the demonstration isn’t evidence of a weakness in Comet. Instead, it’s a reminder that any technology can break if someone convinces a user, or an employee, to install malware by hand.
The company also rejected the claim that Comet executes local actions without permission. Perplexity said every user must explicitly approve local MCP installations. They added that once installed, any action triggered through the MCP still requires confirmation. They described SquareX’s interpretation as a misunderstanding of how the system works.
Perplexity added that it had not seen any real-world attacks using this method. The company said it actively collaborates with security researchers and fixes potential issues when they arise. However, in this case, Perplexity said it could not access SquareX’s bug report and SquareX did not respond to follow-up emails requesting the information.
SquareX pushed back again, insisting that the core issue is not the extension-stomping demo itself. They said the point of their research is the impact of the MCP API’s design and the level of trust it carries. From their viewpoint, the permissions built into the system give attackers too much room to maneuver if anything in the chain is compromised.
They argued that a supply chain attack, an XSS breach, or a MitM interception would require less user interaction than the video demonstration. Their researchers also said they were not asked for permission at any point in their tests. The moment they reopened the browser, the ransomware executed.
Even with the disagreement, SquareX acknowledged that Perplexity’s follow-up patch is a good step. They said they were happy their findings contributed to strengthening the AI browser’s security, even though the two companies clearly do not agree on the severity of the Comet browser vulnerability.
The broader tension here reflects something deeper. AI-powered browsers like Comet introduce new automation layers that sit between the user and the system. These layers make browsing faster and smarter, but they also expand the attack surface. SquareX’s research highlights how even early-stage frameworks like MCP can create new risks if attackers exploit the wrong extension or the wrong access point.
Perplexity’s response highlights the other side of the equation. Not every attack chain is realistic. Not every hypothetical scenario becomes a real-world threat. And not every tool should be judged by its worst theoretical outcome.
For users, the quarrel may feel technical, but the stakes are clear. AI browsers now operate closer to the system than many people realize. The balance between innovation and safety depends heavily on how carefully these tools are built, tested, and challenged.
Even if this dispute fades, the conversation it sparked will continue. As more browsers integrate agentic features and system-level automation, researchers and vendors will keep debating what “secure” truly means. And somewhere between those arguments, users will hope the next layer of AI-driven convenience does not become the next unexpected entry point for attackers.
For now, both sides walk away with their own version of the story. SquareX stands by its discovery. Perplexity stands by its defense. And the rest of the industry is reminded that any technology touching the system layer, even one as new as Comet, must be examined with extra care, especially when a potential Comet browser vulnerability is involved.
