Perplexity Comet AI Browser Exposed to Severe Security Flaws and Hacking Risks

Perplexity's Comet AI browser faces scrutiny for severe security flaws, including a hidden MCP API that enables hackers to execute arbitrary code, steal data, or hijack devices. Researchers from SquareX, Brave, and others exposed prompt injections and phishing risks. Despite patches, experts urge caution, highlighting broader AI browser vulnerabilities.
Written by Eric Hastings

The Hidden Backdoor in AI’s Gateway to the Web: Perplexity’s Comet Under Fire

In the rapidly evolving landscape of artificial intelligence, Perplexity’s Comet browser promised a revolutionary way to navigate the internet, blending AI assistance with seamless browsing. Launched amid fanfare, Comet positions itself as an “agentic” browser, capable of performing tasks like summarizing web pages or executing commands based on user queries. However, recent revelations have cast a dark shadow over this innovation, exposing critical security flaws that could allow hackers to hijack entire devices.

Security researchers at SquareX, a cybersecurity firm, uncovered a hidden API within Comet known as the Multi-Command Processor (MCP). This undocumented interface, embedded in the browser’s extensions, grants unprecedented access to system-level commands. According to SquareX’s analysis, malicious actors could exploit this API to execute arbitrary code, potentially leading to data theft, ransomware deployment, or full device compromise. The vulnerability stems from Comet’s design, which integrates AI agents that interact directly with web content, blurring the lines between trusted and untrusted inputs.

The issue came to light when SquareX researchers dissected Comet’s architecture, discovering that the MCP API allows extensions to run commands without adequate user consent or oversight. For instance, a seemingly innocuous link could trigger the API to install unauthorized software or access sensitive files. This isn’t just theoretical; SquareX demonstrated proof-of-concept attacks where they manipulated the browser to perform actions like opening new tabs or altering system settings, all without alerting the user.

Unveiling the MCP API: A Gateway to Exploitation

Perplexity, the company behind Comet, has positioned the browser as a premium tool, charging up to $200 per month for full access. Yet, this premium price tag hasn’t shielded users from risks. Reports from Help Net Security detail how the MCP API could be leveraged for system-level attacks, exposing users to everything from phishing to complete device takeovers. The publication notes that the API’s obscurity—hidden within two browser extensions—makes it particularly insidious, as it bypasses standard security checks.

Adding to the concern, posts on X (formerly Twitter) from cybersecurity experts echo these findings, with users like those from Brave highlighting similar vulnerabilities in AI browsers. Brave’s own audits, published earlier in 2025, revealed prompt injection flaws in Comet, where malicious websites could inject hidden instructions into the AI’s processing, tricking it into harmful actions. For example, a rigged webpage could prompt Comet’s AI to close tabs, open phishing sites, or even siphon personal data.

The broader context reveals a pattern of issues. In August 2025, Tom’s Hardware reported on audits by Brave and Guardio, which found Comet susceptible to phishing scams and code injection. These flaws allowed attackers to guide users to fake sites or execute unauthorized purchases, exploiting the browser’s AI to mimic legitimate behavior.

From Prompt Injections to Systemic Risks: A Timeline of Discoveries

The timeline of Comet’s vulnerabilities traces back to July 2025, when independent researcher Aryaman Behera demonstrated an indirect prompt injection attack on X, showing how Comet could be manipulated to overwhelm users with random tabs. This early warning was amplified by Brave’s August disclosure, which detailed how invisible prompts on websites could hijack the AI assistant, leading to account compromises.

By October, TIME magazine reported on hijacking scenarios where malicious links siphoned personal information to attackers. LayerX’s report, as covered in Security Boulevard, further exposed how a single malicious URL could exploit prompt injections, underscoring the risks in AI’s boundary with untrusted web content.

Perplexity’s response has been mixed. Following Brave’s initial findings, the company patched some issues, but the MCP API vulnerability, revealed in November 2025, suggests deeper architectural problems. In statements to outlets like TechRadar, Perplexity acknowledged the concerns but emphasized ongoing security enhancements. Critics argue this reactive approach falls short for a tool handling sensitive tasks.

Industry Implications: Rethinking AI Browser Security

The Comet saga highlights a fundamental challenge in agentic AI: balancing innovation with security. As Brave’s blog explains, traditional web security models don’t apply to AI agents that act autonomously. This has sparked calls for new architectures, including better isolation of AI components from system resources.

Experts warn that Comet’s flaws could erode trust in AI browsers broadly. Windows Central noted the irony of a $200/month browser being tricked into fraudulent activities, while CyberPress stressed the risks of blending user commands with web content. On X, sentiment from users like Tuta Privacy and Moby Media reflects growing wariness, with warnings about “CometJacking” attacks that hijack sessions.

For industry insiders, this underscores the need for rigorous third-party audits. SquareX’s findings, detailed in their November 2025 report, reveal how hidden APIs like MCP enable extensions to execute commands akin to those in developer tools, but without safeguards. This could inspire regulatory scrutiny, especially as AI browsers expand to platforms like Android, as announced by The Verge.

Beyond Perplexity: The Future of Secure AI Navigation

The vulnerabilities in Comet aren’t isolated; they mirror issues in competitors like Microsoft’s Edge Copilot or Brave’s own AI features. Vertex Cyber Security warns of systemic risks like data leaks in the AI browser boom. Researchers advocate for “sandboxing” AI agents to prevent cross-boundary exploits.

Perplexity’s case serves as a cautionary tale. While the company has rolled out updates—patching prompt injections and restricting API access—the MCP flaw’s discovery by SquareX, as reported in Browser Native, questions the foundational security of agentic browsing.

Ultimately, as AI integrates deeper into daily tools, stakeholders must prioritize robust defenses. For now, users are advised to approach Comet with caution, opting for established browsers until these risks are fully mitigated. The episode not only challenges Perplexity but prompts the tech industry to redefine security in an AI-driven web.
