Comet Browser MCP API Enables Full Device Control Risk

The hidden MCP API discovered in the Comet AI Browser exposes a critical pathway for full device takeover through arbitrary local command execution, posing a severe third-party risk to enterprises and individual users alike. The issue centers on the undocumented chrome.perplexity.mcp.addStdioServer API, which enables extensions to launch local applications without user consent—directly conflicting with long-standing browser security controls. This capability creates an exploitable attack surface that aligns with MITRE ATT&CK techniques T1203 (Exploitation for Client Execution) and T1059 (Command and Scripting Interpreter), allowing threat actors to weaponize browser-based vectors for authenticated or unauthenticated device compromise. SEO-aligned keywords such as "browser security vulnerability", "remote command execution", and "AI browser threat" are highly relevant here. According to the research :contentReference[oaicite:0]{index=0}, Comet's embedded Agentic extension retains persistent access to this local-execution API, enabling any compromised or spoofed extension to gain elevated privileges. Researchers demonstrated how extension stomping allowed a malicious extension to masquerade as Comet’s internal analytics module and execute a payload via the MCP pipeline. Because the embedded extensions are hidden from the user interface, they cannot be disabled, monitored, or sandboxed through standard browser controls. This risk expands beyond Comet itself: any XSS, supply-chain compromise, or man-in-the-middle attack affecting perplexity.ai could trigger the MCP commands. The business impact of this flaw is significant. Organizations relying on AI browsers for research, automation, or productivity inadvertently expose endpoints to full local compromise—bypassing native OS controls, EDR monitoring, and enterprise browser hardening policies. This raises compliance concerns under GDPR, HIPAA, and PCI-DSS, especially when sensitive workloads or regulated data are processed through browser-based AI platforms. No public evidence suggests this flaw is actively exploited, but the mechanism is trivial to weaponize. Security teams should immediately evaluate Comet usage within corporate environments, restrict browser-native automation features, and block undocumented APIs at the endpoint level when possible. Until vendors provide clearer documentation and user-controlled extension permissions, organizations should segment AI browser usage from sensitive workflows and enforce strict browser isolation policies. SquareX recommends mandatory third-party audits for all AI browsers and full disclosure of embedded extension capabilities.