Perplexity Responds to SquareX’s Vulnerability Claims in Comet Browser

editorial

URGENT UPDATE: Perplexity has just issued a strong rebuttal to claims made by cybersecurity firm SquareX regarding a potential vulnerability in its Comet browser. SquareX alleges that a hidden MCP API enables local command execution, potentially compromising user security. Perplexity categorically denies these allegations, labeling them as “entirely false” and part of what it describes as a growing issue of “fake security research.”

SquareX’s accusations suggest that the MCP API, which allows embedded extensions to execute local commands, poses a serious risk. The firm asserts that this API could be triggered by accessing perplexity.ai, enabling unauthorized access to users’ devices. This claim raises alarms about the safety of Comet, particularly as holiday shopping approaches.

In response, Perplexity spokesperson Jesse Dwyer emphasized that the alleged vulnerability requires user consent and activation of developer mode, making it far less concerning than SquareX suggests. “To replicate this, the human user must turn on developer mode and manually sideload malware into Comet,” Dwyer stated in a communication with TechRadar.

The allegations have immediate implications for users, especially as Black Friday approaches. As concerns mount about online security, users are advised to stay vigilant and informed about potential risks.

Furthermore, Dwyer refuted claims that Comet does not require user consent for local system access. “When installing local MCPs, we require user consent—users are the ones setting it up and calling the MCP API,” he added. Perplexity insists that the so-called “hidden API” is simply a necessary function for running MCPs locally with user permission.

SquareX, however, is not backing down. The firm claims that Perplexity made a “silent update” to Comet post-disclosure, which now reportedly states that “Local MCP is not enabled.” They assert that three external researchers replicated the attack, and that the issue was fixed within hours of their proof-of-concept presentation. SquareX interprets this as a victory for cybersecurity, stating, “This is excellent news from a security perspective and we are glad that our research could contribute to making the AI Browser safer.”

Despite the back-and-forth, the situation highlights a critical moment in browser security. Kabilan Sakthivel, a researcher at SquareX, expressed concerns that failing to adhere to strict security controls could reverse hard-won advancements in online safety established by major vendors like Chrome and Firefox.

As these developments unfold, users of the Comet browser are urged to stay alert. The ongoing discourse between Perplexity and SquareX emphasizes the importance of transparency and user awareness in cybersecurity.

For those concerned about their online safety this holiday season, it’s vital to keep abreast of updates from trusted sources. Follow TechRadar for the latest on this developing story and other crucial technology news.
