Perplexity Refutes SquareX’s Claims of Comet Browser Vulnerability

editorial


URGENT UPDATE: Perplexity has swiftly denied allegations from cybersecurity firm SquareX regarding a critical vulnerability in its Comet browser. SquareX claims that a hidden MCP API could allow local command execution on users’ devices, raising serious security concerns.

SquareX’s accusations suggest that the Comet browser can execute arbitrary local commands via its Agentic extension, potentially exposing users’ devices to attacks if the Perplexity site is compromised. In a statement, SquareX highlighted that this hidden API could endanger user security and privacy.

However, Perplexity responded emphatically, labeling the claims as “entirely false” and describing them as part of a troubling trend of “fake security research.” The company asserted that the alleged API requires both user consent and developer mode activation, meaning that any exploitation would demand significant user involvement.

Key Details: In a written statement provided to TechRadar, spokesperson Jesse Dwyer emphasized that the vulnerability claims are misleading. “To replicate this, the human user must turn on developer mode and manually sideload malware into Comet,” Dwyer stated. He further clarified that user consent is required for any local system access, contradicting SquareX’s assertions.

In defense of the findings, SquareX researcher Kabilan Sakthivel criticized Perplexity, stating that the company’s practices threaten decades of established browser security principles. Sakthivel raised alarms about the implications of such vulnerabilities and urged adherence to strict security controls.

Despite the pushback, SquareX maintains that its research is valid. They claim to have replicated the alleged attack with the help of three external researchers, and noted that Perplexity implemented a “silent update” to Comet, which now indicates that “Local MCP is not enabled.” SquareX expressed satisfaction that their findings contributed to making the Comet browser safer.

Perplexity, however, disputes this narrative, stating in their response that SquareX did not submit a legitimate report but merely sent a link to a Google Doc without access or context. Dwyer criticized SquareX for not engaging properly in the vulnerability disclosure process and claimed that the security research firm has previously presented flawed research.

This developing story highlights a crucial moment in the tech industry, as cybersecurity remains a pressing concern for users worldwide. As both companies stand firm in their positions, the implications of this conflict resonate with users who rely on browser security for their personal data protection.

What’s Next: Industry experts and users will be closely monitoring further communications from both Perplexity and SquareX. Observers anticipate additional details on the security of the Comet browser and any future updates that may arise as this story develops.

For users concerned about online security, this situation serves as a reminder of the importance of vigilance and awareness in digital safety practices. Stay tuned for more updates as we follow this unfolding story.
