Particle.news
Perplexity Quietly Disables Hidden Comet API After Researchers Show It Enables Local Command Execution

SquareX says a concealed device-control interface let Comet’s built-in extensions bypass sandboxing until a silent post-report update disabled it.

Overview

  • SquareX’s November 19 research identified a hidden MCP API in Comet (chrome.perplexity.mcp.addStdioServer) that allowed embedded extensions to run arbitrary commands on a user’s device.
  • The capability resided in the Agentic embedded extension and could be triggered from perplexity.ai, with both Agentic and Analytics extensions hidden from the extensions panel and not user‑controllable.
  • Researchers demonstrated an attack using extension stomping to spoof the Analytics extension and then execute WannaCry via the Agentic extension’s MCP access, warning that XSS or MitM could yield similar results.
  • SquareX reported that it disclosed the issue to Perplexity on November 4 and received no public response; Help Net Security reports that the company silently disabled the MCP API after the research was published.
  • There is no evidence the feature was abused in the wild. Citing the expanded enterprise risk, security experts are urging full API disclosure, third‑party audits, and user options to disable embedded extensions.