Critical Vulnerability in Perplexity's AI Browser Comet Allows Unauthorized Command Execution

Researchers from SquareX, a firm specializing in browser security, have uncovered a critical vulnerability in Perplexity's AI browser, Comet. The vulnerability stems from a hidden MCP API that enables the execution of commands on a user's device without their consent. This flaw could potentially allow attackers to perform unauthorized actions, including remote code execution and data exfiltration. Perplexity's developers have released a patch to address the issue but have dismissed the study as "false," raising questions about the nature of the vulnerability and the effectiveness of the fix. This incident highlights the importance of thorough security assessments and responsible disclosure practices in the development of AI-driven applications. The presence of hidden APIs poses significant risks, as they can be exploited to bypass user permissions and execute malicious commands. Cybersecurity professionals should be vigilant about such vulnerabilities, especially in AI-powered tools that often have extensive system access. Regular security audits and transparent communication about vulnerabilities are crucial to maintaining user trust and system integrity.