Comet Browser MCP Flaw: Device Takeover via AI-Browser API (“CometJacking”)
Key Takeaways
- The issue stemmed from a hidden MCP API (chrome.perplexity.mcp.addStdioServer) embedded in Comet Browser extensions — letting them execute arbitrary local commands. (The Security Ledger with Paul F. Roberts)
- Comet shipped with non-removable, hidden Agentic and Analytics extensions — users had no way to disable or audit them. (Help Net Security)
- Researchers demonstrated how attackers could exploit this flaw via extension-stomping, XSS, or supply-chain compromise, even launching ransomware (e.g. WannaCry) in a proof-of-concept. (eSecurity Planet)
- The flaw underlines a dangerous shift: AI-enabled browsers blur the line between web and OS, undermining decades-old browser sandboxing assumptions.
- This incident marks a new class of threat: agentic browser takeovers, where AI and browser orchestration layers grant system-level control if misconfigured or compromised.
Summary
Comet Browser’s MCP-based flaw shows how AI-enabled browsers can transform into full-blown attack vectors. By embedding a privileged API that bypassed traditional browser sandbox protections, and by granting that API to hidden extensions with local command privileges, Comet opened the door for attackers to hijack entire devices, all through what appears to be normal browser activity. This breach demonstrates the urgent need to rethink browser security in the age of agentic AI, and to extend security controls beyond models to orchestration layers, extensions, and endpoints.
What Happened
Security researchers from SquareX disclosed the flaw on Nov 19, 2025: Comet’s hidden MCP API allowed its built-in Agentic extension to run arbitrary OS commands via chrome.perplexity.mcp.addStdioServer. (Hackread)
Because these extensions weren’t visible in the browser’s UI and came pre-installed, many users had no awareness or control. In a proof-of-concept exploit, attackers used extension-stomping to sideload a malicious extension, then triggered the API via a normal-looking webpage, gaining full device control — including launching ransomware. (eSecurity Planet)
While the vendor released a patch purportedly disabling the API, the incident remains a warning: AI-powered browser features — especially hidden, high-privilege extensions — introduce new, critical attack surfaces.
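A defender-side check for the sideloading path described above, as an added example that is not code from SquareX, Perplexity, or PointGuard AI: it walks a directory of unpacked extensions and reports any whose scripts reference the chrome.perplexity.mcp namespace. The directory to scan is supplied by the caller, and the function names and the two sample extensions are constructed for illustration.

```python
import json, re, sys, tempfile
from pathlib import Path

# Matches chrome.perplexity.mcp.* and bracket forms such as chrome["perplexity"]["mcp"].
# A pattern match misses obfuscated or dynamically built references.
MCP_REF = re.compile(r"perplexity\W{1,4}mcp")

def find_mcp_callers(root):
    """One finding per extension directory under root whose scripts reference the MCP API."""
    findings = []
    for manifest_path in sorted(Path(root).rglob("manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {}                      # unreadable manifest: still scan scripts
        if not isinstance(manifest, dict):
            manifest = {}
        hits = []
        for script in sorted(ext_dir.rglob("*.js")):
            try:
                lines = script.read_text(encoding="utf-8", errors="replace").splitlines()
            except OSError:
                continue
            hits += [(script.relative_to(ext_dir).as_posix(), n)
                     for n, line in enumerate(lines, 1) if MCP_REF.search(line)]
        if hits:
            findings.append({"dir": str(ext_dir), "name": manifest.get("name", "<unknown>"),
                             "permissions": manifest.get("permissions", []), "hits": hits})
    return findings

def build_sample(root):
    """Constructed sample tree: one extension that references the API, one that does not."""
    for ext, name, js in (("aaaa/1.0", "Constructed Helper",
                           "// constructed sample\nconst f = chrome.perplexity.mcp.addStdioServer;\n"),
                          ("bbbb/2.1", "Constructed Notes", "console.log('notes');\n")):
        d = Path(root, ext)
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "manifest_version": 3}))
        (d / "background.js").write_text(js)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else tmp
        if root == tmp:
            build_sample(tmp)                  # no path given: scan the constructed sample
        for f in find_mcp_callers(root):
            print(f["name"], f["dir"], f["permissions"], f["hits"])
```

A hit is a lead for review rather than proof of abuse, and an empty result does not clear an extension that builds the API name at runtime.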
Why It Matters
- Device-Level Risk: What starts as a browser vulnerability becomes a full system compromise.
- Bypassed Isolation: The MCP API defeats long-standing browser sandboxing and permission models.
- Supply-Chain Exposure: Organizations may deploy AI browsers unaware of these hidden attack surfaces.
- User Blind-Spot: Hidden, non-removable extensions evade traditional security audits, leaving users defenseless.
- AI-Orchestration Hazards: The incident shows AI orchestration layers (agents, MCP, extensions) must be treated like any critical infrastructure component.
The PointGuard AI Perspective
This incident reinforces what we’ve long argued: AI deployments must be governed end-to-end — from models to orchestration layers, browsers, agents, and endpoints. Comet’s MCP flaw reveals that modern security cannot ignore the “agentic browser” layer.
PointGuard AI helps organizations defend against these threats with:
- Comprehensive asset discovery — surfacing AI browsers, hidden extensions, and agentic components across environments.
- Configuration assessment & hardening — identifying unsafe browser defaults, hidden privilege escalation channels, and unsafe extension behaviors.
- Runtime monitoring & behavioral detection — spotting unexpected system-level API calls or extension behavior before damage spreads.
- Governance & control frameworks — enforcing least privilege, documenting browser-agent dependencies, and applying zero-trust controls to AI browser workloads.
In short: AI tools + browsers + flexibility = new attack surfaces. Without rigorous governance and visibility, organizations risk exposure to high-impact, low-visibility compromises.
Incident Scorecard Details
Total AISSI Score: 7.8 / 10
Criticality = 8: The hidden MCP API allowed extensions to execute arbitrary system commands, enabling full device takeover from within the browser.
Propagation = 7: The flaw affected all Comet Browser users and leveraged preinstalled, non-removable extensions that were widely distributed.
Exploitability = 8: Researchers demonstrated that attackers could trigger the API via malicious extensions or web content with minimal technical barriers.
Supply Chain = 7: The vulnerability originated inside a browser-integrated AI toolchain outside enterprise control, exposing users through embedded vendor code.
Business Impact = 9: Attackers could deploy ransomware, exfiltrate data, or gain persistent access to user devices, severely compromising enterprise endpoints.
Sources
- PointGuard AI — Comet Browser MCP Flaw Enables Hijacking: Full Control of User Devices (PointGuard AI)
- Security Boulevard — Comet Browser MCP Flaw Enables Hijacking Full Control of User Devices (Security Boulevard)
- Hackread / CyberNewswire — Obscure MCP API in Comet Browser Breaches User Trust, Enabling Full Device Control via AI Browsers (Hackread)
- HelpNetSecurity — Security gap in Perplexity’s Comet browser exposed users to system-level attacks (Help Net Security)
- eSecurityPlanet — Hidden Comet Browser API Allowed Dangerous Local Command Execution (eSecurity Planet)
