AppSOC is now PointGuard AI

Comet Browser MCP Flaw Enables Hijacking Full Control of User Devices

"CometJacking" threat enabled through prompt injection and XSS flaws

Early this week, security researchers disclosed a serious new risk. The Perplexity Comet browser, through its MCP (Model Context Protocol) API, was found vulnerable to a class of attacks that can hand an attacker full control of the user's device, shown not just in theory but in a working proof-of-concept exploit. The related prompt injection and data exfiltration techniques against Comet have been dubbed “CometJacking.”

Coming after the recently reported abuse of Anthropic’s Claude model, this is another example of advanced AI orchestration being turned into an AI risk in its own right. A single security gap in a browser-embedded API became a fast lane to ransomware, data exfiltration, and full system takeover.

The New Reality: When Agentic Browsers Become the Attack Surface

A report from SquareX described a scenario in which an attacker, starting from a browser-side prompt injection, an XSS flaw, or a malicious extension, escalates privileges through the MCP API. With carefully crafted payloads the attacker did not merely trick the browser: they turned its embedded AI-driven agents into an autonomous tool that could:

  • Launch arbitrary system commands
  • Install malware or ransomware
  • Manipulate device resources
  • Evade traditional endpoint protections completely

This shows us the paradigm shift: the browser is no longer a passive window. It is now an active, agentic actor on your device, empowered by AI at machine speed.

Why Existing Defenses Failed

Traditional browser security models were designed to contain threats within page sandboxes, monitor user behavior, and filter extensions. However, AI-enabled, agentic browsers invalidate these assumptions:

  • Autonomous orchestration: Agentic workflows powered by APIs like MCP chain together micro-tasks at superhuman speed, hiding true intent behind innocuous-looking calls.
  • Tool-calling gone rogue: Extension APIs expose vast new surfaces for exploitation. Once trusted agentic APIs are coerced, legacy security tools have no visibility or control.
  • Multi-modal injection: Prompt injection, XSS, and API abuse blend social engineering and technical exploitation, operating at a scale and pace humans cannot match.

The result is clear: attackers leverage the browser as an “inside man” with keys to the kingdom, no longer limited by old-school sandboxing or human click speed.

The Critical Gap: From API Safety to Complete Environment Defense

Just as Anthropic’s incident showed that model-level guardrails are not enough, the Comet Browser event proves that:

  • Agentic browser APIs need deeper, runtime defenses beyond code reviews and static checks.
  • Browser extensions, MCP endpoints, and tool integrations must be treated as critical enterprise assets, not afterthoughts.
  • Once an agentic workflow is breached, attackers can operate autonomously inside the enterprise perimeter.

How the Exploit Worked

Leveraging weaknesses in the MCP API, researchers simulated:

  1. Injection: Using XSS or extension stomping (a malicious extension impersonating a trusted one), a script gains execution in the context of a trusted Comet extension or page.
  2. MCP Abuse: From that position, the script makes orchestrated calls through the Agentic Extension or MCP API, chaining individually innocuous-looking commands to evade detection.
  3. Autonomous Execution: The workflow chains together rapid system-level actions such as exfiltrating data, encrypting files, and lateral movement at machine speed.
  4. Outcome: Ransomware, data theft, and persistent backdoors are in place before traditional EDR raises an alert.

Solutions: What Enterprises Must Do Next

As with any paradigm shift in risk, defense in depth is essential. Here is what you must implement now:

MCP and Agentic API Hardening

  • Restrict API access to authorized, context-aware components.
  • Enforce strong API authentication and endpoint whitelisting.
  • Eliminate or strictly lock down any non-essential API methods.

Runtime Guardrails and Behavioral Controls

  • Deploy runtime behavioral analytics for all agentic browser actions.
  • Audit every tool call and workflow and flag anomalous sequences.
  • Trigger real-time alerts or kill-switches on suspicious MCP traffic.

Extension and Integration Security

  • Conduct regular code reviews and red team tests for all extensions.
  • Mandate least-privilege policies for tool integrations and agentic APIs.
  • Isolate browser agentic functions in secure containers or sandboxes.

Continuous Red Teaming and Orchestration Simulation

  • Run frequent simulations of cross-API, cross-extension agentic attacks.
  • Adopt the attacker mindset. Probe for multi-step, chained exploit paths.
  • Document, patch, and block any discovered workflow escape routes.

Holistic Zero Trust for Agentic Browsers

  • Treat every agentic component including the browser, extensions, and APIs as untrusted by default.
  • Implement cross-layer, policy-driven controls to block privilege escalation at every step.
  • Update incident response plans for LLM or agentic browser-specific attack patterns.

The Road Ahead: AI Security is Browser Security

The Comet Browser MCP vulnerability sends a clear warning. As agentic AI becomes the engine of user productivity, it also becomes the perfect infiltration vector. Defenses must evolve to monitor, control, and harden not just the AI model, but the entire orchestration layer inside browsers and endpoint environments.

AI-powered threat actors are moving at machine speed. Our security strategies must match them.