Comet’s Hidden API: A Browser Backdoor Waiting to Happen?
SquareX’s critical research on Comet’s hidden API reveals a security nightmare lurking in the AI Browser. This secret API lets extensions execute local commands, giving them full control over users’ devices—without consent! It’s a breach of trust that reverses decades of browser security principles. The race for AI browser dominance just got riskier.

Hot Take:
Comet’s hidden API: It’s like finding a secret passage in your browser, except it leads to a dungeon full of potential security nightmares. Imagine your browser as a superhero, and then imagine it deciding one day to team up with the villains. That’s Comet with the MCP API—holy security breach, Batman! Someone better call the Justice League of cybersecurity before Comet turns into a full-blown supervillain.
Key Points:
- SquareX discovered a hidden API in Comet that can execute local commands on users’ devices.
- The MCP API allows Comet’s extensions to bypass traditional browser security measures.
- Perplexity’s embedded extensions have persistent access to this API without user consent.
- This vulnerability could lead to massive third-party risks if the API is exploited.
- SquareX is calling for transparency and third-party audits to prevent similar threats.
