Perplexity responds to Comet browser vulnerability claims, calling them “fake news” and stressing that no users are at risk. Concerns arose after cybersecurity firm SquareX suggested Comet’s MCP API could allow local command execution. Perplexity counters that the API requires developer mode, explicit consent, and manual sideloading, making the alleged threat highly unlikely.
What Did SquareX Claim About Comet Browser?
SquareX reported that Comet’s MCP API could enable attackers to run local commands via the Agentic extension. They warned that a compromise of Perplexity’s website might allow access to users’ devices. These claims sparked widespread attention among cybersecurity enthusiasts and AI browser users.
How Perplexity Refutes the Vulnerability Claims
Perplexity responded firmly, labeling the report “entirely false.” The company clarified that the MCP API is intentionally restricted: it only works with developer mode enabled, requires explicit user permission, and must be manually sideloaded. No automatic or hidden exploits are possible under normal use.
Is the Comet Browser Safe to Use?
According to Perplexity, Comet remains secure for all standard users. The browser’s design ensures that sensitive APIs cannot be triggered without user interaction. Experts note that while vigilance is always recommended, these claims do not indicate an inherent security flaw in Comet.
Why Some Security Reports May Be Misleading
Perplexity also highlighted a broader issue: “fake security research.” Misinterpretations, incomplete testing, or rushed proof-of-concept (PoC) demonstrations can exaggerate perceived risks. Users are encouraged to follow official updates and to check reports against trusted sources.