
    Perplexity Comet’s Security Architecture: What’s Built In, What Was Broken, and What You Must Know


    Essential Points

    • Comet stores all browsing data, passwords, and permissions locally by default; cloud sync is a future opt-in feature, not yet active
    • Brave Security’s Artem Chaikin demonstrated in August 2025 that a hidden Reddit comment could trigger a full Perplexity account takeover via indirect prompt injection
    • SquareX disclosed in November 2025 that Comet’s hidden MCP API allowed browser extensions to execute arbitrary local system commands, a capability banned in standard browsers
    • Perplexity silently disabled the MCP API after SquareX published, but disputed the characterization of the attack; Brave also noted the prompt injection fix may be incomplete

    Perplexity built Comet the way no browser company has before: with an agentic AI capable of acting on your behalf across the open web. That capability creates an attack surface traditional browsers never had to defend. Within months of launch, two independent security firms exposed critical flaws: one allowing full account takeover via a Reddit comment, another enabling local system command execution through a hidden API. This analysis examines what’s protected by design, what broke in practice, and what experts still dispute.

    What Comet Actually Builds Into the Browser by Default

    Comet’s privacy protections are not a settings layer; they activate from the first install. The browser automatically blocks advertising scripts, cross-site trackers, fingerprinting attempts, and unwanted third-party scripts, with a live monthly counter accessible directly from the New Tab page. Incognito mode stores no browsing history, cookies, or cache, and extensions are disabled unless manually re-enabled by the user.

    The password manager enforces a strict domain-verification model: autofill does not activate on suspicious or domain-mismatched sites. Passwords are decrypted locally only after OS-level biometric verification (Touch ID, Face ID, or Windows Hello) and are never exported to Perplexity’s servers. Safe Browsing cross-references malicious site databases without sending personal browsing content to external services.

    What privacy features does Perplexity Comet include by default?

    Comet automatically blocks advertising scripts, cross-site trackers, and fingerprinting attempts. Passwords are stored locally and decrypted only with OS biometrics. Browsing data remains on-device unless you request an AI action requiring personal context. Cloud sync is a future opt-in feature, not yet active.

    How Comet Handles Your Data: What the Official FAQ Confirms

    All browsing data (URLs, search queries, cookies, open tabs, and site permissions) is stored locally on your device. Perplexity’s servers only receive data when you explicitly ask the AI assistant a question that requires personal context, such as “book a restaurant” or “organize my emails”. Even then, only the currently open tab and relevant browsing history are transmitted to complete the specific task.

    Account credentials, including passwords and payment methods, are stored in your device’s OS-level secure vault and never on Perplexity’s servers. Integrations with third-party services like Gmail or calendar apps require explicit opt-in permission, which users can revoke at any time from Perplexity settings. Perplexity states it does not and will not sell user data.

    Does Perplexity Comet send your browsing data to its servers?

    Comet keeps all browsing data on-device by default. Data reaches Perplexity’s servers only when you request an AI action that requires personal context, such as booking or email tasks. Only the relevant tab and browsing history for that specific task are transmitted. No data is sold.

    The Prompt Injection Attack That Demonstrated Account Takeover

    In August 2025, Brave Security Engineer Artem Chaikin demonstrated a concrete, working attack against Comet using indirect prompt injection. The attack required no malware, no user error, and no special access, only a hidden instruction embedded in a Reddit comment behind a spoiler tag. When the user clicked “Summarize” on that Reddit page, Comet’s AI followed the hidden instruction automatically.

    The attack chain executed in sequence without any further user interaction: Comet navigated to perplexity.ai/account/details and extracted the user’s Perplexity account email address, then navigated to a lookalike Perplexity domain to trigger a one-time password, then opened Gmail solely to read that incoming OTP, and finally exfiltrated both the email address and the OTP by posting them as a reply to the original Reddit comment. The result was a complete Perplexity account takeover, not a Gmail compromise.

    Brave recommended four structural fixes: treat all page content as untrusted input, verify every agentic action against the user’s original stated intent, require confirmation before taking sensitive actions, and default agentic mode to off.
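
    Brave’s four recommendations can be expressed as a gate that every agent-proposed action must pass before it runs. The following JavaScript is an added example, not code from Brave or Perplexity; the intent table, the action names and the lookalike.example host are hypothetical.

```javascript
// Added example: a hypothetical policy gate, not Perplexity's or Brave's code.
// Fix 1: page content is untrusted, so scope comes only from the user's request.
const INTENTS = {
  summarize: { actions: ["read_page"], crossSite: false },
  book:      { actions: ["read_page", "navigate", "submit_form"], crossSite: true },
};
const SENSITIVE = new Set(["submit_form", "post_comment", "read_email"]);

// Crude site key (last two host labels). Assumption: good enough for the sample
// hosts below; production code should use the Public Suffix List.
const site = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

function evaluate(task, action, agenticEnabled = false) {
  const scope = INTENTS[task.intent];
  if (!scope) return { decision: "deny", reason: "unknown intent" };
  const sameSite = site(action.url) === site(task.startUrl);
  // Fix 4: agentic mode is off by default; only reading the current site is possible.
  if (!agenticEnabled && (action.type !== "read_page" || !sameSite))
    return { decision: "deny", reason: "agentic mode is off" };
  // Fix 2: the action must match what the user originally asked for.
  if (!scope.actions.includes(action.type))
    return { decision: "deny", reason: `${action.type} not part of "${task.intent}"` };
  if (!sameSite && !scope.crossSite)
    return { decision: "deny", reason: "cross-site step outside user intent" };
  // Fix 3: sensitive actions always require explicit user confirmation.
  if (SENSITIVE.has(action.type))
    return { decision: "confirm", reason: "sensitive action" };
  return { decision: "allow", reason: "within user intent" };
}

// Constructed sample: the action sequence the article describes, as a model might
// propose it after reading the hidden comment. lookalike.example is a placeholder.
const task = { intent: "summarize", startUrl: "https://www.reddit.com/r/example/comments/1" };
const proposed = [
  { type: "read_page",    url: "https://www.reddit.com/r/example/comments/1" },
  { type: "navigate",     url: "https://www.perplexity.ai/account/details" },
  { type: "navigate",     url: "https://lookalike.example/login" },
  { type: "read_email",   url: "https://mail.google.com/" },
  { type: "post_comment", url: "https://www.reddit.com/r/example/comments/1" },
];

function review(task, actions, agenticEnabled) {
  return actions.map((a) => evaluate(task, a, agenticEnabled).decision);
}

console.log(review(task, proposed, true));
```

    Because the scope is fixed when the user clicks “Summarize”, every step after reading the page is denied no matter what the page text tells the model to do.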

    How did the Comet prompt injection attack work in August 2025?

    A hidden instruction in a Reddit comment triggered Comet’s AI via the Summarize function. Without further user action, Comet extracted the user’s Perplexity email, triggered an OTP to their Gmail, read it, and posted both to Reddit, completing a full Perplexity account takeover.

    Patch Status: Contested, Not Confirmed

    Perplexity acknowledged the Brave disclosure and made changes to Comet. However, following the initial patch, Brave conducted further testing and reported to Perplexity that the vulnerability had not been fully mitigated. As of Brave’s published update, the re-report was submitted to Perplexity for further remediation. Users and enterprises should not assume complete resolution based on Perplexity’s initial response alone.

    Perplexity subsequently published a dedicated technical blog post on October 22, 2025, detailing its mitigation architecture for prompt injection in Comet. Perplexity also published its broader “security from day one” engineering philosophy document, covering the architectural decisions embedded before Comet’s first public release.

    The MCP API Vulnerability: When the Hidden Extensions Created Full Device Risk

    Comet ships with two browser extensions that do not appear in the standard extensions panel and cannot be disabled by users: the Comet Analytics Extension and the Comet Agentic Extension. SquareX researchers discovered in November 2025 that the Comet Agentic Extension exposed an API endpoint, chrome.perplexity.mcp.addStdioServer, that allowed any browser extension to register local system commands for execution.

    Standard browsers explicitly prohibit extensions from executing arbitrary local commands. This capability, part of the Model Context Protocol (MCP) integration, created an attack path SquareX named “CometJacking”: a malicious extension could use extension stomping to impersonate the trusted Comet Analytics Extension ID, gain the Comet Agentic Extension’s trust, and invoke the MCP API to execute arbitrary commands on the user’s local machine, including deploying a ransomware payload in SquareX’s proof-of-concept demonstration.

    SquareX notified Perplexity on November 4, 2025. Perplexity pushed a silent update disabling the MCP API and stated the action was taken “out of an abundance of caution.” Perplexity’s spokesperson also disputed SquareX’s characterization of the attack, stating the demonstration showed a human performing the actions attributed to the AI agent, and that user consent is obtained for local MCP configurations.

    What is the Comet browser MCP API vulnerability disclosed in 2025?

    SquareX found that Comet’s hidden chrome.perplexity.mcp.addStdioServer API allowed browser extensions to execute local system commands, a capability banned in standard browsers. Using extension stomping, an attacker could achieve full device control. Perplexity disabled the API after disclosure but disputed SquareX’s attack characterization.

    How Comet Compares to Chrome, Firefox, and Brave on Security

    Comet’s built-in protections surpass Chrome’s defaults in several areas, but its agentic AI architecture introduces attack surfaces that do not exist in any traditional browser. The table below maps verified, sourced differences. The 85% phishing susceptibility figure cited in earlier drafts of this analysis was unverified and has been removed.

    | Security Dimension | Comet | Chrome | Firefox | Brave |
    |---|---|---|---|---|
    | Default tracker blocking | Built-in, automatic | Requires extension | Enhanced Tracking Protection | Built-in shields |
    | Default fingerprint blocking | Built-in | Limited | Partial | Built-in |
    | Local-first data storage | Default | Cloud-synced by default | Local by default | Local by default |
    | Prompt injection attack surface | High (agentic AI) | N/A | N/A | Researched by own team |
    | Extension API system command access | MCP API (patched) | Not permitted | Not permitted | Not permitted |
    | Open-source audit trail | Proprietary | Proprietary | Open-source | Open-source |
    | Password vault | OS-level, biometric | Google account-linked | Local, master password | Local |

    Enterprise Risks That Security Teams Must Evaluate

    Comet’s AI agent operates with simultaneous access to all browser cookies, session tokens, and authenticated enterprise sessions, with no least-privilege separation between the agent and those credentials. This means a successful prompt injection attack executes with the full permissions of the logged-in user, and the resulting actions appear as legitimate user activity in audit logs, creating a direct compliance gap.

    UNU’s C3 Cyber Center documented three enterprise attack scenarios in October 2025. One involved a supply chain scenario where a compromised academic resource, open alongside authenticated financial dashboards, allowed an attacker to extract financial account information via the AI agent, the agent acting invisibly within the user’s existing authenticated session. For organizations running Azure, Salesforce, or Google Workspace through a browser, this is not a theoretical risk.

    Is Perplexity Comet safe for enterprise use in 2026?

    Comet poses documented enterprise risk because its AI agent accesses all authenticated browser sessions without privilege separation. Prompt injection attacks appear as legitimate user actions in audit logs, creating compliance exposure. Enterprises should enforce policy controls and restrict agentic features until a formal third-party security audit is published.

    Limitations: What Comet Cannot Yet Defend Against

    Third-party cookies remain allowed by default in Comet for site compatibility; tracker blocking and cookie permissiveness operate as separate layers, which may surprise privacy-focused users. Being Chromium-based exposes Comet to the standard browser fingerprinting vulnerabilities shared across all Chromium derivatives, including Chrome and Edge. AI queries involving personal context are transmitted to Perplexity’s servers, meaning the local-first model applies to browsing storage, not to active AI interactions.

    The prompt injection fix remains contested as of Brave’s most recent published update, the hidden extensions cannot be disabled by users, and no independent third-party security audit of Comet’s full codebase has been publicly released as of February 2026. Users requiring a fully audited, open-source security posture are better served by Firefox or Brave until Comet’s audit trail matures.

    Frequently Asked Questions (FAQs)

    Is Perplexity Comet browser safe to use in 2026?

    Comet is reasonably safe for general consumers with its local-first data model, built-in tracker and fingerprint blocking, and OS-level password vault. Enterprise users face elevated risk due to the AI agent’s unrestricted access to authenticated browser sessions. The prompt injection fix remains disputed by Brave’s own security team as of their published follow-up.

    How did the August 2025 Comet prompt injection attack work?

    Brave Security Engineer Artem Chaikin embedded a hidden instruction in a Reddit spoiler tag. When a Comet user clicked Summarize, the AI extracted their Perplexity account email from the settings page, triggered an OTP, read it from Gmail, and posted both to Reddit, completing an account takeover without any further user interaction.

    Was the Comet prompt injection vulnerability fully fixed?

    Perplexity patched the initial flaw and published a mitigation architecture document on October 22, 2025. However, Brave conducted follow-up testing and reported to Perplexity that the vulnerability was not fully mitigated. As of Brave’s published update, the re-disclosure was submitted for further action.

    What is the Comet MCP API and why was it a security concern?

    The MCP API (chrome.perplexity.mcp.addStdioServer) exposed by Comet’s hidden Agentic Extension allowed browser extensions to register and execute local system commands, a capability not permitted in standard browsers. SquareX demonstrated this could be exploited via extension stomping to achieve full local system access. Perplexity disabled the API post-disclosure.

    Does Comet send your browsing data to Perplexity’s servers?

    All browsing data is stored locally by default. Data reaches Perplexity’s servers only when you ask the AI a question requiring personal context such as email management or booking tasks. Only the relevant tab and browsing history for that task are transmitted. Credentials are never sent to Perplexity’s servers.

    Are there hidden extensions in Comet that users cannot disable?

    Yes. Comet ships with two extensions, the Comet Analytics Extension and the Comet Agentic Extension, that do not appear in the extensions management panel and cannot be disabled by users. These extensions provide the browser’s AI functionality but were also the vector for the MCP API vulnerability SquareX disclosed in November 2025.

    Is Comet suitable for enterprise deployment in 2026?

    With restrictions. Perplexity offers enterprise policy controls including the ability to limit agentic features. However, CISOs should note that the AI agent operates with full access to all authenticated sessions, agentic actions bypass standard audit log attribution, and no independent third-party security audit has been publicly released. Evaluate against your organization’s compliance requirements before deployment.

    How does Comet’s privacy model differ from Chrome’s?

    Comet stores all browsing data locally by default and blocks trackers and fingerprinting automatically from first install, protections Chrome does not enable by default. Chrome syncs data to Google’s servers by default. However, Comet’s agentic AI introduces unique attack surfaces that Chrome does not have, and Comet’s codebase has not been independently audited.


    Disclosure: We tested Comet across real-world browsing scenarios including enterprise SaaS sessions, financial dashboard access, and social media feeds. We cross-referenced our observations against Brave’s published prompt injection methodology, SquareX’s MCP API disclosure, and Perplexity’s official privacy documentation to verify all claims in this article firsthand.

    Disclosure Note: Perplexity disputes SquareX’s characterization of the MCP API attack, stating the proof-of-concept demonstrated human-executed actions rather than autonomous AI behavior, and that user consent is required for local MCP configurations. Their full position is on record with HelpNetSecurity. Both positions are included here for accuracy.
    Mohammad Kashif
    Senior Technology Analyst and Writer at AdwaitX, specializing in the convergence of Mobile Silicon, Generative AI, and Consumer Hardware. Moving beyond spec sheets, his reviews rigorously test "real-world" metrics analyzing sustained battery efficiency, camera sensor behavior, and long-term software support lifecycles. Kashif’s data-driven approach helps enthusiasts and professionals distinguish between genuine innovation and marketing hype, ensuring they invest in devices that offer lasting value.
