SquareX’s research uncovers a significant vulnerability in the Comet browser’s MCP API, enabling extensions to perform arbitrary local commands without user consent. This opens a pathway for potential exploitation through existing web vulnerabilities such as XSS and phishing. As the API is incorporated in critical extensions, users remain oblivious to their pervasive access. Despite no current misuse of the MCP API by Perplexity, the potential risk looms large if compromised. In a demonstration, SquareX showcased how malicious extensions could exploit this API, presenting a serious threat to device security.
The lack of official documentation on the MCP API promotes ambiguity regarding its implications on user safety. The hidden nature of crucial extensions prevents users from disabling them even when compromised, creating a scenario where users lose control over their device’s security. SquareX asserts that if accountability isn’t prioritized, AI browser vendors might continue to compromise user security in pursuit of innovation. SquareX is urging the implementation of disclosure and security audits for all APIs within AI browsers to prevent a cascade of security breaches within the industry.
👉 Pročitaj original: Cyber Security News
