
Experts say the discovery lands at a sensitive moment for AI browsers. John Grady, principal analyst at Omdia, said most organizations have already classified them conservatively. “Most organizations are treating them as unmanaged apps at this point in time,” he said. “It’s incredibly early, so very few, if any, organizations are adopting this as the default enterprise browser. And this finding will do nothing to change that.”
Embedded extensions have undocumented device access
SquareX says it uncovered the MCP API while reviewing Comet’s embedded Analytics Extension, where the non-standard “chrome.perplexity” namespace suggested an addition to Chromium. Audrey Adeline from SquareX said the team identified the API directly in the extension code. “We were able to retrieve the MCP API in the Comet Analytics Extension source code.”
She added that the exploitability of the feature is surprisingly high. “The technical bar for this exploit is extremely low: extension stomping, cross-site scripting, and basic network MitM attacks are more than enough.” In a demo shared along with the disclosure, a malicious extension spoofed as Comet’s Analytics Extension injected a script into the perplexity.ai page and ultimately used the Agentic Extension to invoke the MCP API, resulting in an on-device execution of WannaCry.
