Full Report
The Comet browser has an extension built in that lets an AI agent perform any browser tasks a user can. Of course, driven by prompts. Under the hood, Comet has an extension that runs in the background. It has a listener that is whitelisted for all *.perplexity.ai/* domains. With this extension, arbitrary actions can be asked to be performed. A single domain compromise or XSS would lead to a compromise then. The company markets a hacking bot. After giving it some pages, it did find a DOM XSS (so they claim). Another human researcher found a simple JavaScript URI injection vulnerability that bypasses a Cloudflare WAF. With access to the underlying API, they saw the command CALL_TOOL and RUN_IDLE_TEST. The former was a generalized tool executor while the latter took screenshots of the DOM of any page. Because this could handle file:// URIs, it could also read responses from arbitrary origins and local files. They passed the usage to Hacktron to usage CALL_TOOL to see what it could do. One of them was GetContent to read the contents of a page. They tried to escalate to RCE from this tool's context but were unsuccessful. The startAgentFromPerplexity command opened a websocket to the backend and forwarded the task information. The backend returns selectors based on the response and performs actions accordingly. Using this, they can get the browser to perform arbitrary actions. Good bug!
Analysis Summary
# Vulnerability: Perplexity Comet AI Browser UXSS and Arbitrary File Read
## CVE Details
- **CVE ID**: Not Assigned (Internal identification via Hacktron AI research)
- **CVSS Score**: 8.8 (Estimated: High/Critical)
- **CWE**: CWE-449 (The Surface of the Extension is Too Large), CWE-79 (Cross-site Scripting), CWE-200 (Exposure of Sensitive Information)
## Affected Systems
- **Products**: Perplexity Comet AI Browser
- **Versions**: Versions prior to August 20, 2025
- **Configurations**: Default configuration with the "Comet Assistant" extension enabled.
## Vulnerability Description
The vulnerability stems from a combination of architectural flaws and a specific input validation failure:
1. **Overly Broad Whitelist**: The Comet Assistant extension manifest used an `externally_connectable` rule for `https://*.perplexity.ai/*`. This permitted any subdomain under Perplexity to communicate with the background extension.
2. **SOP Bypass / UXSS**: A DOM XSS or JavaScript URI injection on a Perplexity subdomain allowed an attacker to send messages to the extension. The extension provided a `CALL_TOOL` and `RUN_IDLE_TEST` API.
3. **Local File Access**: The `RUN_IDLE_TEST` tool accepted `file://` URIs and screenshots of the DOM. Because the extension operated with elevated privileges, it could bypass the Same-Origin Policy (SOP) to read local files or content from arbitrary web origins (e.g., Gmail, internal dashboards) and return the data to the attacker-controlled script.
## Exploitation
- **Status**: PoC available; used in a responsible disclosure demonstration.
- **Complexity**: Low (once an initial XSS foothold on a subdomain is established).
- **Attack Vector**: Network (Web-based via a malicious or compromised subdomain).
## Impact
- **Confidentiality**: High (Ability to read local files and data from any website the user is logged into).
- **Integrity**: High (Ability to perform arbitrary actions like clicking buttons or changing account settings via the AI agent).
- **Availability**: Low (Primary impact is data theft and unauthorized actions).
## Remediation
### Patches
- **Perplexity Hotfix**: Released on **August 20, 2025**. Users should ensure their Comet Browser/Extension is updated to the latest version.
### Workarounds
- Disable the Comet Assistant extension if not required for daily tasks.
- Avoid browsing untrusted sites within the Comet browser until updated.
## Detection
- **Indicators of Compromise**:
- Unusual websocket connections initiated from the browser background to unknown backends.
- Presence of unexpected `chrome.runtime.sendMessage` calls to the Comet extension ID from arbitrary subdomains.
- **Detection Methods**: Reviewing browser extension logs and monitoring for unauthorized `file://` access attempts within the browser environment.
## References
- **Vendor Advisory**: hxxps[://]www[.]hacktron[.]ai/blog/perplexity-comet-uxss
- **Researcher Twitter**: hxxps[://]x[.]com/kplley (Perplexity Security Lead)
- **Tooling**: hxxps[://]www[.]hacktron[.]ai/ (Hacktron CLI for extension security scanning)