Broader Warning for AI browsers: The disclosure is likely to deepen enterprise hesitation around AI browser adoption. Grady noted that organizations will continue treating them as unsanctioned applications until they can fully assess the tradeoffs. “Security teams should ensure corporate policy is clear, and they have the tools to enforce that policy.”

SquareX’s recommendation is rather blunt: AI browsers must disclose all system-level APIs, undergo independent security audits, and give users the ability to disable embedded extensions. Without that, they warn, the industry could normalize a class of browsers that quietly hold endpoint-level authority.

“Unfortunately, the MCP API is accessible by Comet’s embedded extensions by default, and there is no way to uninstall these extensions, so apart from preventing users from using Comet, the true fix can only come from Perplexity,” Adeline noted. “For extension stomping, device integrity measures can be put in place to prevent sideloading of extensions.” However, extension stomping is just one way the API can be exploited, she added.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4092995/hidden-api-in-comet-ai-browser-raises-security-red-flags-for-enterprises.html