A public dispute has emerged between browser security firm SquareX and AI search engine company Perplexity regarding an alleged security vulnerability in Perplexity’s Comet browser extension. SquareX has labeled the issue a critical flaw, while Perplexity maintains it is an intended feature and not a vulnerability.

SquareX Alleges Critical Vulnerability

Vivek Ramachandran, the founder and CEO of SquareX, published a blog post and a demonstration video detailing the alleged security issue. According to Ramachandran, the vulnerability could permit a malicious website to access and exfiltrate sensitive user data from other open tabs, including content from Gmail, Google Docs, and WhatsApp Web. He characterized the issue as a “backdoor” into users’ private information. SquareX stated that it had reported its findings to Perplexity on May 17.

Perplexity’s Firm Rebuttal

Perplexity CEO Aravind Srinivas issued a strong rebuttal to SquareX’s claims, stating that the behavior described is not a security vulnerability but an intended feature. Srinivas explained that the Comet extension requests user permission to access page content upon installation to provide contextual AI-powered answers. He specified that for any data to be accessed, a user would need to be on a malicious website and then explicitly click the Comet extension button to activate it on that page. Perplexity’s engineering team also published a technical blog post to refute the claims. Srinivas asserted that no user data had been compromised, there was no backdoor, and accused the competing firm of sensationalizing the issue for marketing purposes.