The most powerful answer engine. Powering curiosity with answers backed by up-to-date sources. This is where knowledge begins.

Perplexity A.I CyberSecurity Scoring

Perplexity

Company Details

LinkedIn ID: perplexity-ai
Number of employees: 1,749
Number of followers: 1,260,308
NAICS: 5112
Industry Type: Software Development
Homepage: perplexity.ai
IP Addresses: 16
Company ID: PER_1655949
Scan Status: Completed

Perplexity Risk Score (AI oriented)

Between 700 and 749

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score to calculate premiums

Perplexity Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Perplexity Company CyberSecurity News & History

Past Incidents: 5
Attack Types: 3
Entity: Perplexity AI
Type: Breach
Severity: 50
Impact: 2
Seen: 6/2024
Rankiteo Explanation: Attack limited on finance or reputation

Description: Perplexity AI is under investigation by Amazon Web Services (AWS) for potentially breaching AWS rules by ignoring the Robots Exclusion Protocol and scraping content from websites that attempted to block its access. This protocol, which is widely respected though not legally binding, was dismissed by Perplexity as it accessed data from multiple websites including Condé Nast properties through scraping practices. Companies affected have reported unauthorized crawling by an IP address linked to Perplexity, raising concerns about data use and adherence to AWS's terms of service. As a result, the integrity and legitimacy of the content used by Perplexity's AI search service are in question, reflecting poorly on their operations.

Entity: Perplexity
Type: Cyber Attack
Severity: 60
Impact: 2
Seen: 6/2020
Rankiteo Explanation: Attack limited on finance or reputation

Description: Cybersecurity researchers uncovered **CometJacking**, a novel **prompt injection attack** targeting Perplexity’s AI-powered browser, **Comet**. The attack exploits a malicious URL to hijack the embedded AI assistant, siphoning sensitive data—including emails, calendars, and connected services—without requiring credential theft, as the browser already has authorized access. The attack leverages **Base64 obfuscation** to bypass Perplexity’s data exfiltration protections, transmitting stolen information to an attacker-controlled endpoint in a single click. The technique weaponizes the **‘collection’ URL parameter**, tricking the AI into executing hidden prompts that extract data from the user’s linked accounts (e.g., Gmail). While Perplexity dismissed the findings as having **‘no security impact’**, the attack demonstrates how AI-native tools can **circumvent traditional defenses**, turning trusted assistants into insider threats. Researchers warn this could enable large-scale data theft if exploited in phishing campaigns, particularly in enterprise environments where AI browsers are integrated. The attack mirrors prior techniques like **Scamlexity** (2020), where browsers were manipulated into interacting with phishing pages autonomously. Experts emphasize the urgent need for **security-by-design** in AI agents to prevent prompt-based exploits from becoming widespread threats.

Entity: Perplexity (Comet AI-powered browser)
Type: Vulnerability
Severity: 100
Impact: 5
Seen: 11/2025
Rankiteo Explanation: Attack threatening the organization’s existence

Description: SquareX researchers discovered a critical vulnerability in **Comet**, Perplexity’s AI-powered agentic browser, where hidden built-in extensions (**Comet Analytics** and **Comet Agentic**) exploit the **MCP API** to execute arbitrary commands on a user’s device. The API, accessible via Perplexity’s subdomains, could be hijacked by attackers through **XSS, MitM, or extension stomping** (spoofing the Analytics Extension’s manifest key) to deploy **ransomware**, exfiltrate data, or install malware. Though Perplexity silently patched the issue by disabling the MCP API after public disclosure, the lack of transparency and user control over these extensions poses ongoing risks. The flaw highlights how AI browsers, bypassing traditional sandboxing, expand attack surfaces by granting deep system access—potentially enabling full device takeover if exploited. Researchers warn this sets a dangerous precedent for AI-driven software prioritizing innovation over security boundaries.

Entity: Perplexity
Type: Vulnerability
Severity: 100
Impact: 5
Seen: 11/2025
Rankiteo Explanation: Attack threatening the organization’s existence

Description: Perplexity’s AI-powered browser **Comet** was exposed to **HashJack**, a critical indirect prompt injection vulnerability exploiting URL fragments (after the ‘#’ symbol) to execute hidden malicious instructions. The flaw allowed threat actors to bypass traditional security systems—such as server logs, network monitoring, and content security policies—by embedding deceptive prompts (e.g., callback phishing, data exfiltration, misinformation, malware guidance, medical harm, and credential theft) that appeared as legitimate AI-generated responses. Users were tricked into divulging sensitive financial/personal data, installing backdoors, or following harmful medical advice, all while the attack remained undetected due to client-side processing of URL fragments. Perplexity initially dismissed the report but later classified it as **critical severity (P1)**, deploying fixes by **November 18, 2025**. The incident highlights systemic risks in AI browsers, where LLM susceptibility to prompt injection and flawed URL-handling design enable large-scale deception, financial fraud, and operational disruptions. The attack’s stealth and automation potential—particularly in agentic browsers—posed severe reputational, financial, and trust-based damages, with long-term implications for user safety and regulatory compliance.

Entity: Perplexity (Comet Browser)
Type: Vulnerability
Severity: 100
Impact: 5
Seen: 11/2025
Rankiteo Explanation: Attack threatening the organization's existence

Description: Cybersecurity researchers at SquareX uncovered a critical **vulnerability** in **Comet**, Perplexity’s AI-powered browser, tied to a hidden **MCP API** (chrome.perplexity.mcp.addStdioServer) within the **Agentic extension**. This API allows arbitrary local command execution on users' devices—a capability explicitly banned in traditional browsers like Chrome or Firefox. The flaw stems from weak security controls, exposing users to **full device takeover** if attackers compromise **perplexity.ai** via methods like **XSS, phishing, or insider threats**. SquareX demonstrated the risk by spoofing a malicious extension, injecting a script into perplexity.ai, and leveraging the MCP API to execute **WannaCry ransomware**. The vulnerability creates a **catastrophic third-party risk**, where users’ security depends entirely on Perplexity’s defenses, with no mitigation options. The researchers warned that exploitation is inevitable, given the browser’s deviation from decades of established security principles. A single breach of Perplexity’s infrastructure could grant attackers **unprecedented control** over all Comet users’ devices, enabling large-scale malware deployment, data theft, or system hijacking.

Underwriter Stats for Perplexity

Incidents vs Software Development Industry Average (This Year)

Perplexity has 581.82% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Perplexity has 368.75% more incidents than the average of all companies with at least one recorded incident.

Incident Types Perplexity vs Software Development Industry Avg (This Year)

Perplexity reported 3 incidents this year: 0 cyber attacks, 0 ransomware, 3 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.

Incident History — Perplexity (X = Date, Y = Severity)

Perplexity cyber incidents detection timeline including parent company and subsidiaries

Perplexity Similar Companies

Xiaomi Technology

Xiaomi Corporation was founded in April 2010 and listed on the Main Board of the Hong Kong Stock Exchange on July 9, 2018 (1810.HK). Xiaomi is a consumer electronics and smart manufacturing company with smartphones and smart hardware connected by an IoT platform at its core. Embracing our vision

Siemens Digital Industries Software

We help organizations of all sizes digitally transform using software, hardware and services from the Siemens Xcelerator business platform. Our software and the comprehensive digital twin enable companies to optimize their design, engineering and manufacturing processes to turn today's ideas into th

Amazon is guided by four principles: customer obsession rather than competitor focus, passion for invention, commitment to operational excellence, and long-term thinking. We are driven by the excitement of building technologies, inventing products, and providing services that change lives. We embrac

VMware by Broadcom delivers software that unifies and streamlines hybrid cloud environments for the world’s most complex organizations. By combining public-cloud scale and agility with private-cloud security and performance, we empower our customers to modernize, optimize and protect their apps an

Snowflake

**Snowflake is proud to be the Official Data Collaboration Provider for LA28 and Team USA.** Snowflake delivers the AI Data Cloud — a global network where thousands of organizations mobilize data with near-unlimited scale, concurrency, and performance. Inside the AI Data Cloud, organizations unite

Cadence

Cadence is a market leader in AI and digital twins, pioneering the application of computational software to accelerate innovation in the engineering design of silicon to systems. Our design solutions, based on Cadence’s Intelligent System Design™ strategy, are essential for the world’s leading semic

TOTVS

Hello, we are TOTVS! The largest technology company in Brazil. 🤓 The absolute leader in systems and platforms for businesses, TOTVS has more than 70 thousand customers. Going far beyond ERP, it offers complete technology for business digitalization through 3 business units: - Management: ERPs, sol

Bosch

The Bosch Group is a leading global supplier of technology and services. It employs roughly 417,900 associates worldwide (as of December 31, 2024). According to preliminary figures, the company generated sales of 90.5 billion euros in 2024. Its operations are divided into four business sectors: Mobi

Zoho offers beautifully smart software to help you grow your business. With over 100 million users worldwide, Zoho's 55+ products aid your sales and marketing, support and collaboration, finance, and recruitment needs—letting you focus only on your business. Zoho respects user privacy and does not h

Perplexity CyberSecurity News

November 23, 2025 01:32 PM
Perplexity AI's Comet Browser: RCE Vulnerability Debate Intensifies

Perplexity AI is in hot water over alleged security vulnerabilities in its Comet browser, including a supposed RCE flaw.

November 23, 2025 10:03 AM
Perplexity responds to Comet browser vulnerability claims, argues "fake news"

SquareX accused Perplexity's Comet browser of exposing a hidden MCP API that could enable local command execution; Perplexity rejected the...

November 20, 2025 07:05 PM
Perplexity Comet AI Browser Exposed to Severe Security Flaws and Hacking Risks

In the rapidly evolving landscape of artificial intelligence, Perplexity's Comet browser promised a revolutionary way to navigate the...

November 20, 2025 06:32 PM
Perplexity's Comet AI browser may have some concerning security flaws which could let hacker hijack your device

When you buy through links on our articles, Future and its syndication partners may earn a commission. Abstract image of cyber security in...

November 20, 2025 04:13 AM
GSA, Perplexity Strike 'First' Direct-To-Gov't AI Deal

The U.S. General Services Administration struck a "first-of-its-kind" direct deal with Perplexity to provide federal agencies access to the...

November 19, 2025 09:28 PM
Perplexity to Add Agentic Shopping to Its Search Engine

Perplexity has a new partnership with the U.S. government and will roll out a free agentic AI shopping product for U.S. users.

November 19, 2025 02:37 PM
GSA Announces OneGov Deal With Perplexity to Accelerate AI Adoption

The General Services Administration (GSA) announced on Wednesday a OneGov agreement with artificial intelligence (AI) company Perplexity...

November 11, 2025 08:00 AM
Perplexity Comet AI Browser: Early access available for Android

Perplexity AI Comet Browser: Android launch coming soon with early access for Pro and Max users; new AI features enhance productivity and...

November 11, 2025 06:02 AM
AI: Perplexity's sharp elbows. RTZ #902

I've discussed often how Perplexity continues to punch above its weight amongst the leading LLM AI players this AI Tech Wave.

Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Perplexity CyberSecurity History Information

Official Website of Perplexity

The official website of Perplexity is https://www.perplexity.ai.

Perplexity’s AI-Generated Cybersecurity Score

According to Rankiteo, Perplexity’s AI-generated cybersecurity score is 726, reflecting their Moderate security posture.

How many security badges does Perplexity have?

According to Rankiteo, Perplexity currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Perplexity have SOC 2 Type 1 certification?

According to Rankiteo, Perplexity is not certified under SOC 2 Type 1.

Does Perplexity have SOC 2 Type 2 certification?

According to Rankiteo, Perplexity does not hold a SOC 2 Type 2 certification.

Does Perplexity comply with GDPR?

According to Rankiteo, Perplexity is not listed as GDPR compliant.

Does Perplexity have PCI DSS certification?

According to Rankiteo, Perplexity does not currently maintain PCI DSS compliance.

Does Perplexity comply with HIPAA?

According to Rankiteo, Perplexity is not compliant with HIPAA regulations.

Does Perplexity have ISO 27001 certification?

According to Rankiteo, Perplexity is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Perplexity

Perplexity operates primarily in the Software Development industry.

Number of Employees at Perplexity

Perplexity employs approximately 1,749 people worldwide.

Subsidiaries Owned by Perplexity

Perplexity presently has no subsidiaries across any sectors.

Perplexity’s LinkedIn Followers

Perplexity’s official LinkedIn profile has approximately 1,260,308 followers.

NAICS Classification of Perplexity

Perplexity is classified under the NAICS code 5112, which corresponds to Software Publishers.

Perplexity’s Presence on Crunchbase

No, Perplexity does not have a profile on Crunchbase.

Perplexity’s Presence on LinkedIn

Yes, Perplexity maintains an official LinkedIn profile, actively used for branding and talent engagement, at https://www.linkedin.com/company/perplexity-ai.

Cybersecurity Incidents Involving Perplexity

As of November 27, 2025, Rankiteo reports that Perplexity has experienced 5 cybersecurity incidents.

Number of Peer and Competitor Companies

Perplexity has an estimated 26,565 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Perplexity?

Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Cyber Attack and Breach.

How does Perplexity detect and respond to cybersecurity incidents?

Detection and Response: The incident records list the following detection and response measures:
  • Third-party assistance: LayerX (research disclosure); Guardio Labs (prior research reference)
  • Communication strategy: public disclosure via The Hacker News; statements by LayerX researchers
  • Enhanced monitoring: urgent evaluation of controls for malicious agent prompts (recommended)
  • Incident response plan activated: yes (silent patch deployed post-disclosure)
  • Third-party assistance: SquareX (research/disclosure)
  • Containment measures: disabled MCP API via silent update
  • Communication strategy: limited (no public documentation of patch; researchers notified on 2025-11-04, no response until post-publication)
  • Third-party assistance: SquareX (research/disclosure)
  • Communication strategy: media outreach (TechRadar); pending response from Perplexity
  • Entity: Microsoft; status: acknowledged (2025-08-20); fix date: 2025-10-27
  • Entity: Google; status: classified as 'intended behavior' (low severity, 2025-10-03); fix date: none
  • Entity: Perplexity; status: initially dismissed, later triaged as critical (P1, 2025-10-10); fix date: 2025-11-18
  • Third-party assistance: Cato CTRL (security research)
  • Remediation measures: Microsoft: patch released (2025-10-27); Perplexity: fixes applied (2025-11-18); Google: no remediation (ongoing as of 2025-11-25)
  • Enhanced monitoring: fragment inspection in AI context windows (proposed)

Incident Details

Can you provide details on each incident?

Incident : Data Scraping

Title: Perplexity AI Investigation for Breaching AWS Rules

Description: Perplexity AI is under investigation by Amazon Web Services (AWS) for potentially breaching AWS rules by ignoring the Robots Exclusion Protocol and scraping content from websites that attempted to block its access. This protocol, which is widely respected though not legally binding, was dismissed by Perplexity as it accessed data from multiple websites including Condé Nast properties through scraping practices. Companies affected have reported unauthorized crawling by an IP address linked to Perplexity, raising concerns about data use and adherence to AWS's terms of service. As a result, the integrity and legitimacy of the content used by Perplexity's AI search service are in question, reflecting poorly on their operations.

Type: Data Scraping

Attack Vector: Web Scraping

Vulnerability Exploited: Ignoring Robots Exclusion Protocol

Threat Actor: Perplexity AI

Motivation: Data Collection

Incident : Prompt Injection

Title: CometJacking Attack Targeting Perplexity's AI Browser Comet

Description: Cybersecurity researchers disclosed a new attack called CometJacking targeting Perplexity's agentic AI browser Comet. The attack embeds malicious prompts within a seemingly innocuous link to siphon sensitive data from connected services like email and calendar. The attack hijacks the AI assistant embedded in the browser to steal data while bypassing Perplexity's data protections using trivial Base64-encoding tricks. It does not involve credential theft, as the browser already has authorized access to services like Gmail and Calendar. The attack activates when a victim clicks a specially crafted URL, which instructs the Comet browser's AI to execute a hidden prompt that captures and exfiltrates user data to an attacker-controlled endpoint.

Type: Prompt Injection

Attack Vector: Malicious URL, Phishing Email, Web Page

Vulnerability Exploited: AI Agent Memory Access, Base64 Obfuscation Bypass, URL Parameter Manipulation (collection)

Motivation: Data Theft, Unauthorized Data Access, Exploitation of AI Tools

Incident : Vulnerability

Title: Comet Browser MCP API Vulnerability Exposes Users to Arbitrary Command Execution

Description: SquareX researchers discovered a critical security flaw in Comet, Perplexity's AI-powered agentic browser. The browser's hidden built-in extensions (Comet Analytics and Comet Agentic) leverage the MCP API (chrome.perplexity.mcp.addStdioServer) to execute arbitrary commands on the host machine. Attackers exploiting this via XSS, MitM, or extension stomping could install malware, exfiltrate data, or deploy ransomware. The MCP API was silently disabled in a post-disclosure update, but concerns remain about transparency and potential reactivation.

Date Detected: 2025-11-04

Date Publicly Disclosed: 2025-11-19

Date Resolved: 2025-11-19

Type: Vulnerability

Attack Vector: Cross-Site Scripting (XSS), Man-in-the-Middle (MitM), Extension Stomping (Manifest Key Spoofing), Domain Compromise (perplexity.ai subdomains)

Vulnerability Exploited: MCP API (chrome.perplexity.mcp.addStdioServer) in hidden Comet extensions (Comet Analytics/Comet Agentic)

Incident : Vulnerability Exploitation

Title: Hidden MCP API in Comet Browser Enabling Arbitrary Local Command Execution

Description: SquareX discovered a major vulnerability in Comet, the AI browser built by Perplexity, which could allow threat actors to take over a victim’s device entirely. The browser contains a hidden API (named MCP API: chrome.perplexity.mcp.addStdioServer) capable of executing arbitrary local commands on users’ devices—a capability explicitly prohibited by traditional browsers. The vulnerability resides in the Agentic extension, which can be triggered via the perplexity.ai site. A compromise of Perplexity’s site (e.g., via XSS, phishing, or insider threat) could grant attackers control over all Comet users' devices. SquareX demonstrated this by spoofing a legitimate extension, sideloading it, and executing WannaCry via the MCP API. Researchers warn of catastrophic third-party risk due to users' reliance on Perplexity's security posture.

Type: Vulnerability Exploitation

Attack Vector: Malicious Extension (Extension Stomping), Cross-Site Scripting (XSS), Man-in-the-Middle (MitM) Attack, Phishing (Perplexity Employee Targeting), Insider Threat

Vulnerability Exploited: Hidden MCP API (chrome.perplexity.mcp.addStdioServer) in Agentic Extension (Arbitrary Local Command Execution)

Incident : Prompt Injection

Title: HashJack: Indirect Prompt Injection Exploit in AI-Powered Browsers

Description: A newly discovered indirect prompt injection technique called HashJack exploits a critical design flaw in AI-powered browsers (e.g., Perplexity’s Comet, Microsoft Edge Copilot, Google’s Gemini for Chrome). Threat actors conceal malicious instructions after the ‘#’ symbol in legitimate URLs, which are executed by AI assistants without detection by traditional security systems. The attack leverages URL fragments (client-side only) to bypass server logs, network monitoring, and content security policies. Six attack scenarios were identified, including callback phishing, data exfiltration, misinformation, malware guidance, medical harm, and credential theft.

Date Publicly Disclosed: 2025-08-20

Type: Prompt Injection

Attack Vector: Malicious URL Fragments (Post-‘#’), AI Assistant Context Poisoning, Client-Side Execution

Vulnerability Exploited: AI Browser Design Flaw (Fragment Inclusion in Context), LLM Susceptibility to Prompt Injection, Lack of Fragment Inspection in Security Tools

Motivation: Financial Gain, Data Theft, Misinformation, Credential Harvesting, Malware Distribution, Medical Harm

What are the most common types of attacks the company has faced?

Common Attack Types: The most common type of attack the company has faced is Vulnerability.

How does the company identify the attack vectors used in incidents?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Web Scraping; Malicious URL (Phishing Email or Web Page); Comet Analytics/Comet Agentic extensions (hidden); perplexity.ai subdomains; Compromised perplexity.ai site; Malicious Extension (Agentic); XSS/Phishing/Insider Threat; and Malicious URL Fragments (Post-‘#’) in Legitimate Websites.

Impact of the Incidents

What was the impact of each incident?

Incident : Data Scraping PER449070624

Data Compromised: Website content

Operational Impact: Questionable Integrity and Legitimacy of AI Search Service

Brand Reputation Impact: Poor Reflection on Operations

Incident : Prompt Injection PER1592715100425

Data Compromised: Email data, Calendar data, Connected service data

Systems Affected: Perplexity Comet AI Browser

Brand Reputation Impact: Potential Erosion of Trust in AI Tools

Incident : Vulnerability PER2892328112025

Data Compromised: Local files, System data, User activity logs (potential)

Systems Affected: Comet Browser (AI-powered agentic browser by Perplexity)

Operational Impact: Potential loss of user trust; silent patch may affect undisclosed agentic workflows relying on MCP API

Brand Reputation Impact: High (security community scrutiny; concerns over transparency and user consent)

Identity Theft Risk: High (if attackers exfiltrate local files/PII)

Incident : Vulnerability Exploitation PER2362223112125

Systems Affected: Comet Browser (All User Devices), Underlying Operating Systems

Operational Impact: Full device takeover risk for all Comet users via Perplexity site compromise

Brand Reputation Impact: High (Catastrophic third-party risk exposure, reversal of browser security principles)

Incident : Prompt Injection PER3034930112625

Data Compromised: Sensitive financial data, Personal data, Credentials

Systems Affected: AI-Powered Browsers (Perplexity Comet, Microsoft Edge Copilot, Google Gemini for Chrome), User Devices, IoT Devices (via Malware Guidance)

Operational Impact: Automated Data Exfiltration, Unauthorized AI Assistant Actions, User Trust Erosion

Brand Reputation Impact: High (Due to AI Manipulation and Undetectable Attacks)

Identity Theft Risk: High (Via Credential Theft and PII Exposure)

Payment Information Risk: High (Financial Data Exfiltration)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Website Content, Email Data, Calendar Data, Connector Service Data, Local System Files, Potential PII (If Exfiltrated), Financial Data, Personal Data, Credentials, Medical Information (Via Misinformation) and IoT Device Access.

Which entities were affected by each incident ?

Incident : Data Scraping PER449070624

Entity Name: Condé Nast

Entity Type: Company

Industry: Media

Incident : Data Scraping PER449070624

Entity Name: Other Companies

Entity Type: Companies

Incident : Prompt Injection PER1592715100425

Entity Name: Perplexity AI

Entity Type: Technology Company

Industry: AI/ML, Search & Browser Services

Incident : Vulnerability PER2892328112025

Entity Name: Perplexity AI (Comet Browser)

Entity Type: Technology Company

Industry: AI/Software

Customers Affected: All Comet Browser users (exact number undisclosed)

Incident : Vulnerability Exploitation PER2362223112125

Entity Name: Perplexity AI

Entity Type: Organization

Industry: AI/Technology (Browser Development)

Customers Affected: All Comet Browser Users

Incident : Prompt Injection PER3034930112625

Entity Name: Microsoft

Entity Type: Corporation

Industry: Technology

Location: Redmond, Washington, USA

Size: Large

Customers Affected: Users of Microsoft Edge Copilot

Incident : Prompt Injection PER3034930112625

Entity Name: Google

Entity Type: Corporation

Industry: Technology

Location: Mountain View, California, USA

Size: Large

Customers Affected: Users of Google Gemini for Chrome

Incident : Prompt Injection PER3034930112625

Entity Name: Perplexity AI

Entity Type: Corporation

Industry: AI/Technology

Location: San Francisco, California, USA

Size: Medium

Customers Affected: Users of Perplexity Comet

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Prompt Injection PER1592715100425

Third Party Assistance: LayerX (Research Disclosure), Guardio Labs (Prior Research Reference).

Communication Strategy: Public Disclosure via The Hacker News, Statements by LayerX Researchers

Enhanced Monitoring: Urgent Evaluation of Controls for Malicious Agent Prompts (Recommended)

Incident : Vulnerability PER2892328112025

Incident Response Plan Activated: Yes (silent patch deployed post-disclosure)

Third Party Assistance: SquareX (Research/Disclosure).

Containment Measures: Disabled MCP API via silent update

Communication Strategy: Limited (no public documentation of patch; researchers notified on 2025-11-04, no response until post-publication)

Incident : Vulnerability Exploitation PER2362223112125

Third Party Assistance: SquareX (Research/Disclosure).

Communication Strategy: Media Outreach (TechRadar), Pending Response from Perplexity

Incident : Prompt Injection PER3034930112625

Incident Response Plan Activated: Microsoft: Acknowledged (2025-08-20), fix date 2025-10-27. Google: Classified as 'Intended Behavior' (Low Severity, 2025-10-03), no fix date. Perplexity: Initially Dismissed; Later Triaged as Critical (P1, 2025-10-10), fix date 2025-11-18.

Third Party Assistance: Cato CTRL (Security Research).

Remediation Measures: Microsoft: Patch Released (2025-10-27), Perplexity: Fixes Applied (2025-11-18), Google: No Remediation (Ongoing as of 2025-11-25)

Enhanced Monitoring: Fragment Inspection in AI Context Windows (Proposed)

What is the company's incident response plan?

Incident Response Plan: The company's incident response plan is described as: Yes (silent patch deployed post-disclosure). Microsoft: Acknowledged (2025-08-20), fix date 2025-10-27. Google: Classified as 'Intended Behavior' (Low Severity, 2025-10-03). Perplexity: Initially Dismissed; Later Triaged as Critical (P1, 2025-10-10), fix date 2025-11-18.

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through LayerX (Research Disclosure), Guardio Labs (Prior Research Reference), SquareX (Research/Disclosure), SquareX (Research/Disclosure) and Cato CTRL (Security Research).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Scraping PER449070624

Type of Data Compromised: Website Content

Incident : Prompt Injection PER1592715100425

Type of Data Compromised: Email data, Calendar data, Connector service data

Sensitivity of Data: High (Authorized Access to Connected Services)

Data Exfiltration: Base64-Encoded Data Transmitted to Attacker-Controlled Endpoint

Data Encryption: Bypassed via Obfuscation (Base64)

Personally Identifiable Information: Potential (Depending on Connected Services)

Incident : Vulnerability PER2892328112025

Type of Data Compromised: Local system files, Potential PII (if exfiltrated)

Sensitivity of Data: High (local device access)

Data Exfiltration: Potential (demonstrated in attack scenario)

Personally Identifiable Information: Potential (if attackers leverage API to access local files)

Incident : Prompt Injection PER3034930112625

Type of Data Compromised: Financial data, Personal data, Credentials, Medical information (via misinformation), IoT device access

Sensitivity of Data: High

Data Exfiltration: Automated (via Agentic Browsers like Comet)

Personally Identifiable Information: Credentials, Financial Records, Personal Details

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Microsoft: Patch Released (2025-10-27), Perplexity: Fixes Applied (2025-11-18), Google: No Remediation (Ongoing as of 2025-11-25).

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by disabling the MCP API via silent update.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Vulnerability PER2892328112025

Data Encryption: Demonstrated in hypothetical attack (malicious extension invoking MCP API to execute ransomware)

Data Exfiltration: Potential (as part of ransomware attack chain)

Incident : Vulnerability Exploitation PER2362223112125

Ransomware Strain: WannaCry (Demo Only)

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Prompt Injection PER1592715100425

Lessons Learned: AI-native browsers introduce new security risks that bypass traditional defenses. Trivial obfuscation (e.g., Base64) can circumvent data exfiltration checks in AI tools. Malicious prompts in URLs can weaponize AI agents with existing authorized access. Security-by-design is critical for AI agent prompts and memory access, not just page content.

Incident : Vulnerability PER2892328112025

Lessons Learned: AI browsers break traditional sandboxing models, increasing attack surface. Hidden extensions with privileged APIs pose transparency risks. Silent patches without disclosure erode user trust. Industry needs boundaries for AI browser capabilities to avoid bypassing security principles.

Incident : Vulnerability Exploitation PER2362223112125

Lessons Learned: Adherence to established browser security principles (e.g., Chrome, Safari, Firefox) is critical to prevent arbitrary command execution. Third-party dependencies (e.g., perplexity.ai site) can introduce catastrophic risks if compromised. Custom APIs with elevated privileges must undergo rigorous security reviews.

Incident : Prompt Injection PER3034930112625

Lessons Learned: AI browsers must exclude URL fragments from LLM context to prevent prompt injection. Client-side-only attacks evade traditional security tools, requiring new detection frameworks. User trust in AI assistants can be exploited via seemingly legitimate URLs. Proactive security research is critical for emerging AI-driven attack surfaces.

What recommendations were made to prevent future incidents ?

Incident : Prompt Injection PER1592715100425

Recommendations: Implement controls to detect and neutralize malicious agent prompts in AI browsers. Evaluate and harden AI tool integrations with connected services (e.g., Gmail, Calendar). Monitor for weaponized URLs targeting AI-native tools in phishing campaigns. Adopt security-by-design principles for AI memory access and prompt execution.

Incident : Vulnerability PER2892328112025

Recommendations: Disable local MCP API permanently or restrict to minimal necessary functionality. Inform users about privileged extensions and provide opt-out mechanisms. Document all high-risk APIs and their intended use cases. Implement public vulnerability disclosure processes. Conduct third-party security audits for AI-powered browsers.

Incident : Vulnerability Exploitation PER2362223112125

Recommendations: Disable or remove the MCP API in Comet Browser immediately. Implement strict sandboxing for extensions to prevent arbitrary command execution. Conduct third-party security audits for perplexity.ai and embedded extensions. Enforce multi-factor authentication (MFA) for Perplexity employees to mitigate phishing risks. Monitor for extension stomping, XSS, and MitM attacks targeting the Agentic extension. Provide users with transparency tools to assess and mitigate third-party risks.

Incident : Prompt Injection PER3034930112625

Recommendations: Exclude URL fragments from AI assistant context windows. Implement client-side monitoring for malicious prompt execution. Educate users on the risks of AI-generated suggestions from untrusted sources. Develop standardized security frameworks for AI-powered browsers. Enhance collaboration between AI vendors and security researchers.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: AI-native browsers introduce new security risks that bypass traditional defenses. Trivial obfuscation (e.g., Base64) can circumvent data exfiltration checks in AI tools. Malicious prompts in URLs can weaponize AI agents with existing authorized access. Security-by-design is critical for AI agent prompts and memory access, not just page content. AI browsers break traditional sandboxing models, increasing attack surface. Hidden extensions with privileged APIs pose transparency risks. Silent patches without disclosure erode user trust. Industry needs boundaries for AI browser capabilities to avoid bypassing security principles. Adherence to established browser security principles (e.g., Chrome, Safari, Firefox) is critical to prevent arbitrary command execution. Third-party dependencies (e.g., perplexity.ai site) can introduce catastrophic risks if compromised. Custom APIs with elevated privileges must undergo rigorous security reviews. AI browsers must exclude URL fragments from LLM context to prevent prompt injection. Client-side-only attacks evade traditional security tools, requiring new detection frameworks. User trust in AI assistants can be exploited via seemingly legitimate URLs. Proactive security research is critical for emerging AI-driven attack surfaces.

References

Where can I find more information about each incident ?

Incident : Prompt Injection PER1592715100425

Source: The Hacker News

Incident : Prompt Injection PER1592715100425

Source: LayerX Research (Michelle Levy, Head of Security Research)

Incident : Prompt Injection PER1592715100425

Source: Guardio Labs (Scamlexity Attack Technique, August 2020)

Incident : Vulnerability PER2892328112025

Source: Help Net Security

URL: https://www.helpnetsecurity.com/

Date Accessed: 2025-11-19

Incident : Vulnerability PER2892328112025

Source: SquareX Research Report

Date Accessed: 2025-11-19

Incident : Prompt Injection PER3034930112625

Source: Cato CTRL Security Research

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at: The Hacker News; LayerX Research (Michelle Levy, Head of Security Research); Guardio Labs (Scamlexity Attack Technique, August 2020); Help Net Security (URL: https://www.helpnetsecurity.com/, Date Accessed: 2025-11-19); SquareX Research Report (Date Accessed: 2025-11-19); TechRadar (URL: https://www.techradar.com/news/squarex-discovered-hidden-mcp-api-in-comet-browser-enabling-arbitrary-local-command-execution); and Cato CTRL Security Research.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Scraping PER449070624

Investigation Status: Ongoing

Incident : Prompt Injection PER1592715100425

Investigation Status: Disclosed by Third-Party Researchers (LayerX); Perplexity Classified as 'No Security Impact'

Incident : Vulnerability PER2892328112025

Investigation Status: Partially Resolved (MCP API disabled; long-term fixes pending)

Incident : Vulnerability Exploitation PER2362223112125

Investigation Status: Ongoing (Pending Response from Perplexity)

Incident : Prompt Injection PER3034930112625

Investigation Status: Microsoft: Resolved (2025-10-27); Google: Unresolved (Ongoing as of 2025-11-25); Perplexity: Resolved (2025-11-18)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Disclosure via The Hacker News, Statements by LayerX Researchers, Limited (no public documentation of patch; researchers notified on 2025-11-04, no response until post-publication), Media Outreach (TechRadar) and Pending Response from Perplexity.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Prompt Injection PER3034930112625

Customer Advisories: Users advised to avoid clicking AI-generated links from untrusted URLs. Recommend disabling AI assistant features in browsers until patches are applied (for Google Gemini).

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Users advised to avoid clicking AI-generated links from untrusted URLs. Recommend disabling AI assistant features in browsers until patches are applied (for Google Gemini).

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Data Scraping PER449070624

Entry Point: Web Scraping

Incident : Prompt Injection PER1592715100425

Entry Point: Malicious URL (Phishing Email or Web Page)

High Value Targets: Connected Services (Gmail, Calendar, etc.)

Data Sold on Dark Web: Connected Services (Gmail, Calendar, etc.)

Incident : Vulnerability PER2892328112025

Entry Point: Comet Analytics/Comet Agentic Extensions (Hidden), perplexity.ai Subdomains

Backdoors Established: Potential (via MCP API persistence)

High Value Targets: Local System Files, User Credentials, Installed Applications

Data Sold on Dark Web: Local System Files, User Credentials, Installed Applications

Incident : Vulnerability Exploitation PER2362223112125

Entry Point: Compromised perplexity.ai Site, Malicious Extension (Agentic), XSS/Phishing/Insider Threat

Backdoors Established: MCP API (chrome.perplexity.mcp.addStdioServer)

High Value Targets: All Comet Browser Users' Devices

Data Sold on Dark Web: All Comet Browser Users' Devices

Incident : Prompt Injection PER3034930112625

Entry Point: Malicious URL Fragments (Post-‘#’) in Legitimate Websites

Backdoors Established: Via Malware Guidance Scenarios (IoT/Device Compromise)

High Value Targets: Financial Data, Personal Identifiable Information (PII), Credentials, Medical Data

Data Sold on Dark Web: Financial Data, Personal Identifiable Information (PII), Credentials, Medical Data

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Scraping PER449070624

Root Causes: Ignoring Robots Exclusion Protocol

Incident : Prompt Injection PER1592715100425

Root Causes: Lack of prompt validation in AI agent memory access. Insufficient safeguards against URL parameter manipulation (e.g., 'collection'). Over-reliance on traditional defenses for AI-native tools.

Incident : Vulnerability PER2892328112025

Root Causes: Lack of extension visibility/control for users, Overprivileged hidden extensions with system-level access, Insufficient API documentation and use-case justification, Silent updates without transparency

Corrective Actions: Disabled MCP API (temporary fix), Expected: Public documentation of API usage and risks, Expected: User-facing controls for privileged extensions

Incident : Vulnerability Exploitation PER2362223112125

Root Causes: Lack of adherence to browser security principles (e.g., prohibiting arbitrary command execution). Overprivileged custom API (MCP) in Agentic extension. Third-party risk concentration (single point of failure via perplexity.ai). Insufficient extension sandboxing.

Incident : Prompt Injection PER3034930112625

Root Causes: AI browsers treating URL fragments as legitimate context for LLMs. Lack of fragment inspection in security tools (server-side and network-level). Over-reliance on client-side execution without validation. Design flaw in AI assistant architecture (trusting unvalidated URL inputs).

Corrective Actions: Patch AI browsers to exclude fragments from LLM context (Microsoft/Perplexity). Develop fragment-aware security tools for client-side monitoring. Implement user warnings for AI-generated content from external URLs. Establish industry standards for secure AI browser design.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as LayerX (Research Disclosure), Guardio Labs (Prior Research Reference), Urgent Evaluation of Controls for Malicious Agent Prompts (Recommended), SquareX (Research/Disclosure), SquareX (Research/Disclosure), Cato CTRL (Security Research), Fragment Inspection in AI Context Windows (Proposed).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Disabled MCP API (temporary fix), Expected: Public documentation of API usage and risks, Expected: User-facing controls for privileged extensions; Patch AI browsers to exclude fragments from LLM context (Microsoft/Perplexity), Develop fragment-aware security tools for client-side monitoring, Implement user warnings for AI-generated content from external URLs, Establish industry standards for secure AI browser design.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was Perplexity AI.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2025-11-04.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-08-20.

What was the most recent incident resolved ?

Most Recent Incident Resolved: The most recent incident resolved was on 2025-11-19.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Website Content, Email Data, Calendar Data, Connected Service Data, Local files, System data, User activity logs (potential), Sensitive Financial Data, Personal Data and Credentials.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Perplexity Comet AI Browser; Comet Browser (AI-powered agentic browser by Perplexity); Comet Browser (All User Devices), Underlying Operating Systems; and AI-Powered Browsers (Perplexity Comet, Microsoft Edge Copilot, Google Gemini for Chrome), User Devices, IoT Devices (via Malware Guidance).

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was LayerX (Research Disclosure), Guardio Labs (Prior Research Reference), SquareX (Research/Disclosure), SquareX (Research/Disclosure), Cato CTRL (Security Research).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measure taken in the most recent incident was Disabled MCP API via silent update.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were User activity logs (potential), Website Content, Email Data, Personal Data, Local files, Calendar Data, Connected Service Data, Sensitive Financial Data, Credentials and System data.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Proactive security research is critical for emerging AI-driven attack surfaces.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Evaluate and harden AI tool integrations with connected services (e.g., Gmail, Calendar). Implement public vulnerability disclosure processes. Monitor for weaponized URLs targeting AI-native tools in phishing campaigns. Exclude URL fragments from AI assistant context windows. Disable local MCP API permanently or restrict to minimal necessary functionality. Implement controls to detect and neutralize malicious agent prompts in AI browsers. Inform users about privileged extensions and provide opt-out mechanisms. Implement strict sandboxing for extensions to prevent arbitrary command execution. Document all high-risk APIs and their intended use cases. Enhance collaboration between AI vendors and security researchers. Implement client-side monitoring for malicious prompt execution. Educate users on the risks of AI-generated suggestions from untrusted sources. Develop standardized security frameworks for AI-powered browsers. Provide users with transparency tools to assess and mitigate third-party risks. Monitor for extension stomping, XSS, and MitM attacks targeting the Agentic extension. Disable or remove the MCP API in Comet Browser immediately. Adopt security-by-design principles for AI memory access and prompt execution. Conduct third-party security audits for AI-powered browsers. Enforce multi-factor authentication (MFA) for Perplexity employees to mitigate phishing risks. Conduct third-party security audits for perplexity.ai and embedded extensions.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are Help Net Security, SquareX Research Report, Guardio Labs (Scamlexity Attack Technique, August 2020), LayerX Research (Michelle Levy, Head of Security Research), The Hacker News, TechRadar and Cato CTRL Security Research.

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URLs for additional resources on cybersecurity best practices are https://www.helpnetsecurity.com/ and https://www.techradar.com/news/squarex-discovered-hidden-mcp-api-in-comet-browser-enabling-arbitrary-local-command-execution

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Stakeholder and Customer Advisories

What was the most recent customer advisory issued?

Most Recent Customer Advisory: The most recent customer advisory issued was: Users advised to avoid clicking AI-generated links from untrusted URLs. Recommend disabling AI assistant features in browsers until patches are applied (for Google Gemini).

Initial Access Broker

What was the most recent entry point used by an initial access broker?

Most Recent Entry Point: The most recent entry points used by an initial access broker were Web Scraping and Malicious URL Fragments (Post-‘#’) in Legitimate Websites.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were:
  • Ignoring Robots Exclusion Protocol.
  • Lack of prompt validation in AI agent memory access. Insufficient safeguards against URL parameter manipulation (e.g., 'collection'). Over-reliance on traditional defenses for AI-native tools.
  • Lack of extension visibility/control for users. Overprivileged hidden extensions with system-level access. Insufficient API documentation and use-case justification. Silent updates without transparency.
  • Lack of adherence to browser security principles (e.g., prohibiting arbitrary command execution). Overprivileged custom API (MCP) in Agentic extension. Third-party risk concentration (single point of failure via perplexity.ai). Insufficient extension sandboxing.
  • AI browsers treating URL fragments as legitimate context for LLMs. Lack of fragment inspection in security tools (server-side and network-level). Over-reliance on client-side execution without validation. Design flaw in AI assistant architecture (trusting unvalidated URL inputs).

What was the most significant corrective action taken based on post-incident analysis?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were:
  • Disabled MCP API (temporary fix). Expected: Public documentation of API usage and risks. Expected: User-facing controls for privileged extensions.
  • Patch AI browsers to exclude fragments from LLM context (Microsoft/Perplexity). Develop fragment-aware security tools for client-side monitoring. Implement user warnings for AI-generated content from external URLs. Establish industry standards for secure AI browser design.

Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL is protocol-relative (starts with //), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=perplexity-ai' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.