
The most powerful answer engine. Powering curiosity with answers backed by up-to-date sources. This is where knowledge begins.

Perplexity A.I CyberSecurity Scoring

Perplexity

Company Details

LinkedIn ID: perplexity-ai
Employees number: 1,749
Number of followers: 1,260,308
NAICS: 5112
Industry Type: Software Development
Homepage: perplexity.ai
IP Addresses: 16
Company ID: PER_1655949
Scan Status: In-progress

Perplexity Risk Score (AI oriented)

Between 700 and 749

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score to calculate premiums
Perplexity Global Score (TPRM)

XXXX


Perplexity

Current Score: 726, Ba (Moderate)
Score scale: 0 to 1000
5 incidents
-6.5 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

NOVEMBER 2025
735
Vulnerability
20 Nov 2025 • Perplexity (Comet AI-powered browser)
Comet Browser MCP API Vulnerability Exposes Users to Arbitrary Command Execution

SquareX researchers discovered a critical vulnerability in **Comet**, Perplexity’s AI-powered agentic browser, where hidden built-in extensions (**Comet Analytics** and **Comet Agentic**) exploit the **MCP API** to execute arbitrary commands on a user’s device. The API, accessible via Perplexity’s subdomains, could be hijacked by attackers through **XSS, MitM, or extension stomping** (spoofing the Analytics Extension’s manifest key) to deploy **ransomware**, exfiltrate data, or install malware. Though Perplexity silently patched the issue by disabling the MCP API after public disclosure, the lack of transparency and user control over these extensions poses ongoing risks. The flaw highlights how AI browsers, bypassing traditional sandboxing, expand attack surfaces by granting deep system access—potentially enabling full device takeover if exploited. Researchers warn this sets a dangerous precedent for AI-driven software prioritizing innovation over security boundaries.

726
critical -9
PER2892328112025
  • Vulnerability
  • Privilege Escalation
  • Arbitrary Code Execution

  • Cross-Site Scripting (XSS)
  • Man-in-the-Middle (MitM)
  • Extension Stomping (Manifest Key Spoofing)
  • Domain Compromise (perplexity.ai subdomains)

  • MCP API (chrome.perplexity.mcp.addStdioServer) in hidden Comet extensions (Comet Analytics/Comet Agentic)

  • Local files
  • System data
  • User activity logs (potential)
  • Comet Browser (AI-powered agentic browser by Perplexity)
  • Operational Impact: Potential loss of user trust; silent patch may affect undisclosed agentic workflows relying on MCP API
  • Brand Reputation Impact: High (security community scrutiny; concerns over transparency and user consent)
  • Identity Theft Risk: High (if attackers exfiltrate local files/PII)

  • Incident Response Plan Activated: Yes (silent patch deployed post-disclosure)
  • SquareX (research/disclosure)
  • Disabled MCP API via silent update
  • Communication Strategy: Limited (no public documentation of patch; researchers notified on 2025-11-04, no response until post-publication)

  • Local system files
  • Potential PII (if exfiltrated)
  • Sensitivity Of Data: High (local device access)
  • Data Exfiltration: Potential (demonstrated in attack scenario)
  • Personally Identifiable Information: Potential (if attackers leverage API to access local files)

  • AI browsers break traditional sandboxing models, increasing attack surface.
  • Hidden extensions with privileged APIs pose transparency risks.
  • Silent patches without disclosure erode user trust.
  • Industry needs boundaries for AI browser capabilities to avoid bypassing security principles.

  • Disable local MCP API permanently or restrict to minimal necessary functionality.
  • Inform users about privileged extensions and provide opt-out mechanisms.
  • Document all high-risk APIs and their intended use cases.
  • Implement public vulnerability disclosure processes.
  • Conduct third-party security audits for AI-powered browsers.

  • Partially Resolved (MCP API disabled; long-term fixes pending)

  • Comet Analytics/Comet Agentic extensions (hidden)
  • perplexity.ai subdomains
  • Backdoors Established: Potential (via MCP API persistence)
  • Local system files
  • User credentials
  • Installed applications

  • Lack of extension visibility/control for users
  • Overprivileged hidden extensions with system-level access
  • Insufficient API documentation and use-case justification
  • Silent updates without transparency
  • Disabled MCP API (temporary fix)
  • Expected: Public documentation of API usage and risks
  • Expected: User-facing controls for privileged extensions
Vulnerability
20 Nov 2025 • Perplexity (Comet Browser)
Hidden MCP API in Comet Browser Enabling Arbitrary Local Command Execution

Cybersecurity researchers at SquareX uncovered a critical **vulnerability** in **Comet**, Perplexity’s AI-powered browser, tied to a hidden **MCP API** (chrome.perplexity.mcp.addStdioServer) within the **Agentic extension**. This API allows arbitrary local command execution on users' devices—a capability explicitly banned in traditional browsers like Chrome or Firefox. The flaw stems from weak security controls, exposing users to **full device takeover** if attackers compromise **perplexity.ai** via methods like **XSS, phishing, or insider threats**. SquareX demonstrated the risk by spoofing a malicious extension, injecting a script into perplexity.ai, and leveraging the MCP API to execute **WannaCry ransomware**. The vulnerability creates a **catastrophic third-party risk**, where users’ security depends entirely on Perplexity’s defenses, with no mitigation options. The researchers warned that exploitation is inevitable, given the browser’s deviation from decades of established security principles. A single breach of Perplexity’s infrastructure could grant attackers **unprecedented control** over all Comet users’ devices, enabling large-scale malware deployment, data theft, or system hijacking.

726
critical -9
PER2362223112125
  • Vulnerability Exploitation
  • Arbitrary Code Execution
  • Third-Party Risk

  • Malicious Extension (Extension Stomping)
  • Cross-Site Scripting (XSS)
  • Man-in-the-Middle (MitM) Attack
  • Phishing (Perplexity Employee Targeting)
  • Insider Threat

  • Hidden MCP API (chrome.perplexity.mcp.addStdioServer) in Agentic Extension (Arbitrary Local Command Execution)

  • Comet Browser (All User Devices)
  • Underlying Operating Systems
  • Operational Impact: Full device takeover risk for all Comet users via Perplexity site compromise
  • Brand Reputation Impact: High (Catastrophic third-party risk exposure, reversal of browser security principles)

  • SquareX (Research/Disclosure)
  • Media Outreach (TechRadar)
  • Pending Response from Perplexity

  • Adherence to established browser security principles (e.g., Chrome, Safari, Firefox) is critical to prevent arbitrary command execution.
  • Third-party dependencies (e.g., perplexity.ai site) can introduce catastrophic risks if compromised.
  • Custom APIs with elevated privileges must undergo rigorous security reviews.

  • Disable or remove the MCP API in Comet Browser immediately.
  • Implement strict sandboxing for extensions to prevent arbitrary command execution.
  • Conduct third-party security audits for perplexity.ai and embedded extensions.
  • Enforce multi-factor authentication (MFA) for Perplexity employees to mitigate phishing risks.
  • Monitor for extension stomping, XSS, and MitM attacks targeting the Agentic extension.
  • Provide users with transparency tools to assess and mitigate third-party risks.

  • Ongoing (Pending Response from Perplexity)

  • Compromised perplexity.ai site
  • Malicious Extension (Agentic)
  • XSS/Phishing/Insider Threat
  • Backdoors Established: MCP API (chrome.perplexity.mcp.addStdioServer)
  • High Value Targets: All Comet Browser Users' Devices

  • Lack of adherence to browser security principles (e.g., prohibiting arbitrary command execution).
  • Overprivileged custom API (MCP) in Agentic extension.
  • Third-party risk concentration (single point of failure via perplexity.ai).
  • Insufficient extension sandboxing.
NOVEMBER 2025
739
Vulnerability
18 Nov 2025 • Perplexity
HashJack: Indirect Prompt Injection Exploit in AI-Powered Browsers

Perplexity’s AI-powered browser **Comet** was exposed to **HashJack**, a critical indirect prompt injection vulnerability exploiting URL fragments (after the ‘#’ symbol) to execute hidden malicious instructions. The flaw allowed threat actors to bypass traditional security systems—such as server logs, network monitoring, and content security policies—by embedding deceptive prompts (e.g., callback phishing, data exfiltration, misinformation, malware guidance, medical harm, and credential theft) that appeared as legitimate AI-generated responses. Users were tricked into divulging sensitive financial/personal data, installing backdoors, or following harmful medical advice, all while the attack remained undetected due to client-side processing of URL fragments. Perplexity initially dismissed the report but later classified it as **critical severity (P1)**, deploying fixes by **November 18, 2025**. The incident highlights systemic risks in AI browsers, where LLM susceptibility to prompt injection and flawed URL-handling design enable large-scale deception, financial fraud, and operational disruptions. The attack’s stealth and automation potential—particularly in agentic browsers—posed severe reputational, financial, and trust-based damages, with long-term implications for user safety and regulatory compliance.

735
critical -4
PER3034930112625
  • Prompt Injection
  • AI Manipulation
  • Client-Side Attack
  • Social Engineering

  • Malicious URL Fragments (Post-‘#’)
  • AI Assistant Context Poisoning
  • Client-Side Execution

  • AI Browser Design Flaw (Fragment Inclusion in Context)
  • LLM Susceptibility to Prompt Injection
  • Lack of Fragment Inspection in Security Tools

  • Financial Gain
  • Data Theft
  • Misinformation
  • Credential Harvesting
  • Malware Distribution
  • Medical Harm

  • Sensitive Financial Data
  • Personal Data
  • Credentials
  • AI-Powered Browsers (Perplexity Comet, Microsoft Edge Copilot, Google Gemini for Chrome)
  • User Devices
  • IoT Devices (via Malware Guidance)
  • Automated Data Exfiltration
  • Unauthorized AI Assistant Actions
  • User Trust Erosion
  • High (Due to AI Manipulation and Undetectable Attacks)
  • High (Via Credential Theft and PII Exposure)
  • High (Financial Data Exfiltration)

  • Microsoft Acknowledged (2025-08-20)
  • 2025-10-27
  • Google Classified as 'Intended Behavior' (Low Severity, 2025-10-03)
  • Perplexity Initially Dismissed; Later Triaged as Critical (P1, 2025-10-10)
  • 2025-11-18
  • Cato CTRL (Security Research)
  • Microsoft: Patch Released (2025-10-27)
  • Perplexity: Fixes Applied (2025-11-18)
  • Google: No Remediation (Ongoing as of 2025-11-25)
  • Fragment Inspection in AI Context Windows (Proposed)

  • Financial Data
  • Personal Data
  • Credentials
  • Medical Information (via Misinformation)
  • IoT Device Access
  • Sensitivity Of Data: High
  • Automated (via Agentic Browsers like Comet)
  • Credentials
  • Financial Records
  • Personal Details

  • AI browsers must exclude URL fragments from LLM context to prevent prompt injection.
  • Client-side-only attacks evade traditional security tools, requiring new detection frameworks.
  • User trust in AI assistants can be exploited via seemingly legitimate URLs.
  • Proactive security research is critical for emerging AI-driven attack surfaces.

  • Exclude URL fragments from AI assistant context windows.
  • Implement client-side monitoring for malicious prompt execution.
  • Educate users on the risks of AI-generated suggestions from untrusted sources.
  • Develop standardized security frameworks for AI-powered browsers.
  • Enhance collaboration between AI vendors and security researchers.

  • Microsoft Resolved (2025-10-27)
  • Google Unresolved (Ongoing as of 2025-11-25)
  • Perplexity Resolved (2025-11-18)

  • Users advised to avoid clicking AI-generated links from untrusted URLs.
  • Recommend disabling AI assistant features in browsers until patches are applied (for Google Gemini).

  • Entry Point: Malicious URL Fragments (Post-‘#’) in Legitimate Websites
  • Via Malware Guidance Scenarios (IoT/Device Compromise)
  • Financial Data
  • Personal Identifiable Information (PII)
  • Credentials
  • Medical Data

  • AI browsers treating URL fragments as legitimate context for LLMs.
  • Lack of fragment inspection in security tools (server-side and network-level).
  • Over-reliance on client-side execution without validation.
  • Design flaw in AI assistant architecture (trusting unvalidated URL inputs).
  • Patch AI browsers to exclude fragments from LLM context (Microsoft/Perplexity).
  • Develop fragment-aware security tools for client-side monitoring.
  • Implement user warnings for AI-generated content from external URLs.
  • Establish industry standards for secure AI browser design.
OCTOBER 2025
739
SEPTEMBER 2025
738
AUGUST 2025
737
JULY 2025
736
JUNE 2025
735
MAY 2025
734
APRIL 2025
733
MARCH 2025
732
FEBRUARY 2025
731
JANUARY 2025
730
DECEMBER 2024
729
JUNE 2024
778
Breach
01 Jun 2024 • Perplexity AI
Perplexity AI Investigation for Breaching AWS Rules

Perplexity AI is under investigation by Amazon Web Services (AWS) for potentially breaching AWS rules by ignoring the Robots Exclusion Protocol and scraping content from websites that attempted to block its access. This protocol, which is widely respected though not legally binding, was dismissed by Perplexity as it accessed data from multiple websites including Condé Nast properties through scraping practices. Companies affected have reported unauthorized crawling by an IP address linked to Perplexity, raising concerns about data use and adherence to AWS's terms of service. As a result, the integrity and legitimacy of the content used by Perplexity's AI search service are in question, reflecting poorly on their operations.

721
medium -57
PER449070624
  • Data Scraping

  • Web Scraping

  • Ignoring Robots Exclusion Protocol

  • Data Collection

  • Website Content
  • Operational Impact: Questionable Integrity and Legitimacy of AI Search Service
  • Brand Reputation Impact: Poor Reflection on Operations

  • Type Of Data Compromised: Website Content

  • Ongoing

  • Entry Point: Web Scraping

  • Root Causes: Ignoring Robots Exclusion Protocol
JUNE 2020
780
Cyber Attack
16 Jun 2020 • Perplexity
CometJacking Attack Targeting Perplexity's AI Browser Comet

Cybersecurity researchers uncovered **CometJacking**, a novel **prompt injection attack** targeting Perplexity’s AI-powered browser, **Comet**. The attack exploits a malicious URL to hijack the embedded AI assistant, siphoning sensitive data—including emails, calendars, and connected services—without requiring credential theft, as the browser already has authorized access. The attack leverages **Base64 obfuscation** to bypass Perplexity’s data exfiltration protections, transmitting stolen information to an attacker-controlled endpoint in a single click. The technique weaponizes the **‘collection’ URL parameter**, tricking the AI into executing hidden prompts that extract data from the user’s linked accounts (e.g., Gmail). While Perplexity dismissed the findings as having **‘no security impact’**, the attack demonstrates how AI-native tools can **circumvent traditional defenses**, turning trusted assistants into insider threats. Researchers warn this could enable large-scale data theft if exploited in phishing campaigns, particularly in enterprise environments where AI browsers are integrated. The attack mirrors prior techniques like **Scamlexity** (2020), where browsers were manipulated into interacting with phishing pages autonomously. Experts emphasize the urgent need for **security-by-design** in AI agents to prevent prompt-based exploits from becoming widespread threats.

764
high -16
PER1592715100425
  • Prompt Injection
  • Data Exfiltration
  • AI Hijacking

  • Malicious URL
  • Phishing Email
  • Web Page

  • AI Agent Memory Access
  • Base64 Obfuscation Bypass
  • URL Parameter Manipulation (collection)

  • Data Theft
  • Unauthorized Data Access
  • Exploitation of AI Tools

  • Email Data
  • Calendar Data
  • Connected Service Data
  • Perplexity Comet AI Browser
  • Potential Erosion of Trust in AI Tools

  • LayerX (Research Disclosure)
  • Guardio Labs (Prior Research Reference)
  • Public Disclosure via The Hacker News
  • Statements by LayerX Researchers
  • Urgent Evaluation of Controls for Malicious Agent Prompts (Recommended)

  • Email Data
  • Calendar Data
  • Connector Service Data
  • High (Authorized Access to Connected Services)
  • Base64-Encoded Data Transmitted to Attacker-Controlled Endpoint
  • Bypassed via Obfuscation (Base64)
  • Potential (Depending on Connected Services)

  • AI-native browsers introduce new security risks that bypass traditional defenses.
  • Trivial obfuscation (e.g., Base64) can circumvent data exfiltration checks in AI tools.
  • Malicious prompts in URLs can weaponize AI agents with existing authorized access.
  • Security-by-design is critical for AI agent prompts and memory access, not just page content.

  • Implement controls to detect and neutralize malicious agent prompts in AI browsers.
  • Evaluate and harden AI tool integrations with connected services (e.g., Gmail, Calendar).
  • Monitor for weaponized URLs targeting AI-native tools in phishing campaigns.
  • Adopt security-by-design principles for AI memory access and prompt execution.

  • Disclosed by Third-Party Researchers (LayerX); Perplexity Classified as 'No Security Impact'

  • Malicious URL (Phishing Email or Web Page)
  • Connected Services (Gmail, Calendar, etc.)

  • Lack of prompt validation in AI agent memory access.
  • Insufficient safeguards against URL parameter manipulation (e.g., 'collection').
  • Over-reliance on traditional defenses for AI-native tools.

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for Perplexity is 726, which corresponds to a Moderate rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 739.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 738.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 737.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 736.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 735.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 734.

According to Rankiteo, the A.I. Rankiteo Cyber Score for April 2025 was 733.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2025 was 732.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2025 was 731.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2025 was 730.

According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2024 was 729.

Over the past 12 months, the average per-incident point impact on Perplexity’s A.I Rankiteo Cyber Score has been -6.5 points.

You can access Perplexity’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/perplexity-ai.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view Perplexity’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/perplexity-ai.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.