Perplexity Breach Incident Score: Analysis & Impact (PER2892328112025)

In this Rankiteo incident briefing, we review the Perplexity breach identified under incident ID PER2892328112025.

The analysis begins with a detailed overview of Perplexity's information like the linkedin page: https://www.linkedin.com/company/perplexity-ai, the number of followers: 1260308, the industry type: Software Development and the number of employees: 1749 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 735 and after the incident was 726 with a difference of -9 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Perplexity and their customers.

On 19 November 2025, Perplexity AI (Comet Browser) disclosed Vulnerability, Privilege Escalation and Arbitrary Code Execution issues under the banner "Comet Browser MCP API Vulnerability Exposes Users to Arbitrary Command Execution".

SquareX researchers discovered a critical security flaw in Comet, Perplexity's AI-powered agentic browser.

The disruption is felt across the environment, affecting Comet Browser (AI-powered agentic browser by Perplexity), and exposing Local files, System data and User activity logs (potential).

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Disabled MCP API via silent update, and stakeholders are being briefed through Limited (no public documentation of patch; researchers notified on 2025-11-04, no response until post-publication).

The case underscores how Partially Resolved (MCP API disabled; long-term fixes pending), teams are taking away lessons such as AI browsers break traditional sandboxing models, increasing attack surface, Hidden extensions with privileged APIs pose transparency risks and Silent patches without disclosure erode user trust, and recommending next steps like Disable local MCP API permanently or restrict to minimal necessary functionality, Inform users about privileged extensions and provide opt-out mechanisms and Document all high-risk APIs and their intended use cases.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Drive-by Compromise (T1189) with moderate to high confidence (85%), with evidence including attackers exploiting this via **XSS**... to deploy malware, and hidden built-in extensions exploit the **MCP API** to execute arbitrary commands and Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (70%), with evidence including perplexity.ai **subdomains** could be hijacked by attackers, and hidden built-in extensions (**Comet Analytics** and **Comet Agentic**). Under the Execution tactic, the analysis identified Command and Scripting Interpreter (T1059) with high confidence (95%), with evidence including execute **arbitrary commands** on a user’s device via **MCP API**, and chrome.perplexity.mcp.**addStdioServer** and Command and Scripting Interpreter: JavaScript (T1059.007) with high confidence (90%), with evidence including exploit the MCP API... via **XSS**, and hidden built-in **extensions** (JavaScript-based). Under the Persistence tactic, the analysis identified Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate to high confidence (75%), with evidence including **hidden extensions** exploit the MCP API (persistent browser context), and potential backdoors via MCP API persistence and Pre-OS Boot: System Firmware (T1542.001) with lower confidence (30%), supported by evidence indicating aI browsers **bypassing traditional sandboxing** (implies deep system access). Under the Privilege Escalation tactic, the analysis identified Exploitation for Privilege Escalation (T1068) with high confidence (90%), with evidence including **Privilege Escalation** (incident type), and hidden extensions leverage **MCP API** to execute arbitrary commands and Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) with moderate to high confidence (80%), with evidence including bypassing traditional **sandboxing** models, and deep system access via MCP API. Under the Defense Evasion tactic, the analysis identified Masquerading (T1036) with high confidence (95%), with evidence including **hidden built-in extensions** (Comet Analytics/Comet Agentic), and extension stomping (spoofing the Analytics Extension’s **manifest key**), Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (70%), with evidence including **silently patched** the issue by disabling the MCP API (implies prior evasion), and lack of transparency and user control over these extensions, and Obfuscated Files or Information (T1027) with moderate confidence (60%), supported by evidence indicating hidden built-in extensions (obfuscated from user view). Under the Credential Access tactic, the analysis identified Credentials from Password Stores (T1555) with moderate to high confidence (80%), with evidence including **User credentials** (high-value target), and execute arbitrary commands on a user’s device (could dump creds). Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with moderate to high confidence (85%), with evidence including **Local files**, **System data**, **User activity logs** (targeted for exfiltration), and deep system access via MCP API and Process Discovery (T1057) with moderate to high confidence (70%), supported by evidence indicating execute arbitrary commands (implies process enumeration). Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), with evidence including exfiltrate **data**, and **Local files**, **System data** (data compromised). Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), with evidence including exfiltrate data via MCP API, and perplexity.ai **subdomains** (potential C2) and Automated Exfiltration (T1020) with moderate to high confidence (75%), with evidence including **Comet Agentic** extension (automated AI-driven exfiltration), and execute arbitrary commands (could script exfiltration). Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate to high confidence (85%), with evidence including deploy **ransomware** (demonstrated in attack scenario), and execute arbitrary commands (could encrypt files) and Endpoint Denial of Service: Application or System Exploitation (T1499.004) with moderate to high confidence (70%), with evidence including install **malware** (could include DoS payloads), and full device takeover if exploited. Under the Lateral Movement tactic, the analysis identified Remote Services: SSH (T1021.004) with lower confidence (40%), supported by evidence indicating execute arbitrary commands (could enable lateral movement). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.