Particle.news

Malicious Chrome Extension Posing as Perplexity AI Logged Users' Searches

The extension abused Chrome search settings and a rules-based network permission to forward address‑bar input to an attacker server so typed queries and metadata were recorded.

Overview

  • Security researchers disclosed that a fake extension called “Search for perplexity ai” routed Chrome address‑bar searches through a typosquatted domain and logged queries before forwarding them to real search engines.
  • The operator used chrome_settings_overrides to change default search behavior and declarativeNetRequest (DNR) rules to redirect and capture real‑time autocomplete input, including text deleted before submission.
  • Google removed the extension from the Chrome Web Store after public disclosure, but the extension remains active on any browsers where it was already installed and must be uninstalled manually using the published extension ID.
  • Microsoft reported no evidence of stolen credentials but advised users to audit and remove suspicious extensions, review permissions, and change passwords as a precaution.
  • The incident highlights persistent gaps in marketplace review and a rising trend of attackers using AI branding and typosquatting to lure users, which could prompt tighter store checks and stricter permission controls.