
Malicious Chromium Extension Impersonates Perplexity AI to Hijack Browser Searches


Chromatic Deception: A Malicious Chromium Extension Impersonates Perplexity AI

In a recent incident, a malicious Chromium extension posing as the Perplexity AI brand gained traction and compromised user privacy. The extension, titled “Search for perplexity ai” and identifiable by its extension ID flkebkiofojicogddingbdmcmkpbplcd, version 2.2, abused the browser’s extension features to intercept searches and capture keystrokes without users’ consent.

The extension uniquely utilized Manifest V3 functionalities, specifically declarativeNetRequest (DNR) rules, alongside a typosquatted domain named perplexity-ai[.]online. This sophisticated setup created a dual-layer interception system, which not only logged user queries but also transmitted collected telemetry data back to servers controlled by the malicious operators. Microsoft, upon discovering these nefarious activities, reported the extension to Google, resulting in its removal from the Chrome Web Store.

Upon installation, the malicious extension altered user settings by establishing itself as the default search provider through the chrome_settings_overrides manifest key. This redirected both completed search queries and partially typed input to the adversary’s domain. Users often remained unaware, because the extension used DNR rules to redirect the browser onward to legitimate search engines such as Perplexity, Google, or Bing. While users saw genuine search results, the extension quietly captured extensive data, including full query strings, HTTP headers, user agents, and IP addresses. This turned a seemingly harmless tool into a potent surveillance mechanism.

The architectural elements of the extension revealed its intent. The manifest and the server-side code recovered from the operators’ infrastructure, specifically server.js and nginx.conf, showed how the extension intercepted data. server.js functioned as a proxy that recorded incoming headers and applied a permissive CORS policy, while nginx.conf terminated TLS and forwarded search requests onward. Together they formed a deliberate pipeline for harvesting sensitive information without drawing user suspicion.

Technical choices within the extension further enhanced its stealth capabilities. The inclusion of the suggest_url field enabled real-time data capture of keystrokes before final queries were submitted. This method provided active surveillance capabilities, allowing the attackers to monitor user behavior directly, rather than merely redirecting browsing activities. Microsoft Threat Intelligence has highlighted this tactic as part of a broader trend where adversaries exploit the current AI hype, using brand imitation and misleading onboarding experiences to deceive unsuspecting users into installation.

The DNR-specific permissions requested by this malicious extension, including declarativeNetRequest and declarativeNetRequestWithHostAccess, allowed a degree of monitoring and interception far beyond what a typical AI assistant would require. This unusual breadth of access posed a significant privacy threat to users who unknowingly granted these permissions during installation. In addition, the extension declared a content_security_policy that permitted WebAssembly evaluation. That allowance suggested the operators intended to add functionality later without republishing the extension, showing a level of foresight on the part of its creators.
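The three manifest traits described above (a search-provider override with a suggest_url, declarativeNetRequest permissions, and a CSP that permits WebAssembly evaluation) can be checked statically before an extension is approved. The following triage script is an added example for this article, not code from Microsoft or from the extension itself. Both sample manifests are constructed: the suspicious one mirrors the traits reported here but points at the stand-in domain perplexity-ai.example rather than the real typosquat, and the host and permission lists are assumptions to tune per organization.

```python
"""Static triage of Chromium extension manifests for the search-hijack pattern
described above: a search-provider override to a host that is not the brand the
extension name claims, a suggest_url that leaks keystrokes, network-control
permissions such as declarativeNetRequest, and a CSP permitting WebAssembly
evaluation. Both sample manifests are constructed for this example."""
import json
from urllib.parse import urlparse

# Search hosts an organization treats as legitimate (assumption: tune per org).
KNOWN_SEARCH_HOSTS = {"www.perplexity.ai", "perplexity.ai", "www.google.com",
                      "www.bing.com", "duckduckgo.com"}
# Brand keywords that may appear in an extension name, and the domain each brand owns.
BRAND_DOMAINS = {"perplexity": "perplexity.ai", "google": "google.com", "bing": "bing.com"}
# Permissions that let an extension inspect, rewrite or redirect traffic.
NETWORK_CONTROL_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                         "declarativeNetRequestFeedback", "webRequest",
                         "webRequestBlocking", "proxy"}

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def assess_manifest(manifest: dict) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    name = manifest.get("name", "").lower()
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    search_host = _host(provider.get("search_url", ""))
    if search_host and search_host not in KNOWN_SEARCH_HOSTS:
        findings.append(f"default search overridden to unknown host {search_host}")
    for brand, domain in BRAND_DOMAINS.items():
        if brand in name and search_host and not _under(search_host, domain):
            findings.append(f"name claims {brand!r} but searches go to {search_host}, not {domain}")
    suggest_host = _host(provider.get("suggest_url", ""))
    if suggest_host and suggest_host not in KNOWN_SEARCH_HOSTS:
        findings.append(f"suggest_url streams keystrokes to unknown host {suggest_host}")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    net = sorted(perms & NETWORK_CONTROL_PERMS)
    if net:
        findings.append("network-control permissions: " + ", ".join(net))
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):          # Manifest V3 uses an object keyed by context
        csp = " ".join(csp.values())
    if "unsafe-eval" in csp:           # matches both 'unsafe-eval' and 'wasm-unsafe-eval'
        findings.append("CSP permits eval or WebAssembly evaluation")
    return findings

def assess_manifest_text(text: str) -> list:
    """Convenience wrapper for a manifest.json read from disk."""
    return assess_manifest(json.loads(text))

# Constructed sample: the traits reported for the malicious extension, with a stand-in domain.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Search for perplexity ai",
    "version": "2.2",
    "permissions": ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"],
    "host_permissions": ["<all_urls>"],
    "chrome_settings_overrides": {
        "search_provider": {
            "name": "Perplexity", "keyword": "pplx", "encoding": "UTF-8", "is_default": True,
            "search_url": "https://perplexity-ai.example/search?q={searchTerms}",
            "suggest_url": "https://perplexity-ai.example/suggest?q={searchTerms}",
        }
    },
    "content_security_policy": {
        "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
    },
}

# Constructed sample: the same search-override feature used legitimately, pointing at the real brand.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Perplexity search shortcut",
    "version": "1.0",
    "permissions": [],
    "chrome_settings_overrides": {
        "search_provider": {
            "name": "Perplexity", "keyword": "pplx", "encoding": "UTF-8", "is_default": True,
            "search_url": "https://www.perplexity.ai/search?q={searchTerms}",
        }
    },
}

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess_manifest(manifest) or ["no findings"])
```

The brand-mismatch check is the one that separates this pattern from an ordinary search shortcut: overriding the default search engine is a documented, legitimate capability, and the benign sample uses it, so the signal is the combination of an override to a host the claimed brand does not own with keystroke-level suggestions and traffic-rewriting permissions.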

The implications of this cyber threat are expansive. Typosquatting a reputable AI brand and replicating familiar onboarding experiences effectively heightened the chances of user installation. This means that unsuspecting individuals seeking to leverage AI technology for simple search tasks found themselves unwittingly involved in a more complex and risky situation. Although Microsoft indicated no immediate evidence of credential theft associated with this extension, the extensive telemetry gathered represented a serious privacy risk.

The incident underscores significant trends within the cybersecurity landscape. First, browser extensions continue to be a highly valuable target for malicious actors since they possess privileged access to user APIs and traffic data. Second, the weaponization of AI branding serves as a social-engineering vector, intending to minimize user skepticism when a well-known AI service is imitated. The researchers at Microsoft have tied these observations to a growing body of evidence indicating that threat actors are adept at operationalizing AI both as a technical tool and as bait for unsuspecting users.

For organizations looking to fortify themselves against such attacks, the defensive advice is clear-cut. Enterprises should enforce strict extension allow-list policies and block any untrusted extensions. They should also monitor for unauthorized changes to browser settings and for outbound traffic routed toward unfamiliar domains. Finally, heightened scrutiny should be applied to extensions requesting search-override capabilities or other network-manipulation APIs.
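The monitoring advice above (outbound search traffic toward unfamiliar domains) can be turned into a detection pass over web-proxy logs. The script below is an added example for this article, not a detection Microsoft published. The log lines are constructed, the one-line "timestamp user method url" format is an assumption to adapt to your proxy, and perplexity-ai.example stands in for the real typosquat domain. It tiers alerts: a host that embeds a known brand name but is not under that brand's domain is high severity, any other unfamiliar host receiving a search term is low severity, and internal hosts are ignored.

```python
"""Detection over constructed web-proxy log lines: flag requests that carry a
search term (q=, query=, ...) to hosts that are not known search providers,
raising brand-lookalike hosts to high severity. Format and host lists are
assumptions for this example; adapt them to your environment."""
import re
from urllib.parse import urlparse, parse_qs

KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com",
                      "www.perplexity.ai", "perplexity.ai"}
BRAND_DOMAINS = {"perplexity": "perplexity.ai", "google": "google.com", "bing": "bing.com"}
INTERNAL_SUFFIXES = (".corp.example",)            # assumption: your own domains
SEARCH_PARAMS = {"q", "query", "search", "text"}  # query-string keys that carry search terms

# Assumed log format: "<timestamp> <user> <method> <url>" (constructed for this example).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def classify_request(url: str):
    """Return (severity, host, reason) for a suspicious request URL, or None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host or host in KNOWN_SEARCH_HOSTS:
        return None
    if any(host.endswith(suffix) for suffix in INTERNAL_SUFFIXES):
        return None
    carried = [k for k in parse_qs(parts.query) if k.lower() in SEARCH_PARAMS]
    if not carried:
        return None
    for brand, domain in BRAND_DOMAINS.items():
        if brand in host and not _under(host, domain):
            return ("high", host, f"lookalike of {domain} receives search term via {carried[0]!r}")
    return ("low", host, f"unfamiliar host receives search term via {carried[0]!r}")

def scan_proxy_log(lines):
    """Parse log lines and return one alert dict per suspicious request."""
    alerts = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue                      # unparsable line; real deployments should count these
        verdict = classify_request(match["url"])
        if verdict:
            severity, host, reason = verdict
            alerts.append({"time": match["ts"], "user": match["user"], "host": host,
                           "severity": severity, "reason": reason})
    return alerts

def hosts_by_user_count(alerts):
    """Distinct users per flagged host: several users hitting one lookalike host
    points at a fleet-wide extension install rather than one person's typo."""
    users = {}
    for alert in alerts:
        users.setdefault(alert["host"], set()).add(alert["user"])
    return {host: len(names) for host, names in users.items()}

# Constructed sample log. bob's and erin's browsers route searches and keystroke
# suggestions to the lookalike host; dave's request is internal; frank's is merely unfamiliar.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z alice GET https://www.google.com/search?q=quarterly+report
2024-05-01T09:12:05Z bob GET https://perplexity-ai.example/search?q=vpn+password+reset
2024-05-01T09:12:06Z bob GET https://perplexity-ai.example/suggest?q=vpn+pa
2024-05-01T09:13:10Z carol GET https://www.perplexity.ai/search?q=dns+over+https
2024-05-01T09:14:00Z dave GET https://wiki.corp.example/search?q=onboarding
2024-05-01T09:15:22Z erin GET https://perplexity-ai.example/search?q=board+minutes
2024-05-01T09:16:00Z frank GET https://newsite.example/find?query=weather
""".splitlines()

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for alert in found:
        print(alert["severity"].upper(), alert["time"], alert["user"], alert["reason"])
    print("distinct users per flagged host:", hosts_by_user_count(found))
```

The per-host user count is the part worth keeping in a real pipeline: one user reaching an odd host is noise, but the same lookalike host collecting search terms from several users in a short window is the signature of an extension that has been installed across the fleet, and the affected users' extension lists are the next place to look.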

In conclusion, while the extension’s removal from the Chrome Web Store after Microsoft reported it to Google provides a temporary reprieve, the defensive measures recommended above remain essential. The tactics the attackers employed, typosquatting a trusted AI brand and layering legitimate interception mechanisms, are easily replicable. Both security teams and ordinary users must therefore stay vigilant as malicious actors continue to exploit emerging technologies and brand reputations to harvest sensitive browsing data.
