Perplexity AI Impersonation Attack: How a Malicious Chrome Extension Turned Your Search Bar into a Data Exfiltration Pipeline + Video

Listen to this Post

Featured Image

Introduction

A sophisticated malicious Chromium extension recently demonstrated how threat actors are weaponizing the trust users place in popular AI brands. Disguised as a legitimate Perplexity AI search tool, the extension “Search for perplexity ai” (ID: flkebkiofojicogddingbdmcmkpbplcd) quietly intercepted browser searches and captured every keystroke typed into the address bar—before seamlessly redirecting users to legitimate search results. Microsoft Threat Intelligence identified the campaign, which abused Manifest V3’s Declarative Net Request (DNR) APIs and a typosquatted domain (perplexity-ai[.]online) to create a stealthy two-hop interception pipeline that logged queries, IP addresses, browser headers, and telemetry to attacker-controlled infrastructure. This incident underscores a critical shift: attackers are no longer exploiting browser vulnerabilities—they are exploiting user trust in AI brands as the primary attack vector.

Learning Objectives

  • Understand how malicious Chrome extensions abuse Manifest V3 APIs and declarativeNetRequest permissions to intercept and exfiltrate search traffic.
  • Learn to identify typosquatting domains, suspicious permission requests, and indicators of compromise associated with browser search hijacking.
  • Acquire practical skills to detect, remove, and prevent similar threats using enterprise browser policies, command-line tools, and security monitoring.

You Should Know

  1. The Anatomy of the Attack: How a “Legitimate” Extension Became a Data-Stealing Machine

The extension operated with surgical precision, abusing three powerful permissions that no legitimate AI search assistant should ever request:

– `declarativeNetRequest` – allowed the extension to intercept, block, or redirect network requests.
– `declarativeNetRequestFeedback` – provided visibility into which interception rules were triggered.
– `declarativeNetRequestWithHostAccess` – granted the ability to intercept requests on specific domains.

Upon installation, the extension performed a two-hop interception workflow:

  1. User Action: The victim typed a search query into the browser’s address bar.
  2. First Hop (Exfiltration): The query was sent to the attacker’s typosquatted domain perplexity-ai[.]online. The server logged the full request—including the search term, IP address, user-agent string, and HTTP headers.
  3. Second Hop (Redirection): The server immediately redirected the browser to the legitimate search engine (Perplexity, Google, or Bing).

Because victims received the expected search results, the activity remained virtually undetectable. The extension also overrode Chrome’s live search suggestions (suggest_url), meaning every character typed into the address bar—even before pressing Enter—was transmitted to the attacker’s server.

Technical Deep Dive: How to Detect Similar Abuses

Check Chrome Extension Permissions (Windows):

 List all installed extensions with their permissions
Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" -Directory | ForEach-Object {
$manifest = Join-Path $_.FullName "/manifest.json"
if (Test-Path $manifest) {
Get-Content $manifest | Select-String -Pattern '"permissions"'
}
}

Check Chrome Extension Permissions (Linux/macOS):

 Find and inspect manifest.json for suspicious permissions
find ~/.config/google-chrome/Default/Extensions/ -1ame "manifest.json" -exec grep -l "declarativeNetRequest" {} \;

Monitor DNS Queries for Typosquatted Domains (Linux):

 Monitor real-time DNS queries to detect suspicious look-alike domains
sudo tcpdump -i any -1 port 53 -v | grep -E "perplexity|chatgpt|claude|gemini"

Windows Command to Check Default Search Engine (Registry):

reg query "HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs" /s | findstr "search_url"

Detect Unauthorized Search Provider Overrides (PowerShell):

 Check Chrome's Local State for default search provider changes
$localState = Get-Content "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State" | ConvertFrom-Json
$localState.protected.preferences.default_search_provider_data.template_url

2. The Typosquatting Domain: perplexity-ai[.]online

The attackers registered perplexity-ai[.]online—a domain designed to visually mimic the legitimate perplexity.ai. This typosquatting technique exploits users who glance quickly at domain names or trust the visual branding of an extension’s support page.

The extension’s onboarding page was hosted at extension.tilda[.]ws/perplexityai, presenting users with a professional-looking product setup flow—a tactic commonly used in adware campaigns to build trust while silent browser changes occur in the background.

How to Investigate Suspicious Domains

WHOIS Lookup (Linux/macOS):

whois perplexity-ai.online

DNS Enumeration with Dig:

dig perplexity-ai.online A
dig perplexity-ai.online NS

Check Domain Reputation (Using VirusTotal API):

curl -X GET "https://www.virustotal.com/api/v3/domains/perplexity-ai.online" -H "x-apikey: YOUR_API_KEY"

Extract All Domains Referenced in an Extension (Linux):

 Unpack a .crx file and grep for domains
unzip -p extension.crx | strings | grep -E "(https?://[a-zA-Z0-9.-]+)" | sort -u
  1. Manifest V3: Security Improvement or New Attack Surface?

Google has long argued that Manifest V3 (MV3) offers a safer extension ecosystem, with the transition from Manifest V2 partly aimed at reducing security risks. However, this campaign demonstrates that attackers are adapting to MV3, not by exploiting vulnerabilities, but by creatively abusing legitimate capabilities.

The extension relied heavily on MV3’s Declarative Net Request (DNR) APIs—designed for legitimate request filtering and ad blocking—to enable the two-hop interception workflow. This is a critical takeaway: Manifest V3 raises the security bar but does not eliminate the need for rigorous extension vetting.

Security Hardening: Restrict Extension Installation via Group Policy

Windows Group Policy (Administrative Templates):

Computer Configuration > Administrative Templates > Google Chrome > Extensions
- Configure the list of force-installed extensions (allowlist only approved IDs)
- Control which extensions are installed silently
- Block external extensions from being installed

Linux Chrome Policy (JSON):

{
"ExtensionInstallBlocklist": [""],
"ExtensionInstallAllowlist": ["approved_extension_id_1", "approved_extension_id_2"]
}

macOS Configuration Profile:

<key>ExtensionInstallBlocklist</key>
<array>
<string></string>
</array>
<key>ExtensionInstallAllowlist</key>
<array>
<string>approved_extension_id</string>
</array>

Browser Extension Audit Script (PowerShell):

 Generate a report of all installed Chrome extensions
$extensions = Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" -Directory
foreach ($ext in $extensions) {
$manifest = Get-ChildItem $ext.FullName -Recurse -Filter "manifest.json" | Select-Object -First 1
if ($manifest) {
$json = Get-Content $manifest.FullName | ConvertFrom-Json
[bash]@{
ExtensionID = $ext.Name
Name = $json.name
Version = $json.version
Permissions = $json.permissions -join ", "
}
}
} | Export-Csv -Path "ExtensionAudit.csv" -1oTypeInformation

4. Indicators of Compromise (IoCs) and Detection Strategies

| IoC Type | Value |

|-|-|

| Extension Name | “Search for perplexity ai” |

| Extension ID | `flkebkiofojicogddingbdmcmkpbplcd` |

| Malicious Domain | `perplexity-ai[.]online` |

| Onboarding Page | `extension.tilda[.]ws/perplexityai` |

| Requested Permissions | `declarativeNetRequest`, `declarativeNetRequestFeedback`, `declarativeNetRequestWithHostAccess` |

Detection Commands

Search for the malicious extension ID across all Chrome profiles (Linux):

find ~/.config/google-chrome -1ame "Preferences" -exec grep -l "flkebkiofojicogddingbdmcmkpbplcd" {} \;

Check for unauthorized search engine changes (Windows Registry):

reg query "HKCU\Software\Google\Chrome\PreferenceMACs" /s | findstr "perplexity-ai.online"

Monitor outbound connections to suspicious domains (Linux):

 Monitor live connections to known malicious domains
sudo tcpdump -i any -1 -vvv | grep -E "perplexity-ai.online|tilda.ws"

SIEM Query (Splunk/ELK) for Suspicious Extension Activity:

index=windows source="WinEventLog:Security" EventCode=4688 
| where Process_Command_Line contains "chrome.exe" AND Process_Command_Line contains "--load-extension"
| stats count by User, Process_Command_Line

5. Enterprise Browser Security: Governance and Prevention

Both Gartner analyst Sushovan Mukhopadhyay and independent researcher Vibhum Dubey emphasized that the harder enterprise problem is visibility. Organizations often have mature processes for email and endpoint security but lack governance over browser extensions—which quietly become “a data collection layer inside the employee’s everyday workflow”.

Recommended Controls

1. Allowlist-Only Extension Policy

  • Maintain an approved extension list based on business necessity.
  • Block all unapproved extensions via Group Policy or Chrome Enterprise.

2. Monitor Default Search Provider Changes

  • Use endpoint detection and response (EDR) tools to alert on unauthorized modifications to browser search settings.

3. Treat AI-Branded Tools with Extra Suspicion

  • Verify the publisher and official domain before installation.
  • Check that the extension’s support site matches the official company domain.

4. Deploy Browser Security Extensions

  • Use tools that detect typosquatting and malicious domains in real-time.

5. Regular User Training

  • Educate employees on the risks of AI-themed social engineering.
  • Teach users to inspect requested permissions—no legitimate AI search tool needs `declarativeNetRequest` capabilities.

Automated Browser Security Check Script (Python)

import os
import json
import requests

def check_chrome_extensions():
ext_path = os.path.expanduser("~/.config/google-chrome/Default/Extensions")
suspicious_perms = ["declarativeNetRequest", "declarativeNetRequestFeedback", "webRequest"]

for ext_id in os.listdir(ext_path):
manifest_path = os.path.join(ext_path, ext_id, "/manifest.json")
 Simplified check - iterate version folders
for root, dirs, files in os.walk(os.path.join(ext_path, ext_id)):
if "manifest.json" in files:
with open(os.path.join(root, "manifest.json"), "r") as f:
manifest = json.load(f)
perms = manifest.get("permissions", [])
if any(p in perms for p in suspicious_perms):
print(f"[!] Suspicious: {ext_id} - {manifest.get('name')} - Permissions: {perms}")
  1. Incident Response: What to Do If You Installed the Extension

If you or your users installed “Search for perplexity ai,” take the following steps immediately:

Step 1: Remove the Extension

  • Chrome: Go to chrome://extensions/, find the extension, and click Remove.
  • Edge: Go to `edge://extensions/` and remove it.

Step 2: Verify Default Search Engine

  • Chrome: Go to Settings > Search engine > Manage search engines and site search. Ensure the default is not set to perplexity-ai[.]online.

Step 3: Clear Browser Data

  • Clear cookies, cached images, and site data to remove any tracking artifacts.

Step 4: Rotate Credentials

  • If you searched for sensitive information (e.g., internal systems, project names), consider rotating any credentials that may have been exposed through search queries.

Step 5: Report the Incident

  • Report the installation to your security team for further investigation.

What Undercode Say

  • Key Takeaway 1: The attack exploited user trust in AI brands, not a browser vulnerability. This represents a fundamental shift from technical exploitation to social engineering—AI-themed phishing now extends to browser extensions.

  • Key Takeaway 2: Manifest V3 is not a silver bullet. While it improves security, attackers are already adapting by abusing legitimate APIs like declarativeNetRequest. Organizations cannot rely on browser vendors alone; they must implement their own governance and monitoring.

Analysis: This campaign is a wake-up call for security leaders. Enterprise AI adoption is accelerating faster than security governance, creating a dangerous gap that attackers are eager to exploit. The extension’s modular design—with separate rule files for Perplexity, Google, and Bing—suggests the operators planned to scale the attack. The inclusion of server-side logging code and the potential to run WebAssembly later indicates a sophisticated operation with long-term objectives. As Vibhum Dubey noted, “Users also expect AI tools to request broad permissions to access websites and browser content, allowing malicious permission requests to blend in with legitimate functionality”. This blending effect makes detection exceptionally difficult for average users. The response must be multi-layered: technical controls (allowlisting, monitoring), user education (verifying publishers and permissions), and governance (policies that treat AI-branded extensions as high-risk).

Prediction

  • +1 Expect a surge in AI-branded browser extensions as attackers replicate this playbook across ChatGPT, Claude, Gemini, and other popular AI platforms. The barrier to entry is low—register a typosquatted domain, create a convincing UI, and abuse standard extension APIs.

  • -1 Most organizations will remain unprepared for this threat. Browser extension security is often overlooked in favor of email and endpoint controls, leaving a wide-open data exfiltration channel.

  • +1 Browser vendors will likely tighten extension review processes and introduce additional permission warnings for APIs like declarativeNetRequest. However, attackers will continue to find creative ways to abuse legitimate functionality.

  • -1 The gap between enterprise AI adoption and security governance will widen, creating more opportunities for attackers to exploit employee enthusiasm for new AI tools. Security teams must catch up quickly or risk becoming the next headline.

  • +1 This incident will accelerate the adoption of enterprise browser management solutions that provide visibility and control over extensions, default search settings, and network traffic. Organizations that proactively implement these controls will be better positioned to defend against the coming wave of AI-themed browser threats.

▶️ Related Video (72% Match):

https://www.youtube.com/watch?v=5ik4G-rc91I

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky