Malicious Chrome Extension Impersonates Perplexity AI, Hijacks Search Traffic
A deceptive Chrome extension, masquerading as the popular **Perplexity AI** search assistant, has been found intercepting user search queries and collecting browsing data. Discovered by **Microsoft Threat Intelligence**, the extension rerouted traffic through its own infrastructure, raising significant privacy concerns for users.
A new threat has emerged in the **Chrome Web Store**, targeting users seeking AI-powered search tools. A malicious extension, deceptively named "Search for perplexity ai," has been actively intercepting search traffic and gathering browsing information.
### Deceptive Tactics and Data Interception
The rogue extension, identified by **Microsoft Threat Intelligence** researchers, routed all search queries and real-time suggestions through its own infrastructure before redirecting users to legitimate search services. While **Microsoft** noted no evidence of credential theft, the extension's extensive permissions create a clear pathway for more significant data exfiltration should the operators choose to expand their scope.
**Perplexity AI** is a legitimate research assistant known for synthesizing web information into direct, conversational responses. Its official Chrome extension is titled "Perplexity - AI Search." The imposter extension, however, used similar branding and a deceptive domain, "perplexity-ai[.]online," to mislead users.

Upon installation, the malicious extension immediately alters the browser's search settings. It replaces the default search provider and funnels all address-bar queries through the attacker's intermediary infrastructure.
**Microsoft** elaborated on this behavior, stating, "The extension overrides browser search settings through `chrome_settings_overrides` to replace the browser default search provider as well as intercept and redirect all queries in a **Chromium** browser's **Omnibox** to an intermediary infrastructure not associated with the official vendor domain."
### Intentional Data Collection and Permissions Abuse
The level of data collection exhibited by the extension is far from accidental. **Microsoft** found logging code on the extension's server, indicating a deliberate design for data harvesting. Furthermore, the extension requests powerful **DNR** permissions, enabling traffic redirection, URL rewriting, and selective request filtering, capabilities that are inconsistent with the expected behavior of a legitimate AI assistant.
While direct credential theft wasn't observed, the confirmed data collection routines allow for extensive user profiling. This creates potential avenues for future exploitation, including targeted phishing or other social engineering attacks.
Users who have installed an extension with the ID "flkebkiofojicogddingbdmcmkpbplcd" are strongly advised to remove it immediately from their browser. As a precautionary measure, it is also recommended to rotate passwords for critical online accounts.
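A manifest review for the traits described above (a `chrome_settings_overrides` search provider that points away from the vendor's domain, and DNR, i.e. `declarativeNetRequest`, permissions), as an added example that is not code from Microsoft or from the original article. The helper names, the finding labels and the sample manifest with its `example.test` domains are constructed for illustration; the caller supplies the vendor domains it trusts.

```javascript
// Added example: flag the manifest traits the article describes (hypothetical helpers).
const REPORTED_EXTENSION_ID = "flkebkiofojicogddingbdmcmkpbplcd"; // ID quoted in the article
const DNR_PERMISSIONS = ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"];

// Hostname of a search/suggest URL template, or null if it does not parse.
function hostOf(urlTemplate) {
  try { return new URL(urlTemplate).hostname.toLowerCase(); } catch { return null; }
}

// True when host is a trusted vendor domain or one of its subdomains.
// A lookalike such as "evilvendor.example" does not match "vendor.example".
function belongsTo(host, vendorDomains) {
  return vendorDomains.some((d) => host === d || host.endsWith("." + d));
}

// Returns a list of finding labels for one extension's parsed manifest.json.
function auditManifest(extensionId, manifest, vendorDomains) {
  const findings = [];
  if (extensionId === REPORTED_EXTENSION_ID) findings.push("reported-extension-id");

  // Search provider override: where do address-bar queries and suggestions go?
  const provider = manifest.chrome_settings_overrides?.search_provider;
  if (provider) {
    if (provider.is_default) findings.push("replaces-default-search-provider");
    for (const key of ["search_url", "suggest_url"]) {
      if (!provider[key]) continue;
      const host = hostOf(provider[key]);
      const trusted = host !== null && belongsTo(host, vendorDomains);
      if (!trusted) findings.push(`${key}-off-vendor:${host}`);
    }
  }

  // Request-rewriting permissions, whether required or optional.
  const perms = [...(manifest.permissions ?? []), ...(manifest.optional_permissions ?? [])];
  const dnr = perms.filter((p) => DNR_PERMISSIONS.includes(p));
  if (dnr.length > 0) findings.push(`dnr-permission:${dnr.join(",")}`);
  return findings;
}

// Constructed sample manifest (not the real extension's file); domains are placeholders.
const sampleManifest = {
  manifest_version: 3,
  name: "Constructed search helper",
  permissions: ["declarativeNetRequest", "storage"],
  chrome_settings_overrides: { search_provider: {
    name: "Constructed", keyword: "cs", is_default: true,
    search_url: "https://relay.example.test/s?q={searchTerms}",
    suggest_url: "https://relay.example.test/suggest?q={searchTerms}",
  } },
};
```

Each finding is a prompt for manual review rather than a verdict, since legitimate search extensions also set `is_default`.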