Fake Perplexity Chrome Extension Spies on User Searches
What Happened — A malicious Chrome extension titled “Search for perplexity ai” was discovered routing every user‑typed query through an attacker‑controlled server, logging the text, IP address, browser headers and user‑agent before forwarding the request to a legitimate search engine. Google removed the extension from the Chrome Web Store, but it remains on any browsers where it was already installed.
Why It Matters for Compliance & Audit Readiness
- The extension exploited overly‑broad Chrome permissions (
chrome_settings_overridesanddeclarativeNetRequest) that were not required for its advertised function—exactly the kind of permission‑bloat a SOC 2 Access Controls audit looks for. - Continuous evidence of “least‑privilege” enforcement and periodic inventory of third‑party software are core controls that can prove due diligence to auditors.
- Security Awareness Training that teaches users to verify extension IDs and permissions helps close the human‑error gap that enabled the install.
Who Is Affected — All Chrome users across industries; particularly enterprises that allow employees to install browser extensions without centralized control (TECH_SAAS, FIN_SERV, EDU_RESEARCH, etc.).
Recommended Actions
- Conduct an immediate inventory of installed extensions; remove any that are not business‑approved.
- Enforce a policy that only approved extensions may be installed, and that required permissions are documented and reviewed.
- Integrate extension‑permission monitoring into your continuous compliance platform to generate audit‑ready evidence of least‑privilege enforcement.
Technical Notes
- Attack vector: malicious Chrome extension leveraging
declarativeNetRequestto intercept and exfiltrate search queries. - No CVE; the issue is a supply‑chain style abuse of the Chrome Web Store review process.
- Data captured: user‑typed queries, IP address, browser headers, user‑agent string.
Source: Malwarebytes Labs