HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Fake Perplexity AI Chrome Extension Hijacks Search Queries and Logs Browsing Data

A counterfeit Perplexity AI Chrome extension intercepted every address‑bar query, routing it through attacker‑controlled servers and logging the data. The threat targets any organization that permits unsanctioned browser add‑ons, highlighting the need for strict access‑control and security‑awareness controls in a SOC 2 program.

LiveThreat™ Intelligence · 📅 July 01, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Fake Perplexity AI Chrome Extension Hijacks Search Queries and Logs Browsing Data

What Happened — A malicious Chrome Web Store extension titled “Search for perplexity ai” masqueraded as the legitimate Perplexity AI search assistant. Once installed, it overwrote the browser’s default search provider via chrome_settings_overrides and routed every address‑bar query through the attacker’s servers, logging the full query and browsing context. Microsoft’s threat intel team found no credential theft, but the extension’s permissions (DNR, URL rewriting, redirection) would enable it to expand data collection at any time.

Why It Matters for Compliance & Audit Readiness

  • The scenario illustrates a failure of access‑control policies for browser extensions—exactly the type of control SOC 2 CC6.1 (Logical Access) is designed to protect.
  • Continuous evidence of extension vetting and user‑awareness training provides a defensible audit trail that demonstrates due diligence under the SOC 2 CC6.2 (Least Privilege) and CC7 (Security Awareness) criteria.

Who Is Affected — Primarily users of Chrome browsers in technology‑SaaS, cloud‑infrastructure, and professional services environments; any organization that allows employees to install browser add‑ons without strict controls.

Recommended Actions

  • Instruct all users to remove the “Search for perplexity ai” extension (ID flkebkiofojicogddingbdmcmkpbplcd).
  • Enforce a whitelist‑only policy for Chrome extensions and integrate extension inventory into your endpoint‑security platform.
  • Update SOC 2 access‑control policies to require documented approval and periodic review of any third‑party browser add‑ons.
  • Conduct a security‑awareness refresher focused on the risks of unofficial extensions and the importance of verifying publisher authenticity.

Source: BleepingComputer

Technical Notes

  • Attack vector: Malicious Chrome extension leveraging chrome_settings_overrides and Declarative Net Request (DNR) permissions to hijack the Omnibox search flow.
  • Data collected: Full search queries, real‑time suggestions, and inferred browsing behavior; no credentials observed.
  • Infrastructure: Requests routed to perplexity‑ai.online, a domain mimicking the legitimate perplexity.ai.

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/fake-perplexity-extension-on-chrome-web-store-tracked-searches/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →