Fake Perplexity Chrome Extension Hijacks Search Queries, Sends Data to Attacker Servers
What Happened — Microsoft disclosed a malicious Chrome extension masquerading as the “Perplexity AI” assistant. The extension intercepts users’ omnibox searches and forwards the queries to attacker‑controlled servers, effectively harvesting browsing intent and any entered credentials.
Why It Matters for Compliance & Audit Readiness
- Unapproved software installations bypass logical‑access controls, a direct violation of SOC 2 CC6.1 (System Operations) and CC6.2 (Change Management).
- The incident underscores the need for documented policies on third‑party browser extensions and continuous monitoring of endpoint configurations.
- Demonstrates the importance of Security Awareness Training to prevent users from installing rogue extensions that can lead to data exfiltration.
Who Is Affected — Enterprises across all sectors that allow employees to use Chrome on corporate devices, especially SaaS‑heavy tech firms and remote‑work environments.
Recommended Actions
- Conduct an immediate inventory of installed Chrome extensions and remove any that are not on an approved list.
- Enforce a policy that blocks installation of extensions from unverified sources; map this to SOC 2 CC6.1 and CC6.2 controls.
- Update Security Awareness Training to include a module on vetting browser extensions and recognizing social‑engineering lures.
- Enable continuous endpoint monitoring to capture unauthorized extension installations as audit evidence. Source: TechRepublic
Technical Notes – The extension hijacks Chrome’s omnibox search feature, redirects the query to attacker‑controlled URLs, and logs the payload. No CVE is associated; the threat vector is a malicious browser extension (malware). Data types captured include search terms, URLs, and any credentials typed into search fields. Source: TechRepublic