{"id":283761,"date":"2026-06-29T14:40:00","date_gmt":"2026-06-29T18:40:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/29\/malicious-perplexity-chrome-extension-intercepted-searches-and-address-bar-input\/"},"modified":"2026-06-29T16:35:05","modified_gmt":"2026-06-29T20:35:05","slug":"malicious-perplexity-chrome-extension-intercepted-searches-and-address-bar-input","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/29\/malicious-perplexity-chrome-extension-intercepted-searches-and-address-bar-input\/","title":{"rendered":"Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input"},"content":{"rendered":"

Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/06\/malicious-perplexity-chrome-extension.html<\/a><\/p>\n

Publish Date: 2026-06-29 14:40:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Swati Khandelwal<\/span>\ue802Jun 29, 2026<\/span><\/span>Browser Security \/ Web Security<\/span><\/p>\n

Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results.<\/p>\n

Microsoft says Google removed it from the store after responsible disclosure. The extension was called “Search for perplexity ai” (ID\u00a0flkebkiofojicogddingbdmcmkpbplcd) and used a look-alike domain,\u00a0perplexity-ai[.]online, to pass for the real service at perplexity.ai.<\/p>\n

Microsoft’s Defender research team\u00a0says the point was to intercept searches and collect data. It found no proof of password theft, but far more access than a search box should ever need.<\/p>\n

Once installed, the extension sets itself as the browser’s default search engine. When you searched, the query went first to\u00a0perplexity-ai[.]online, where the attacker’s server logged it with your browser headers, IP address, and user agent.<\/p>\n

A rule then bounced you to a real search engine (Perplexity, Google, or Bing), so the results looked normal. The theft happened on that first stop, before the redirect.<\/p>\n

The address bar made it worse. The extension also pointed the browser’s live search suggestions (the\u00a0suggest_url) to the same attacker domain. So your input went to the attacker’s server before you pressed Enter. Not just finished searches, but every character as you typed it.<\/p>\n

Chrome permits search-provider overrides, and legitimate extensions use them. Rewriting and redirecting your traffic is the part a search box has no business doing. This one asked for the\u00a0declarativeNetRequest\u00a0family of permissions to do exactly that, then shipped server-side code that logged every request. Microsoft calls that proof the collection was deliberate, not a side effect of the redirect.<\/p>\n

\"\"<\/p>\n

The extension also shipped disabled redirect rules for Google and Bing, so the…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input https:\/\/thehackernews.com\/2026\/06\/malicious-perplexity-chrome-extension.html Publish Date: 2026-06-29 14:40:00…<\/p>\n","protected":false},"author":1,"featured_media":283762,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgOcObOpyIQZzuiNoFu6Lv4jCDh64o1WYrC3stGdk58mMRg69RT56svVrXVwu618f6szk2lj_Tqbt6b7Rg25yV0cauxIDTbMAI8cbftKVYibIt5SMeaOT2zE3oeuu-RLI7M1mkEV3zirqDiO-nLMikX7QixM2EpVIdKQERGc7I_0p58L4J-s5mBjSCpgHc\/s1600\/pp-ai.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26],"class_list":["post-283761","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/283761"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=283761"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/283761\/revisions"}],"predecessor-version":[{"id":283763,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/283761\/revisions\/283763"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/283762"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=283761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=283761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=283761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}