
A malicious Chromium extension masquerading as a Perplexity AI tool leveraged Manifest V3 (MV3) APIs to intercept and log real-time address bar keystrokes before user submission. By implementing a redirection pattern (User → Attacker Intermediary → Legitimate Search Provider), the threat actor captured sensitive queries, PII, and credentials without disrupting the user experience. This human-layer attack highlights a critical governance gap in browser extension auditing, allowing for silent reconnaissance and intellectual property theft within corporate environments via attacker-controlled intermediary infrastructure.

  • Attack Vector: AI-Brand Impersonation

    • Leveraged the rapid adoption and trust of Perplexity AI to conduct "human-layer" social engineering.
    • Distributed as a Chromium extension requiring broad website access permissions to facilitate data interception.
    • Designed to maintain a functional browsing experience to avoid triggering user suspicion or immediate removal.
  • Technical Mechanics: MV3 Interception

    • Relied on Manifest V3 (MV3) extension APIs that allow search redirection and interception of browser traffic.
    • Implemented real-time keystroke logging in the address bar, capturing data before the user pressed the "Enter" key.
    • Routed all intercepted traffic through attacker-controlled intermediary servers before forwarding the request to the legitimate search provider.
  • Impact & Operational Risk

    • Data Compromise: Targeted PII, corporate credentials, and sensitive business intellectual property contained within search intent.
    • High Stealth: The transparent nature of the redirection ensured the user observed no latency or functional errors.
    • Reconnaissance Value: Provided attackers with a persistent window into employee workflows and internal corporate queries.
  • Enterprise Governance & Strategic Response

    • Highlighted a systemic blind spot where organizations possess mature software inventories but lack visibility into browser extensions.
    • Necessitates a shift toward secure enterprise browser technologies to enforce centralized extension auditing and allow-listing.
    • Gartner predicts 30% of enterprises will adopt secure browser frameworks by 2029 to mitigate these extension-based risks.
  • Conclusion & Remediation

    • The attack underscores the evolution of AI-themed lures to bypass traditional security awareness training.
    • Immediate defensive actions include auditing installed browser extensions for unauthorized MV3 permissions.
    • Long-term strategy requires integrating browser extension telemetry into broader XDR/SIEM monitoring frameworks.
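The audit recommended above can be started from the extension manifests themselves: the intercept-and-redirect pattern described in the Technical Mechanics section needs a search-provider override pointing somewhere other than an approved search engine, plus some combination of address-bar access, broad host permissions and request-interception APIs. The script below is an added example, not code from the briefing or from any of the cited vendors. It assumes the standard Chromium manifest keys (`chrome_settings_overrides.search_provider`, `omnibox`, `host_permissions`, `permissions`) and Chrome's default profile layout (`Extensions/<id>/<version>/manifest.json`); the approved-search-host allowlist and the three sample manifests are constructed for the demo.

```python
"""Flag installed Chromium extension manifests whose declared capabilities
match the search-redirect pattern: an overridden default search provider that
sends queries to a host outside the approved set, optionally combined with
omnibox access, broad host permissions and request-interception APIs.

Added example for this briefing; not vendor code. The manifest keys and the
default profile paths are assumed from Chromium's documented layout.
"""
from __future__ import annotations

import json
from pathlib import Path
from urllib.parse import urlparse

# API permissions that let an extension observe or rewrite requests/navigation.
INTERCEPT_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                   "declarativeNetRequestWithHostAccess", "webNavigation", "scripting"}
# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Admin-supplied allowlist of search hosts the organisation accepts (constructed).
APPROVED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Assumed default Chrome profile roots (Linux, macOS, Windows); adjust per fleet.
DEFAULT_EXTENSION_ROOTS = [
    Path.home() / ".config/google-chrome/Default/Extensions",
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
]


def assess_manifest(manifest: dict, allowed_search_hosts: set[str]) -> dict:
    """Return a severity and the findings for one parsed manifest.json."""
    findings: list[str] = []

    # 1. Default search provider redirected to a host we do not approve.
    search = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    untrusted_search = False
    if search:
        host = urlparse(search.get("search_url", "")).hostname or "?"
        untrusted_search = host not in allowed_search_hosts
        note = "" if not untrusted_search else " (not an approved search host)"
        findings.append(f"search provider override -> {host}{note}")

    # 2. Omnibox keyword: address-bar input after the keyword reaches the extension as typed.
    omnibox = "omnibox" in manifest
    if omnibox:
        findings.append(f"omnibox keyword {manifest['omnibox'].get('keyword')!r}")

    # 3. Host access to every site (MV3 host_permissions; MV2 kept them in permissions).
    declared_hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    broad = declared_hosts & BROAD_HOSTS
    if broad:
        findings.append(f"broad host access {sorted(broad)}")

    # 4. APIs that can observe or rewrite requests and navigation.
    intercept = set(manifest.get("permissions", [])) & INTERCEPT_PERMS
    if intercept:
        findings.append(f"request/navigation interception {sorted(intercept)}")

    if untrusted_search or (omnibox and broad):
        severity = "high"
    elif broad and intercept:
        severity = "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {"name": manifest.get("name", "?"), "severity": severity, "findings": findings}


def scan_roots(roots, allowed_search_hosts: set[str]) -> list[dict]:
    """Walk Extensions/<id>/<version>/manifest.json under each root and assess each."""
    results = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for manifest_path in root.glob("*/*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
            report = assess_manifest(manifest, allowed_search_hosts)
            report["path"] = str(manifest_path)
            results.append(report)
    return results


# Constructed sample manifests for an offline demonstration (not real extensions).
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Tab Notes (constructed)", "permissions": ["storage"]}
VENDOR_SEARCH_MANIFEST = {
    "manifest_version": 3, "name": "Bing Search (constructed)",
    "chrome_settings_overrides": {"search_provider": {
        "name": "Bing", "keyword": "bing", "encoding": "UTF-8", "is_default": True,
        "search_url": "https://www.bing.com/search?q={searchTerms}"}},
}
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "AI Search Assistant (constructed)",
    "permissions": ["storage", "webRequest", "declarativeNetRequest"],
    "host_permissions": ["<all_urls>"],
    "omnibox": {"keyword": "ai"},
    "chrome_settings_overrides": {"search_provider": {
        "name": "AI Search", "keyword": "ai", "encoding": "UTF-8", "is_default": True,
        "search_url": "https://intermediary.example/search?q={searchTerms}"}},
}


def demo() -> list[dict]:
    """Assess the constructed samples; a real run would call scan_roots(DEFAULT_EXTENSION_ROOTS, ...)."""
    return [assess_manifest(m, APPROVED_SEARCH_HOSTS)
            for m in (BENIGN_MANIFEST, VENDOR_SEARCH_MANIFEST, SUSPICIOUS_MANIFEST)]


if __name__ == "__main__":
    for report in demo() + scan_roots(DEFAULT_EXTENSION_ROOTS, APPROVED_SEARCH_HOSTS):
        print(f"[{report['severity']:6}] {report['name']}: {'; '.join(report['findings']) or 'no findings'}")
```

The severity logic is deliberately conservative: a search override on its own is common in legitimate vendor extensions and only rates "low" when it points at an approved host, whereas an override to an unapproved host, or omnibox access paired with access to every site, is the combination the briefing describes and rates "high". The per-host reports can be shipped as-is into the SIEM pipeline the last bullet recommends.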

Related posts

  1. cybersecurity.pk — Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input
  2. techjacksolutions.com — Fake Perplexity Extension Captured Every Address Bar Keystroke Before Users Pressed Enter
  3. microsoft.com — Chromium extension uses AI‑related branding to redirect browser search
  4. Thehackernews
  5. csoonline.com — Malicious Chromium extension spoofs Perplexity AI to hijack browser searches
  6. Reddit
  7. Securityboulevard
  8. Malwarebytes
  9. Cybernews
  10. Bleepingcomputer
  11. Techrepublic
  12. Themadhacker
  13. Ground
