Type “Perplexity” into the Chrome Web Store and you get a range of browser extensions offering access to the popular AI search service. Until last week, one of them was called “Search for perplexity ai,” and it delivered something extra that users hadn’t bargained for: a small hidden surveillance operation.
On June 29, Microsoft’s Defender Security Research Team revealed that the extension had been impersonating the real AI search company while secretly recording what users typed. Google took it down, but users who already installed it are still at risk.
How the extension harvested user queries
The extension routed user traffic through the typosquatted domain perplexity-ai[.]online rather than the legitimate perplexity.ai. It requested chrome_settings_overrides, the standard permission that lets an extension become the browser’s default search engine.
But it also asked for a rules-based network permission called declarativeNetRequest (DNR), which allowed it to send users’ searches through a server controlled by the attacker. Microsoft said this extra permission wasn’t necessary for the extension’s advertised purpose, making it a warning sign. Neither raised a flag during Web Store review, though.
Using these permissions, searches entered into Chrome’s address bar were first funneled through an attacker-controlled server, allowing it to see users’ searches and log each request along with the IP address, browser headers, and user-agent string.
Then it forwarded the search on to a real search engine so results came back looking normal.
The extension didn’t just include Perplexity in its code. It was also able to redirect traffic to Google and Bing if the developer chose to enable it.
The extension also had access to Chrome’s search suggestion feed, which powers predictive autocomplete. That meant the interception happened in real time. Anything typed, even if it was deleted before pressing Enter, still went to the operator’s server.
Based on all of this, Microsoft concluded the surveillance was the point, not a side effect of the redirect architecture. No operator has been publicly identified.
Taking it out of the store doesn’t uninstall it
Google removed the extension after Microsoft’s disclosure, but that doesn’t remove it from the browsers of people who already installed it. If you added “Search for perplexity ai” at any point, it is still sitting in your extensions list until you uninstall it manually, which we advise you to do right away.
How to uninstall it
Open chrome://extensions/, turn on Developer mode, and check the 32-character ID of every extension you have installed. Extension names in Chrome are not unique, and criminals rely on that. Compare each ID against the one listed on the developer’s official website before you trust it.
Uninstall anything you don’t use. A smaller extension list is a smaller attack surface. Only grant the permissions an extension needs to do its job. And be extra careful about checking the publisher behind an extension, along with the domains it uses.
This is not a Perplexity-only problem
A Stanford and CISPA study found that malicious extensions remain in the Chrome Web Store for about 380 days on average before removal. AI branding just makes the bait shinier and more appealing.
In January, researchers found malicious Chrome extensions spying on ChatGPT sessions, while a separate campaign last year vacuumed up AI chats without victims’ knowledge and sent them on to a data broker.
Another campaign, involving an extension called AITOPIA, impersonated AI-related tools and reached more than 900,000 users. That campaign targeted ChatGPT and DeepSeek chat histories rather than search queries.

