Just as Google is putting the final nail in Manifest V2’s coffin with the switch to Manifest V3, security researchers have uncovered a reminder that no browser extension framework is completely immune to abuse.

Microsoft’s Defender Security Research team has identified a malicious Chromium extension disguised as a Perplexity AI search tool that abused Manifest V3 (MV3) capabilities to intercept users’ browser searches before quietly forwarding them to legitimate search engines. Google has since removed the extension from the Chrome Web Store following responsible disclosure.

The timing couldn’t be more notable.

Chrome 150, which started rolling out last week to a limited set of users, removes the final practical workaround that allowed unsupported Manifest V2 extensions to continue running. Google has long argued that Manifest V3 offers a safer extension ecosystem, even as the transition sparked criticism for limiting powerful content blockers like uBlock Origin.

Earlier this month, while removing the last remaining Manifest V2 compatibility flag, a Google engineer explained the reasoning behind the move:

"MV2 extensions are no longer allowed in any supported version of Chrome... We won't be able to provide or maintain this functionality indefinitely due to the complexity and tech debt, as well as the security risks it entails (we've actually found a number of bugs that are specific to MV2 lately). Of course, other browsers can continue supporting these if they so desire."

Manifest-V3-support-discontinue-Manifest-V2-in-Chrome

That statement reinforces Google’s position that retiring Manifest V2 is partly about reducing security risks. But Microsoft’s latest research shows that attackers are already adapting to the newer extension model, not by exploiting a Manifest V3 vulnerability, but by creatively abusing its legitimate capabilities.

According to Microsoft’s analysis, the extension, named “Search for perplexity ai,” impersonated the popular AI search engine using the typosquatted domain perplexity-ai[.]online. It then configured itself as the browser’s default search provider while routing users’ searches through attacker-controlled infrastructure before redirecting them to legitimate search results.

The researchers say the real danger wasn’t simply search redirection.

Because the extension also overrode Chrome’s search suggestions, every character typed into the browser’s address bar could be transmitted to the attackers’ servers before users even pressed Enter. The infrastructure logged search queries, browser details, HTTP headers and IP addresses, effectively turning what appeared to be an ordinary AI search extension into a silent data collection tool.

Interestingly, Microsoft found that the extension relied heavily on Manifest V3’s Declarative Net Request (DNR) APIs. These APIs are intended for legitimate request filtering and redirection, but in this case they enabled a sophisticated “two-hop” workflow: user searches first reached the attacker’s server, where data could be collected, before the browser was immediately redirected to genuine search providers like Perplexity, Google or Bing. The seamless redirect meant victims would likely never realize their searches had been intercepted.

Manifest-V3-vulnerability-with-Chrome-extension

To be clear, Microsoft’s report doesn’t describe a flaw in Manifest V3 itself. Instead, it demonstrates how threat actors can misuse perfectly legitimate browser APIs in ways that are difficult for users to notice. In other words, Manifest V3 raises the security bar, but it doesn’t eliminate the need for careful extension vetting.

The security researchers recommend installing browser extensions only from trusted publishers, verifying official domains before downloading AI-themed tools, and paying close attention to requested permissions especially those involving search settings or network traffic. As AI branding becomes an increasingly effective social engineering lure, Microsoft warns that attackers are likely to continue evolving alongside browser security improvements rather than being stopped by them altogether.

The post Microsoft uncovers malicious Manifest V3 Chrome extension that secretly hijacks Perplexity AI searches appeared first on PiunikaWeb.