A malicious ChatGPT extension for Google Chrome targeted high-value Facebook accounts to push paid ads at the expense of its victims, researchers claim.
A malicious browser extension known as “Quick access to Chat GPT” devised a way to take over user Facebook accounts to propagate itself in a “worm-like manner,” researchers at cybersecurity firm Guardio found. Moreover, the extension steals all cookies stored on the browser, including security and session tokens, to services like YouTube, Google accounts, and Twitter.
The extension’s selling point was its supposed ability to provide users with a quick way to use the famous ChatGPT bot directly from the browser. Extension developers even linked users with a legitimate ChatGPT application programming interface (API).
“Although the extension gives you that, it also harvests every piece of information it can take from your browser, steals cookies of authorized, active sessions to any service you have, and also employs tailored tactics to take over your Facebook account,” researchers said.
Interestingly enough, the attack operators paid special attention to users with high-profile Facebook business accounts. Threat actors would take over such accounts, allowing their self-replicating bot army to promote itself with ads paid for using funds from the victim’s business account.
Researchers note that the attack is sophisticated: the threat actors took pains to deliver what the extension’s description advertises. Once installed, a popup window appears in the browser that lets the user prompt ChatGPT as promised.
“Yet, this is exactly where it starts to get fishy. The extension is now an integral part of your browser. Thus, it can send any request to any other service – as if the browser owner itself was initiating this from the same context,” researchers said in a blog post.
Using this technique, attackers can access Meta’s Graph API, which allows them to view user details and act on the victim’s behalf on their Facebook account via API calls. Attackers even devised a way to bypass Facebook’s protective measures by renaming the requests to the server.
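The capability described above rests on the permissions an extension is granted: cookie access plus reach into every site from a persistent background context is what lets an extension lift session tokens and issue requests as the logged-in user. The following audit helper is an added example, not code from Guardio or from the extension itself; the sample manifest it checks is constructed for illustration and is not the real extension’s manifest.

```python
"""Flag Chrome extension manifests whose permission profile allows session theft.

The sample manifest below is constructed for this example; it is not the
manifest of the extension Guardio analysed.
"""
import json

# API permissions that, combined with broad host access, let an extension
# read session cookies and act as the browser owner against any site.
RISKY_API_PERMISSIONS = {"cookies", "webRequest", "scripting", "tabs"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return findings for a parsed manifest.json (Manifest V2 or V3)."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    findings = {
        "reads_cookies": "cookies" in perms,
        "broad_hosts": bool(hosts & BROAD_HOST_PATTERNS),
        "background": "background" in manifest,
        "risky_apis": sorted(perms & RISKY_API_PERMISSIONS),
    }
    # Cookie access to every origin from a background page or service worker
    # is the profile a cookie-harvesting extension needs; rate it high risk.
    findings["high_risk"] = (
        findings["reads_cookies"] and findings["broad_hosts"] and findings["background"]
    )
    return findings


# Constructed sample: a hypothetical MV3 extension requesting the risky combination.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Constructed sample extension",
  "permissions": ["cookies", "storage", "tabs"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "bg.js"}
}""")

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Point it at the `manifest.json` inside an unpacked extension directory to review what an installed extension can reach before trusting it with logged-in sessions.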
If the attackers noticed a Facebook account they wanted to keep for themselves, they would instruct the extension to create a malicious Facebook application, granting them full admin access.
“From full control of your Facebook profile and activity to admin powers on all your groups, pages, businesses, and of course, advertisement accounts, they can even manage your connected WhatsApp and Instagram accounts,” researchers claim.
“Quick access to Chat GPT” first appeared in the Chrome Web Store on March 3 and has been installed over 2,000 times. Google has removed the malicious extension from the store following Guardio’s report.