Some ChatGPT browser extensions are stealing your data
ChatGPT users beware: your browser extensions could be used to steal your accounts and identity.
LayerX Research has identified at least 16 Chrome browser extensions for ChatGPT floating around the internet that promise to enhance work productivity. All show signs of being built by the same threat actor and designed for the same purpose: to pilfer account credentials.
According to security researcher Natalie Zargarov, as legitimate AI browser extensions have become more widely used, “many of these extensions mimic known brands to gain users’ trust, particularly those designed to enhance interaction with large language models.”
“As these extensions increasingly require deep integration with authenticated web applications, they introduce a materially expanded browser attack surface,” Zargarov wrote.
That’s what the threat actor appears to have done in this case. The malicious extensions do not deploy malware or attack the model directly, they instead exploit vulnerabilities in the web-based authentication process used to verify ChatGPT users.
In order to work, many of these tools need access to authenticated AI sessions and high-level execution privileges within the browser itself. That combination of “high privilege, user trust and rapid adoption” makes them attractive targets to compromise for threat actors.
All but one of the extensions compromised their victims in the same way. A script injected into chatgpt.com monitors outbound requests coming from the ChatGPT web application. When a request goes out containing authorization details and the user’s session token data, the malicious extension extracts the information to a remote server.
With the user’s token in hand, the attackers can use them to authenticate ChatGPT sessions under the victim’s identity, access chat histories and applications that connect ChatGPT to other sensitive data sources, like Slack and GitHub.
Beyond token theft, the browser extensions also send metadata, usage telemetry and backend-issued access tokens used by the extension service to a third-party server.
The browsers share similar codebases used across different identities, consistent publisher characteristics across multiple listings and “highly similar icons, branding and descriptions.” In addition to their overlapping advertised functionality for enhancing productivity, they also displayed overlapping behaviors such as uploading batches of extensions on the same day, synchronized updates to several extensions at once, share backend infrastructure and web domains.
According to Zagarov’s blog, all 16 of the malicious extensions remain available on the Chrome Web Store today. CyberScoop has reached out to Google, which manages the Chrome browser, for comment.
All told, downloads have been low: about 900 total across the 16 browser extensions LayerX identified. Zagarov notes this is “a drop in the bucket” compared to other major browser extension campaigns like GhostPoster, which was downloaded more than 830,000 times and the Roly Poly VPN extension, which had over 31,000 documented installations.
But Zagarov said given the increasing popularity of AI browser extensions and the evidence that other actors are targeting the same weaknesses, time is not on defenders’ side.
“It just takes one iteration for a malicious extension to become popular,” Zargarov wrote. “We believe that GPT optimizers will soon become as popular as (not more than) VPN extensions, which is why we prioritized the publication of this analysis. Our goal is to shut it down BEFORE it hits critical mass.”
