Malicious ChatGPT Chrome Extension Hijacks Facebook Accounts

Written by

Security researchers have warned of yet another security threat using public interest in ChatGPT to propagate – this time under the guise of a Chrome extension.

Guardio claimed in a blog post that threat actors forked a legitimate open source “ChatGPT for Google” extension and added malicious code designed to steal Facebook session cookies.

 Users were then directed to the extension by malicious sponsored search engine results.

“So, you search for ‘Chat GPT 4,’ eager to test out the new algorithm, ending up clicking on a sponsored search result promising you just that,” Guardio explained.

“This redirects you to a landing page offering you ChatGPT right inside your search results page – all that’s left is to install the extension from the official Chrome Store. This will give you access to ChatGPT from the search results, but will also compromise your Facebook account in an instant.”

Read more on ChatGPT threats: Phishing Sites and Apps Use ChatGPT as Lure.

The malicious extension is particularly difficult to tell apart from the legitimate version on which it’s based, as the code differs in just one respect.

“Looking at the “OnInstalled” handler function that is triggered once the extension is installed, we see the genuine extension just using it to make sure you see the options screen (to log in to your OpenAI account),” Guardio said.

“On the other hand, the forked, turned malicious, code is exploiting this exact moment to snatch your session cookies.”

Once stolen, the cookies are encrypted and exfiltrated, providing threat actors with on-demand access to the compromised accounts, to which they change the log-in details in order to lock the legitimate user out.

Before being removed by Google, the malicious ChatGPT for Chrome extension had over 9000 downloads, the security vendor claimed.

This is the second “FakeGPT” extension Guardio has discovered, the first of which was distributed via sponsored Facebook posts.

Editorial image credit: Alexander56891 /

What’s hot on Infosecurity Magazine?