Advisory ID: NCC-CSIRT-200323-016
Summary: Hackers employ a sophisticated fake Chrome ChatGPT browser extension to compromise thousands of Facebook accounts, including high-profile business accounts. According to Jai Vijayan, a writer from DarkReading, at least 2,000 victims downloaded the malicious app from the Google Play app store. Successful exploits take advantage of the substantial level of public interest in ChatGPT to spread malware on the compromised systems.
Vulnerable Platform(s): Google Chrome Browser
Threat Type: Malware
Product: Facebook
Version: All Versions
Description: According to Guardio, a cybersecurity analyst, the fake Chrome ChatGPT browser extension connects with ChatGPT’s API (an Application Programming Interface is a set of defined rules that enables different applications to communicate with each other) to provide users with instant access to its services. It also harvests information from users’ browsers, stealing cookies of authorized, active sessions to any service they have (including security and session tokens for Google, Twitter, YouTube, etc.), and employs tailored tactics to take over the user’s Facebook accounts. Furthermore, to maintain remote access and take full control of the target Facebook profiles, two fake Facebook applications, a portal, and a portion of the ChatGPT extension code are used. The malware is then spread through the infected Facebook profiles, increasing the scope of the attack and the number of compromised accounts.
Note: As of right now, ChatGPT does not have an official browser extension. In fact, "chat.openai.com" is the only location where you can access OpenAI's chatbot right now. Yet, in the future, things could change.
Consequences: By opening the extension and typing an inquiry into ChatGPT, a victim sends a request to the OpenAI server while information is immediately stolen in the background.
Impact/Probability: CRITICAL/HIGH
Solution:
- File Protections module: to identify the main source of a file access request (a legitimate user, a bot, an attacker, or a fake and unauthorized service).
- Web Protection module: to identify fake websites (those used in phishing attempts) and restrict users from visiting them.
- Email Protection module: to scan and alert you when spam email, whether links or embedded attachments, has been found, before you open or click anywhere in the message.
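A defender-side check for the behaviour in the Description (cookie theft by a ChatGPT-branded extension), as an added example that is not part of the original advisory: it scans Chrome extension manifests for the `cookies` permission combined with all-site host access. The broad-host list, the brand terms and the sample manifests are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # assumed heuristic
BRAND_TERMS = ("chatgpt", "openai")  # assumed brand keywords, not advisory indicators

def assess_manifest(manifest: dict) -> list[str]:
    """Return the reasons a manifest deserves manual review (empty list if none)."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in (manifest.get(key) or []) if isinstance(p, str))
    reasons = []
    broad = sorted(perms & BROAD_HOSTS)
    if "cookies" in perms and broad:
        reasons.append("cookies API with broad host access: " + ", ".join(broad))
    name = str(manifest.get("name", "")).lower()  # may be a __MSG_*__ placeholder
    if any(term in name for term in BRAND_TERMS):
        reasons.append("name uses the ChatGPT/OpenAI brand")
    return reasons

def scan_extensions(root: Path) -> dict[str, list[str]]:
    """Scan <root>/<extension id>/<version>/manifest.json and map id -> reasons."""
    findings = {}
    for path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        reasons = assess_manifest(manifest) if isinstance(manifest, dict) else []
        if reasons:
            findings[path.parent.parent.name] = reasons
    return findings

def demo() -> dict[str, list[str]]:
    """Run the scan over two constructed manifests written to a temp directory."""
    samples = {  # constructed manifests, not taken from the advisory
        "constructed-id-a": {"name": "ChatGPT Helper", "permissions": ["cookies"], "host_permissions": ["<all_urls>"]},
        "constructed-id-b": {"name": "Tab Counter", "permissions": ["tabs"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            path = Path(tmp) / ext_id / "1.0_0" / "manifest.json"
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extensions(Path(tmp))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `scan_extensions` at a Chrome profile's `Extensions` directory; a hit is a prompt for manual review, not proof of malice.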
References:
https://www.phoneworld.com.pk/fake-chatgpt-browser-extension-steal-data-of-fb-users-report/
https://www.helpnetsecurity.com/2023/03/09/fake-chatgpt-extension/
https://www.archyde.com/malicious-chatgpt-chrome-extension-appears-to-steal-facebook-accounts/