Fake ChatGPT for Google extension hijacks Facebook accounts

A new Chrome extension promising to augment users’ Google searches with ChatGPT also leads to hijacked Facebook accounts, Guardio Labs researchers have found.

While this specific trick isn’t new, this time around the extension also worked as advertised.

“Based on version 1.16.6 of the [ChatGPT for Google] open-source project, this FakeGPT variant does only one specific malicious action, right after installation, and the rest is basically the same as the genuine code — leaving no reasons to suspect,” says Nati Tal, head of Guardio Labs.

The allure of ChatGPT

ChatGPT is an artificial intelligence chatbot that has become hugely popular very quickly. To use it, people must create a free account; a paid tier unlocks additional features.

To avoid paying for those additional features, or when looking for a (currently non-existent) desktop or mobile ChatGPT app, users can fall for scams that promise exactly what they are looking for, free of charge.

In this case, when searching for ChatGPT via Google Search, users are served a malicious sponsored ad that first redirects them to a fake “ChatGPT for Google” landing page, and from there to the malicious extension’s listing on the official Chrome Web Store.

From fake ChatGPT extension to hijacked Facebook account

The malicious extension is a copy of the popular open-source “ChatGPT for Google” extension, with one covert malicious action added on top of the genuine code.

Attack flow from Google Search to compromised Facebook accounts. Source: Guardio Labs

The extension abuses the Chrome extension cookies API (chrome.cookies, the API that lets an extension list a site’s cookies) to obtain the user’s Facebook session cookies. To do that an extension must declare the “cookies” permission together with a host permission that covers facebook.com, which a search helper for Google has no legitimate reason to request. Those two manifest entries are the thing to look for when vetting an extension.
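As an added example (not Guardio’s code and not the extension’s own manifest), the following script shows how to audit extension manifests for exactly that combination: the “cookies” permission plus a host permission whose match pattern reaches a watched site. It goes slightly beyond the case above by handling both Manifest V2 (URL patterns inside “permissions”) and Manifest V3 (“host_permissions”). The manifests and the list of watched hosts are constructed samples; optional permissions are deliberately ignored.

```javascript
// Added example, not code from Guardio Labs or from the extension itself:
// audit extension manifests for the two things an extension needs in order
// to read another site's session cookies through chrome.cookies, namely the
// "cookies" permission and a host permission whose match pattern covers the
// site. The manifests below are constructed samples; the real extension's
// manifest is not reproduced here.

// Does a Chrome match pattern ("*://*.facebook.com/*", "<all_urls>", ...)
// reach the given hostname? Scheme and path are deliberately ignored: the
// question is only whether the host is in scope at all.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)?$/.exec(pattern);
  if (!m) return false; // not a match pattern at all (e.g. "tabs")
  const hostPart = m[2];
  if (hostPart === "*") return true;
  if (hostPart.startsWith("*.")) {
    // "*.example.com" matches example.com and any subdomain of it
    const base = hostPart.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === hostPart;
}

// Host permissions from either manifest version: MV2 lists URL patterns in
// "permissions", MV3 moved them to "host_permissions". Optional permissions
// are ignored here (assumption: only what is granted at install time counts).
function hostPermissions(manifest) {
  const mv2 = (manifest.permissions || []).filter(
    (p) => p === "<all_urls>" || p.includes("://")
  );
  return [...mv2, ...(manifest.host_permissions || [])];
}

// Return the hosts from `targetHosts` whose cookies the extension could read:
// empty unless it holds "cookies" AND a host permission covering the host.
function cookieReachableHosts(manifest, targetHosts) {
  const perms = manifest.permissions || [];
  if (!perms.includes("cookies")) return [];
  const patterns = hostPermissions(manifest);
  return targetHosts.filter((h) => patterns.some((p) => patternCoversHost(p, h)));
}

// Constructed sample manifests (hypothetical; not the real extension's files).
const benignHelper = {
  manifest_version: 3,
  name: "search helper (constructed, least privilege)",
  permissions: ["storage"],
  host_permissions: ["https://www.google.com/*"],
};

const overprivilegedHelper = {
  manifest_version: 3,
  name: "search helper (constructed, can read facebook.com cookies)",
  permissions: ["storage", "cookies"],
  host_permissions: ["https://www.google.com/*", "*://*.facebook.com/*"],
};

const mv2Broad = {
  manifest_version: 2,
  name: "constructed MV2 sample with <all_urls>",
  permissions: ["cookies", "<all_urls>"],
};

// Hosts whose session cookies we care about (assumed list).
const WATCHED_HOSTS = ["www.facebook.com", "facebook.com", "accounts.google.com"];

// Per-extension report: which watched hosts each manifest can read cookies for.
function auditManifests(manifests, targetHosts = WATCHED_HOSTS) {
  return manifests.map((m) => ({
    name: m.name,
    cookieReachable: cookieReachableHosts(m, targetHosts),
  }));
}

for (const r of auditManifests([benignHelper, overprivilegedHelper, mv2Broad])) {
  console.log(r.name, "->", r.cookieReachable.length ? r.cookieReachable : "none");
}
```

The check is deliberately conservative: chrome.cookies only returns cookies for hosts the extension has host permission for, so an extension with “cookies” but no matching host permission is reported as reaching nothing, while “<all_urls>” or “*://*/*” flags every watched host.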

“With those cookies, your Facebook session can be quickly overtaken, your basic account login details changed, and from this point further you lose control over your profile with no way to regain it,” Tal explains.

“We’ve seen so many user profiles falling for this lately, many being later abused for pushing more malicious activity inside the Facebook ecosystem and even plain and simple propaganda of the worst kind.”

You downloaded the extension. Now what?

According to Guardio Labs, the extension had been downloaded over 9,000 times before Google removed it from the Chrome Web Store. This means that a significant number of users likely had their Facebook accounts compromised.

If you are among those:

  • Remove the extension
  • Change your Facebook account password and, under Settings -> Security and Login -> Where You’re Logged In, log out any session you don’t recognize: a stolen session cookie stays valid until the session it belongs to is ended
  • Check that the hijackers haven’t added apps to your account that might post things on your behalf (go to Settings -> Apps and Websites)
  • Enable two-factor authentication (2FA) on the account (if you haven’t already)

The researchers have also shared indicators of compromise that enterprises can use to check whether any of their employees installed the extension and may have had their accounts compromised.