Security Program Controls/Technologies, Application security

Malicious ChatGPT Chrome browser extension hijacks Facebook accounts

Fake ChatGPT chrome browser extension downloaded 9,000 times

Threat actors are taking advantage of ChatGPT's popularity for their not-so-noble purposes, this time by creating a trojan version of a legitimate ChatGPT Chrome extension to steal Facebook accounts.

According to security firm Guardio, adversaries created a malicious lookalike version of the actual ChatGPT for Google Chrome extension called "Chat GPT for Google" (note the erroneous gap between the word ChatGPT). Malicious code used in the fake Google Chrome browser extension stole Facebook session cookies from victims and then used the data to compromise Facebook accounts.

The phony extension was downloaded over 9,000 times until Google took it down from the Chrome store Wednesday. The malicious extension was also promoted through sponsored Google search results, targeting users searching for information about OpenAI’s new Chat GPT4 algorithm.

"Based on version 1.16.6 of the open-source project, this FakeGPT variant does only one specific malicious action, right after installation, and the rest is basically the same as the genuine code - leaving no reasons to suspect," wrote Nati Tal, head of Guardio Labs, in a blog post.

The malicious extension was published on the Chrome store on February 14, promoted via Google search on March 14 and removed on March 22. Researchers advise, if you downloaded a ChatGPT for Google during this time period, it is safe to check if it is the legitimate version. The official version will show "chatgpt4google.com" as the verified developer with over 2,000,000 users.

Session Cookie capers abound

The one specific malicious intent is to steal Facebook session cookies by leveraging the Chrome Extension API. With those cookies' information in hand, threat actors can easily take over users' Facebook accounts, change login credentials, convert the profile to another "Lilly Collins," and end up posting malicious or extremist content.

This is not the first-time threat actors use malicious extensions to catch up ChatGPT’s popularity. Earlier in February, Gardio found another variant of a malicious fake ChatGPT extension called "Quick access to Chat GPT," which was pushed through Facebook-sponsored posts and harvested every information from users' browsers.


Tal expressed concern over the elevating trend of threat actors abusing ChatGPT brand and popularity for malicious activities, urging both defenders and users to raise awareness.

"Major services offered by Facebook, Google, and other big names are under continuous attack and abuse, while at the end of it all — the ones being mostly hit here are us, the users," he said.

A Google spokesperson confirmed with SC Media that the extension is no longer available from the Chrome Web Store and reiterated that the company "don't allow ads on our platform that use malicious techniques such as phishing."

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.