Rogue ChatGPT extension FakeGPT hijacked Facebook accounts

A tainted version of the legitimate ChatGPT extension for Chrome, designed to steal Facebook accounts, has thousands of downloads.

Guardio’s security team uncovered a new variant of a malicious ChatGPT Chrome extension that was already being downloaded by thousands of users a day.

The version employed in a recent campaign is based on a legitimate open-source project to which the threat actors added malicious code that steals Facebook accounts.

The legitimate extension is named “ChatGPT for Google” and integrates ChatGPT answers into Google search results.

The new malicious Chrome extension has been distributed since March 14, 2023, through sponsored Google search results, and it was uploaded to the official Chrome Web Store. Experts noticed that it was first uploaded to the Chrome Web Store on February 14, 2023.

According to the researchers, it is able to steal Facebook session cookies and compromise accounts en masse.

[Figure: Fake ChatGPT Chrome Extension] Left: The “FakeGPT” variant on the Chrome Web Store. Right: The genuine “ChatGPT for Google” extension.

“The new variant of the FakeGPT Chrome extension, titled “Chat GPT For Google”, is once again targeting your Facebook accounts under a cover of a ChatGPT integration for your Browser.” reads the post published by Guardio Labs. “This time, threat actors didn’t have to work hard on the look and feel of this malicious ChatGPT-themed extension — they just forked and edited a well-known open-source project that does exactly that. From zero to “hero” in probably less than 2 minutes.”

Netizens searching for “Chat GPT 4”, because they are interested in testing the latest version of the popular chatbot, end up clicking on a sponsored search result. The link redirects victims to a landing page offering the ChatGPT extension from the official Chrome Web Store. The extension does give users access to ChatGPT from the search results, but it also compromises their Facebook account.

Once the victim installs the extension, the malicious code uses the OnInstalled handler function to steal Facebook session cookies. The attackers then use the stolen cookies to log in to the victim’s Facebook account and take it over.

The malicious code uses the Chrome Extension API to collect the list of cookies set by Facebook and encrypts them with AES using the key “chatgpt4google”.

The collected cookies are sent to the attackers’ server via a GET request.

“The cookies list is encrypted with AES and attached to the X-Cached-Key HTTP header value. This technique is used here to try and sneak the cookies out without any DPI (Deep Packet Inspection) mechanisms raising alerts on the packet payload (which is why it is encrypted as well).” continues the report. “Only note that there is no X-Cached-Key Header in the HTTP protocol! There is an X-Cache-Key header (without the ‘d’) used for responses, not requests.”
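The nonstandard request header is the most distinctive artifact of this exfiltration, and it is a useful detection hook for anyone reviewing proxy or packet captures. The following detector is an added example, not Guardio’s code: it parses captured HTTP requests and flags a request carrying an X-Cached-Key header, scoring the value as an opaque base64-like blob when it looks like ciphertext. The host name and both sample requests are constructed for illustration.

```python
"""Flag the FakeGPT-style cookie exfiltration shape in captured HTTP requests:
a request carrying the nonstandard X-Cached-Key header with an opaque value.
Added example; sample traffic below is constructed, not a real capture."""
import base64
import binascii
import math
import re
import string
from collections import Counter

SUSPECT_HEADER = "x-cached-key"  # not defined by HTTP; X-Cache-Key is response-only

def shannon_entropy(s: str) -> float:
    """Bits per character; base64 of ciphertext scores high (well above 4)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def looks_like_base64_blob(value: str, min_len: int = 32) -> bool:
    """True for a long, valid base64 string with ciphertext-like entropy."""
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/=]+", value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return shannon_entropy(value) > 4.0

def flag_exfil(raw: str):
    """Return a finding dict for a suspicious request, or None if clean."""
    method, path, headers = parse_request(raw)
    value = headers.get(SUSPECT_HEADER)
    if value is None:
        return None
    reasons = ["nonstandard request header X-Cached-Key"]
    if looks_like_base64_blob(value):
        reasons.append("opaque base64-like value (%d chars)" % len(value))
    return {"host": headers.get("host", "?"), "method": method, "path": path, "reasons": reasons}

# Constructed samples: a benign search and one request with the reported shape.
BENIGN_REQUEST = "GET /search?q=chatgpt HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: Mozilla/5.0\r\n"
SAMPLE_BLOB = string.ascii_letters + string.digits + "+/"  # stands in for AES output
EXFIL_REQUEST = "GET /ping HTTP/1.1\r\nHost: c2-placeholder.example\r\nX-Cached-Key: " + SAMPLE_BLOB + "\r\n"
```

Run `flag_exfil` over each request in a capture; any hit deserves a look at which installed extension originated it.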

Guardio researchers reported their findings to Google, which quickly removed the extension from the Chrome Web Store. At the time of removal, the malicious extension had been installed by more than 9000 users.

Pierluigi Paganini
