Security News

Google has stepped in to remove a bogus Chrome browser extension from the official Web Store that masqueraded as OpenAI's ChatGPT service to harvest Facebook session cookies and hijack the accounts. The "ChatGPT For Google" extension, a trojanized version of a legitimate open source browser add-on, attracted over 9,000 installations since March 14, 2023, prior to its removal.

A new Chrome extension promising to augment users' Google searches with ChatGPT also leads to hijacked Facebook accounts, Guardio Labs researchers have found. In this case, when searching for ChatGPT via Google Search, users are served with a malicious sponsored ad that first redirects them to a fake ChatGPT for Google landing page, and then to the malicious extension on the official Chrome Store.

Google has removed a ChatGPT extension from the Chrome store that steals Facebook session cookies - but not before more than 9,000 users installed the account-compromising bot. The malicious extension - Chat GPT For Google - is very similar in name and code to the real ChatGPT For Google extension.

A trojanized version of the legitimate ChatGPT extension for Chrome is gaining popularity on the Chrome Web Store, accumulating over 9,000 downloads while stealing Facebook accounts. The extension is a copy of the legitimate popular add-on for Chrome named "ChatGPT for Google" that offers ChatGPT integration on search results.

OpenAI has disabled ChatGPT’s privacy history, almost certainly because they had a security flaw where users were seeing each others’ histories.

Although OpenAI is an established organization with many years of experience promoting and developing AI systems, the relative immaturity of the ChatGPT application, combined with the lack of security assurance available for OpenAI, can put organizations at risk. In this Help Net Security video, Meghan Maneval, Director of Technical Product Management, Reciprocity, discusses why companies considering the utilization of ChatGPT internally must ensure the tool and the provider undergo the same third-party risk management process as any other application.

The cybersecurity industry can leverage GPT-3 potential as a co-pilot to help defeat attackers, according to Sophos. The latest report details projects developed by Sophos X-Ops using GPT-3's large language models to simplify the search for malicious activity in datasets from security software, more accurately filter spam, and speed up analysis of "Living off the land" binary attacks.

However the technology sophistication raises inevitable question: what are the drawbacks of ChatGPT and similar technologies? With capabilities to generate a multitude of realistic responses, ChatGPT could be used to create a host of responses capable of tricking an unassuming reader into thinking a real human is behind the content. ChatGPT takes a complex prompt and generates a full response, potentially spanning multiple paragraphs.

Skyhigh Security has seen firsthand how 33,000 enterprise users have accessed ChatGPT through corporate infrastructures. Almost 7 TB of data has been transacted with ChatGPT through corporate web and cloud assets between Nov 2022 - Feb 2023.

A fake ChatGPT-branded Chrome browser extension has been found to come with capabilities to hijack Facebook accounts and create rogue admin accounts, highlighting one of the different methods cyber criminals are using to distribute malware. "By hijacking high-profile Facebook business accounts, the threat actor creates an elite army of Facebook bots and a malicious paid media apparatus," Guardio Labs researcher Nati Tal said in a technical report.