Beware! Fake ChatGPT browser extensions are stealing your login credentials

Graham CLULEY

January 28, 2026

If you've installed a browser extension to enhance your ChatGPT experience, you might want to think again.

Security researchers have uncovered at least 16 malicious Chrome extensions masquerading as handy ChatGPT productivity tools. Their real purpose? To steal your account credentials and hijack your sessions.

The extensions, which at the time of writing remain available on the Chrome Web Store, promise helpful features like folder organisation, voice downloads, prompt management, and chat history search.

However, in reality they are quietly stealing users' authentication tokens and sending them to a remote server controlled by the attackers.

According to researchers at LayerX who discovered the campaign, all of the malicious extensions appear to be the work of one person or group, using multiple identities in an attempt to distribute them as widely as possible.

The offending extensions do not deploy traditional malware or attempt to exploit flaws in ChatGPT itself. Instead, they hook into the Chrome browser, and intercept outgoing data that contains users' authentication details.

That means that if you are logged into ChatGPT and the extension detects a request which contains an authorisation header, it will extract your session token and send it to the attackers. A cybercriminal with that token can effectively pose as you - accessing your entire ChatGPT chat history, any connected services like Slack or GitHub, and any potentially sensitive information you have shared with the AI.

The good news is that the malware campaign has not yet gained massive traction. Researchers say that at the time of discovery, the Chrome Web Store indicated a mere 900 downloads across the 16 malicious extensions.

However, that could - of course - change very quickly if one or more of the extensions suddenly became popular.

So, what should you do if you use Google Chrome and ChatGPT?

My advice is to check if you have installed any ChatGPT-related browser extensions recently, and remove any that you have concerns over.

The security researchers who uncovered the malware campaign have listed the names of the extensions that have been identified so far (although, of course, it is possible that more have been used - or could still be):

  • ChatGPT folder, voice download, prompt manager - ChatGPT Mods
  • ChatGPT voice download, TTS download - ChatGPT Mods
  • ChatGPT pin chat, bookmark - ChatGPT Mods
  • ChatGPT message navigator, history scroller - ChatGPT Mods
  • ChatGPT model switch - ChatGPT Mods
  • ChatGPT export - ChatGPT Mods
  • ChatGPT Timestamp Display - ChatGPT Mods
  • ChatGPT bulk delete, Chat manager - ChatGPT Mods
  • ChatGPT search history - ChatGPT Mods
  • ChatGPT prompt optimization - ChatGPT Mods
  • Collapsed message - ChatGPT Mods
  • Multi-Profile Management & Switching - ChatGPT Mods
  • Search with ChatGPT - ChatGPT Mods
  • ChatGPT Token counter - ChatGPT Mods
  • ChatGPT Prompt Manager, Folder, Library, Auto Send - ChatGPT Mods

If you spot that any of these extensions are installed in your browser, remove them immediately. You would also probably be wise to change your OpenAI password for good measure, and review your computer security.
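If you look after more than one machine, the check can be scripted. The following is an added example, not code from LayerX or from the original article: it reads the manifests in a Chrome profile's Extensions folder, resolves localised names, and flags any extension whose name ends in "ChatGPT Mods", the suffix shared by every entry in the list above. Matching on that suffix is a heuristic chosen for this example, so treat a hit as a prompt to review the extension.

```python
import json
import sys
from pathlib import Path

# Every name in the list above ends with this marker; matching on it is a
# heuristic chosen for this example, so a hit means "review", not proof.
MARKER = "chatgpt mods"

def display_name(version_dir):
    """Return the extension's visible name, resolving __MSG_key__ placeholders."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].casefold()  # message keys are case-insensitive
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
        for k, v in messages.items():
            if k.casefold() == key:
                return v.get("message", name)
    return name

def scan(extensions_root):
    """Return sorted (extension_id, name) pairs whose name ends with MARKER."""
    hits = set()
    # Chrome stores each extension as <Extensions>/<id>/<version>/manifest.json
    for manifest in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            name = str(display_name(manifest.parent))
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip it
        if " ".join(name.split()).casefold().endswith(MARKER):
            hits.add((manifest.parent.parent.name, name))
    return sorted(hits)

if __name__ == "__main__":
    # Pass one profile's Extensions directory, for example on Linux:
    #   ~/.config/google-chrome/Default/Extensions
    if len(sys.argv) != 2:
        sys.exit("usage: scan_extensions.py <path to a profile's Extensions directory>")
    for ext_id, name in scan(sys.argv[1]):
        print(f"REVIEW {ext_id}  {name}")
```

Run it once per Chrome profile, since each profile keeps its own Extensions folder.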

In general it is important to be cautious about browser extensions - and in particular those which offer to enhance AI services. The rapid adoption of AI tools makes them an increasingly attractive target for cybercriminals.

Before installing any extension, check the publisher's reputation, read reviews, and ask yourself whether you really need yet another add-on cluttering up your browser.

Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
