Fake ChatGPT browser extension hijacks Facebook business accounts
A threat actor may have compromised thousands of Facebook accounts – including corporate accounts – via a sophisticated fake Chrome ChatGPT browser extension that was available on Google’s official Chrome Store until earlier this week.
According to an analysis by Guardio this week, the malicious “Quick access to Chat GPT” extension promised users a quick way to interact with the hugely popular AI chatbot. In reality, it also secretly collected a variety of information from the browser, stole cookies of all authorized active sessions and installed a backdoor that gave the malware author super admin permissions to the user’s Facebook account.
The Quick access to ChatGPT browser extension is just one example of the many ways that threat actors have attempted to capitalize on the tremendous public interest in ChatGPT to proliferate malware and infiltrate systems. An example is an attacker who set up a fake ChatGPT landing page where users, tricked into “logging in”, ended up just downloading a trojan called Fobo. Others have reported a sharp rise in ChatGPT phishing emails and the increasing use of fake ChatGPT apps to distribute Windows and Android malware in recent months.
Targeting Facebook business accounts for a ‘bot army’
Guardio’s analysis showed that the malicious browser extension actually delivered the quick access to ChatGPT that it promised, simply by connecting to the chatbot’s API. In addition, however, the extension also collected a complete list of all cookies stored in the user’s browser, including security and session tokens for Google, Twitter and YouTube, as well as for all other active services.
In cases where the user might have had an active, authenticated session on Facebook, the extension accessed Meta’s Graph API for developers. API access gave the extension the ability to collect all data associated with the user’s Facebook account and, more disturbingly, perform a variety of actions on the user’s behalf.
Even more ominously, a component in the extension code enabled the user’s Facebook account to be hijacked, essentially registering a rogue app on the user’s account and tricking Facebook into approving it.
“An application in Facebook’s ecosystem is typically a SaaS service that has been approved to use its specific API,” Guardio explained. By registering an app in the user’s account, the attacker gained full administrator mode on the victim’s Facebook account without having to collect passwords or attempt to bypass Facebook’s two-factor authentication, the security provider wrote.
Whenever the extension encountered a business Facebook account, it quickly gathered all the information related to that account, including currently active promotions, balance, currency, minimum billing threshold, and whether the account might have a credit facility associated with it. “Later, the extension examines all the collected data, prepares it, and sends it back to the C2 server using the following API calls – each based on relevance and data type.”
A financially motivated cybercriminal
Guardio estimated that the threat actor is likely to sell the information gleaned from the campaign to the highest bidder. The company also sees potential for the attacker to create a bot army of hijacked Facebook business accounts, which it could use to post malicious ads using funds from victims’ accounts.
Guardio described the malware as having mechanisms to bypass Facebook’s security measures when handling access requests to its APIs. For example, before Facebook grants access through its Meta Graph API, it first confirms that the request came from an authenticated user and also from a trusted origin, Guardio said. To circumvent this precaution, the attacker injected code into the malicious browser extension that modified the headers of all requests the victim’s browser made to the Facebook website so that they appeared to originate from Facebook itself.
“This gives the extension the ability to freely browse any Facebook page (including API calls and actions) with your infected browser and leave no trace,” Guardio researchers wrote in the threat report.
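One defensive takeaway from the analysis: an extension cannot read every site’s cookies or rewrite outgoing request headers without declaring the matching Chrome permissions in its manifest.json. The Python triage script below is an added illustration, not code from Guardio’s report or from the extension itself; it flags a manifest that combines the `cookies` permission, broad host access and a header-rewriting permission (`webRequest`/`webRequestBlocking` in Manifest V2, `declarativeNetRequest` in V3), and the two manifests it inspects are constructed samples.

```python
import json

# Real Chrome manifest permission names. Reading another site's cookies needs
# "cookies" plus a host permission covering that site; rewriting request
# headers needs one of the webRequest / declarativeNetRequest permissions.
COOKIE_PERMS = {"cookies"}
HEADER_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _all_permissions(manifest: dict) -> set:
    """Collect declared and optional permissions (both MV2 and MV3 keys)."""
    perms = set()
    for key in ("permissions", "optional_permissions"):
        perms.update(manifest.get(key, []))
    return perms


def _host_patterns(manifest: dict) -> set:
    """Host patterns sit in 'permissions' (MV2) or 'host_permissions' (MV3)."""
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(p for p in _all_permissions(manifest)
                 if "://" in p or p == "<all_urls>")
    return hosts


def triage_manifest(manifest: dict) -> dict:
    """Return risk findings for one extension manifest."""
    perms = _all_permissions(manifest)
    hosts = _host_patterns(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    findings = {
        "reads_all_cookies": bool(perms & COOKIE_PERMS) and broad,
        "can_rewrite_headers": bool(perms & HEADER_PERMS),
        "reaches_facebook": broad or any("facebook.com" in h for h in hosts),
    }
    # The combination described in the write-up: harvest sessions everywhere
    # and spoof request origin towards Facebook.
    findings["session_theft_pattern"] = all(findings.values())
    return findings


# Constructed sample manifests (not the real extension's manifest).
BENIGN = json.loads('{"manifest_version": 3, "permissions": ["storage"], '
                    '"host_permissions": ["https://chat.openai.com/*"]}')
SUSPICIOUS = json.loads('{"manifest_version": 3, "host_permissions": ["<all_urls>"], '
                        '"permissions": ["cookies", "declarativeNetRequest", "storage"]}')

if __name__ == "__main__":
    for name, m in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_manifest(m))
```

A positive result is a reason to inspect the extension’s background code and network behaviour, not proof of malice, since some legitimate privacy and ad-blocking extensions request the same permissions.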