ChatGPT Browser Extension Hijacks Facebook Business Accounts

ChatGPT Browser Extension Hijacks Facebook Business Accounts

A threat actor may have compromised thousands of Facebook accounts — including business accounts — through a sophisticated fake Chrome ChatGPT browser extension that, until earlier this week, was available in Google’s official Chrome Store .

According to this week’s analysis from Guardio, the malicious extension “Quick access to Chat GPT” promised users a quick way to communicate with very popular AI chatbot. In fact, it also secretly obtained a wide range of information from the browser, stole the cookies of all authorized active sessions, and installed a backdoor that gave super-admin permissions to the author of the Facebook malware user account.

ChatGPT’s Quick access browser extension is just one example of the many ways in which threat actors attempt to use the massive public interest in ChatGPT to distribute malware and infiltrate systems. An example is an adversary setting up a fake ChatGPT landing page, where users are tricked into “sign up” Just finished downloading a Trojan called Fobo. Others have reported a sharp increase in ChatGPT-themed phishing emails in recent months, and the growing use of fake ChatGPT apps to spread Windows and Android malware.

Targeting Facebook Business Accounts for a “Bot Army”

Guardio’s analysis showed that the malicious browser extension actually delivered on the quick access it promised to ChatGPT, simply by connecting to the chatbot’s API. But, in addition, the extension also obtains a complete list of all cookies stored in the user’s browser, including security and session tokens on Google, Twitter, and YouTube, and on any other active service.

In cases where the user may have had an active, authenticated Facebook session, the extension accessed Meta’s Graph API for developers. API access gave the extension the ability to retrieve all the data associated with the user’s Facebook account, and more worryingly, perform various actions on the user’s behalf.

More frighteningly, a component in the extension code allowed the hijacking of a user’s Facebook account by registering a rogue app with the user’s account and getting Facebook to approve it.

“An application under Facebook’s ecosystem is basically a SaaS service that has been approved to use its special API,” Guardio explained. Thus, by registering an app with the user’s account, the threat actor gained full admin mode on the victim’s Facebook account without having to harvest passwords or trying to bypass Facebook’s two-factor authentication, wrote of the security vendor.

If the extension encounters a Business Facebook account, it quickly harvests all information pertaining to that account, including currently active promotions, credit balance, currency, minimum billing limit, and whether the account may have credit facility related to it. “Later, the extension analyzes all the harvested data, prepares it, and sends it back to the C2 server using the following API calls — each by relevance and data type.”

A Financially Motivated Cybercriminal

Guardio speculates that the threat actor will likely sell the information it has harvested from the campaign to the highest bidder. The company also sees the potential for the attacker to create a bot army of hijacked Facebook Business accounts, which it can use to post malicious ads using money from victims’ accounts.

Guardio described the malware as having mechanisms for bypassing Facebook’s security measures when handling requests to access its APIs. For example, before Facebook grants access through its Meta Graph API, it first confirms that the request is from an authenticated user and also from a trusted source, Guardio said. To avoid detection, the threat actor included code in a malicious browser extension that ensured that all requests to the Facebook website from a victim’s browser had their headers modified so that they appeared to originate from them as well.

This gives the extension the ability to freely browse any Facebook page (including making API calls and actions) using your infected browser and without any trace,” Guardio researchers wrote in the report about the threat .