Generative AI is dominating headlines, and users are chomping at the bit to try it for themselves. ChatGPT eclipses other tools in popularity, giving users the power of a natural language processing tool driven by AI technology. But this impressive tool opens a formidable new frontier of security concerns: threat actors are weaponizing the interest in ChatGPT with malicious extensions masquerading as ChatGPT extensions. In this article, we'll use the Spin.AI Risk Assessment, recommended by Google, to identify the security, compliance, and operational risks of today's most popular ChatGPT Chrome extensions.

Fake ChatGPT extension hijacks Facebook accounts

Recent news exposed a fraudulent extension posing as a legitimate ChatGPT Chrome browser extension, installed by over 9,000 users. Advertised on Facebook as a tool to help users enhance their search engine with ChatGPT, the extension instead acted as a Trojan horse and hijacked Facebook accounts undetected. The extension was quickly removed from the storefront, but not before stealing the login credentials of at least 6,000 corporate accounts and 7,000 virtual private network accounts.

Unregulated ChatGPT extensions are cropping up faster than they can be taken down. Spin.AI's security researchers reviewed the Chrome Web Store and discovered that 3 months ago there were only 11 extensions for ChatGPT; today there are over 200 and counting.

Chrome Extension: ChatGPT for Google

Our recent study shows that 75% of SaaS applications are considered high-risk. Using the Spin.AI App Risk Assessment, we analyzed the most popular extension in the Chrome Web Store today: ChatGPT for Google. With over 2 million installations, this extension claims to enhance users' search engine capabilities with ChatGPT. It also carries a badge for a consistently positive track record with Google services, appearing, at first glance, to be a legitimate Chrome extension.
Let's take a closer look at its potential security and compliance risks.

Spin.AI Risk Score: 40 out of 100

This extension scores a surprising 40 out of 100 in our Spin.AI Chrome Extension Risk Assessment. Here are some of the risks we discovered:

Security Risk: Wide Scope of Permissions

The extension requests the following scope of permissions:

- Read/write permissions
- chrome.storage: provides an extension-specific way to persist user data and state
- Scripting: allows the extension to inject JavaScript and CSS into websites via API

The extension is requesting read/write permissions in the browser and the ability to inject scripts as needed. This is a dangerous amount of access.

Compliance Risk: Unknown Developer

The developer's name cannot be determined:

- This Chrome extension is registered on an individual Gmail™ account at chatgpt4search@gmail.com.
- It is offered by a one-page website at chatgpt4google.com, with no official phone number or address.

An app or browser extension that isn't registered by an identified developer may:

- Contain harmful code or malware
- Not be supported or updated to address vulnerabilities
- Get access to more sensitive data than is required for its services

Compliance Risk: High

This extension appears to be developed and maintained by an individual developer rather than an organization, meaning:

- The privacy policy, if present, may be inadequate for legal and compliance uses
- It is unlikely to have independent audit reports
- The developer's jurisdiction cannot be determined

Most ChatGPT extensions available on the Chrome Web Store today are, by the same standards, alarmingly high risk.
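To make the permissions point above concrete, here is an added example (not Spin.AI's code, and not the scoring model behind the 40/100 figure) that reads a Chrome Manifest V3 manifest.json and flags the combinations that give an extension broad read/write reach: the scripting permission on its own, and scripting paired with a wildcard host pattern or an all-sites content script. The weights, the high/medium/low thresholds, and the two sample manifests are assumptions constructed for this demo; the first sample models the storage + scripting set the article describes, with a made-up name and host pattern, and the second shows the same features scoped to a single origin.

```javascript
// Added example: triage a Chrome extension manifest for broad permissions.
// Weights, thresholds and sample manifests are illustrative assumptions.

// Permissions that let an extension read or alter page content, persist data,
// or observe browsing. Weights are assumptions for this demo, not Spin.AI's.
const RISKY_PERMISSIONS = {
  scripting:  { weight: 30, why: 'can inject JavaScript/CSS into pages' },
  storage:    { weight: 5,  why: 'persists extension data and state' },
  tabs:       { weight: 10, why: 'can read tab URLs and titles' },
  cookies:    { weight: 25, why: 'can read and modify cookies' },
  webRequest: { weight: 20, why: 'can observe network requests' },
  history:    { weight: 15, why: 'can read browsing history' },
};

// Host patterns that cover every site; with these, script injection reaches everything.
const BROAD_HOSTS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

function assessManifest(manifest) {
  const findings = [];
  let score = 0;
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];

  // Individual risky permissions.
  for (const p of perms) {
    if (RISKY_PERMISSIONS[p]) {
      findings.push(`permission "${p}": ${RISKY_PERMISSIONS[p].why}`);
      score += RISKY_PERMISSIONS[p].weight;
    }
  }

  // Wildcard host access.
  const broad = hosts.filter((h) => BROAD_HOSTS.includes(h));
  if (broad.length) {
    findings.push(`broad host access: ${broad.join(', ')}`);
    score += 20;
  }

  // The combination that matters most: script injection plus access to every site.
  if (perms.includes('scripting') && broad.length) {
    findings.push('scripting + broad host access: can read and alter any page the user visits');
    score += 20;
  }

  // Statically declared content scripts matching all sites count the same way.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOSTS.includes(m))) {
      findings.push(`content script runs on all sites: ${(cs.js || []).join(', ')}`);
      score += 20;
      break;
    }
  }

  const capped = Math.min(score, 100);
  const level = capped >= 50 ? 'high' : capped >= 20 ? 'medium' : 'low';
  return { score: capped, level, findings };
}

// Constructed sample modelled on the storage + scripting set the article describes;
// name, version and host pattern are made up for the demo.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Example Search Helper (constructed)',
  version: '0.0.1',
  permissions: ['storage', 'scripting'],
  host_permissions: ['<all_urls>'],
};

// Constructed tightly scoped alternative: persistence only, limited to one origin.
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: 'Example Search Helper, scoped (constructed)',
  version: '0.0.1',
  permissions: ['storage'],
  host_permissions: ['https://www.google.com/*'],
};

console.log(JSON.stringify(assessManifest(SAMPLE_MANIFEST), null, 2));
console.log(JSON.stringify(assessManifest(SCOPED_MANIFEST), null, 2));
```

Run it with node after saving the manifest you want to check; the broad sample lands at "high" because scripting and <all_urls> together let the extension read and rewrite any page, while the scoped variant scores "low" because it can only persist its own state. The same structure (score a manifest, then allow or block by threshold) is what an admin-console policy keyed on risk score or scope of permissions does in bulk.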
We were also able to identify the following popular ChatGPT extensions as high and medium risks:

- ChatGenie for ChatGPT: 41/100
- ChatGPT Writer: 42/100
- LINER: ChatGPT for Google Search & Highlighter: 50/100
- ChatGPT as a New Tab: 58/100

A malicious extension is capable of:

- Stealing sensitive personal information and login credentials
- Displaying unwanted targeted ads
- Slowing browser speeds
- Injecting malicious code/malware

Once installed, these extensions can have access to your machine, your activity, your sensitive data, and your entire environment.

How can I reduce the risk of data leaks from ChatGPT extensions?

To combat the growing risk of malicious extensions, Google has recently integrated the Spin.AI Risk Assessment directly into the Google Workspace™ Admin console. The Spin.AI App Risk Assessment helps organizations protect against leaking sensitive data through any type of browser extension, including ChatGPT extensions. Spin.AI provides organizations with full visibility into any browser extensions connected to their SaaS environment and timely response capabilities when unauthorized high-risk extensions are detected.

How does Spin.AI assess risk?

- Based on the OWASP framework
- Considers over 15 characteristics for each detected SaaS application or browser extension
- Provides an easy-to-view assessment with the ability to drill down into each application's possible business, security, or compliance risks
- Delivers a detailed and intuitive scoring system (from 0 to 100) for SecOps teams to zero in on the riskiest applications
- Automates installation detection and assessment, along with updates on when OAuth tokens were last refreshed
- Provides granular controls and risk-based policies to automate SaaS management
- Creates policies to allow or block applications or extensions based on their risk score, scope of permissions, application ID, category, developer, or application name

Get a real-time risk assessment for malicious browser extensions here.