May 15, 2023 | Reading time 4 minutes

ChatGPT or FakeGPT? Avoiding Data Leak or Loss from Malicious Extensions

Generative AI is dominating headlines, and users are chomping at the bit to try it for themselves. ChatGPT eclipses other tools in popularity, giving users the power of a natural language processing tool driven by AI technology. But this impressive tool opens a formidable new frontier of security concerns: Threat actors are weaponizing the interest in ChatGPT with malicious extensions masquerading as ChatGPT extensions. 

In this article, we’ll use the Spin.AI Risk Assessment, recommended by Google, to identify the security, compliance, and operational risks of today’s most popular ChatGPT Chrome extensions.

Fake ChatGPT extension hijacks Facebook accounts

Recent news exposed a fraudulent extension posing as a legitimate ChatGPT Chrome browser extension, installed by over 9,000 users. Advertised on Facebook as a tool to help users enhance their search engine with ChatGPT, the extension instead acted as a Trojan horse and hijacked Facebook accounts undetected. The extension was quickly removed from the storefront – but not before stealing login credentials of at least 6,000 corporate accounts and 7,000 virtual private network accounts.

Unregulated ChatGPT extensions are cropping up faster than they can be taken down. Spin.AI’s security researchers reviewed the Chrome Web Store and discovered that 3 months ago, there were only 11 extensions for ChatGPT: today, there are over 200 and counting. 

Chrome Extension: ChatGPT for Google

Our recent study shows that 75% of SaaS applications are considered high-risk. Using the Spin.AI App Risk Assessment, we were able to analyze the most popular extension in the Chrome Web Store today: ChatGPT for Google.

With over 2 million installations, this extension claims to enhance users’ search engine capabilities with ChatGPT. It also received a badge of having a consistently positive track record with Google services – appearing, at first glance, as a legitimate Chrome extension. Let’s take a closer look at its potential security and compliance risks. 


Spin.AI Risk Score: 40 out of 100

This extension scores a surprising 40 out of 100 in our Spin.AI Chrome Extension Risk Assessment. Here are some of the risks we discovered:


Security Risk: Wide Scope of Permissions


The extension requests the following scope of permissions:

  • Read/write permissions: the ability to read and change data on the websites the extension is allowed to access
  • Storage: provides an extension-specific way to persist user data and state
  • Scripting: allows the extension to inject JavaScript and CSS into websites via the chrome.scripting API

The extension is requesting read/write permissions on browsers and the ability to inject scripts as needed. This is a dangerous amount of access.
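To make the permission review above concrete, here is an added example (illustration code, not Spin.AI's assessment and not the "ChatGPT for Google" extension's actual manifest) that audits a Chrome extension manifest.json for the combination that matters: broad host access plus the ability to run code on pages. Both manifests at the bottom are constructed; the first mirrors the scope listed above (host read/write, storage, scripting), the second shows the same helper scoped down to the one site it needs. The risk-permission list and the three-level rating are the example's own assumptions, not a published Chrome or OWASP scale.

```javascript
// Added example: audit a Chrome extension manifest for the permission scope
// described above. Not Spin.AI's code and not the real extension's manifest;
// the manifests at the bottom are constructed for illustration.

// Permissions that let an extension read or change page content, traffic or
// session material (assumed list). "storage" is deliberately absent: on its
// own it only lets the extension persist its own data.
const HIGH_RISK_PERMISSIONS = new Set([
  'scripting',          // inject JavaScript/CSS via chrome.scripting
  'webRequest',         // observe network requests
  'webRequestBlocking', // modify or block them (Manifest V2)
  'cookies',            // read session cookies of permitted hosts
  'tabs',               // URL and title of every open tab
  'history',
  'clipboardRead',
  'debugger',           // DevTools protocol access to pages
]);

// Match patterns that cover every site the browser visits.
const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.has(pattern);
}

function looksLikeHostPattern(p) {
  return p === '<all_urls>' || p.includes('://');
}

// Returns { level, findings }; level is 'low', 'medium' or 'high'.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV3 puts host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = [...(manifest.host_permissions || []), ...perms.filter(looksLikeHostPattern)];
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  for (const p of perms) {
    if (HIGH_RISK_PERMISSIONS.has(p)) findings.push(`high-risk permission: ${p}`);
  }
  const broadHosts = hosts.filter(isBroadHost);
  for (const h of broadHosts) findings.push(`read/write access on every site: ${h}`);
  const broadScripts = scriptMatches.filter(isBroadHost);
  for (const m of broadScripts) findings.push(`content script runs on every site: ${m}`);

  // Code execution on pages comes from declared content scripts, or from the
  // scripting API combined with host access.
  const canRunCode = scriptMatches.length > 0 || (perms.includes('scripting') && hosts.length > 0);
  const broadAccess = broadHosts.length > 0 || broadScripts.length > 0;

  let level = 'low';
  if (findings.length > 0) level = 'medium';
  if (broadAccess && canRunCode) {
    findings.push('can inject code into any page the user visits');
    level = 'high';
  }
  return { level, findings };
}

// Constructed manifest mirroring the scope listed above: broad host
// read/write, storage, scripting.
const BROAD_MANIFEST = {
  manifest_version: 3,
  name: 'Example search assistant (constructed)',
  permissions: ['storage', 'scripting'],
  host_permissions: ['<all_urls>'],
};

// Constructed alternative scoped to the one site a search-page helper needs.
const NARROW_MANIFEST = {
  manifest_version: 3,
  name: 'Example search assistant, narrowed (constructed)',
  permissions: ['storage'],
  host_permissions: ['https://www.google.com/*'],
  content_scripts: [{ matches: ['https://www.google.com/search*'], js: ['inject.js'] }],
};

for (const m of [BROAD_MANIFEST, NARROW_MANIFEST]) {
  const { level, findings } = auditManifest(m);
  console.log(`${m.name}: ${level}`);
  for (const f of findings) console.log(`  - ${f}`);
}
```

The point of the comparison is that a search-page helper does not need `<all_urls>` or `scripting`: a content script declared for the one host it serves does the same job with far less reach. Run it with `node audit.js` against any unpacked extension's manifest.json (loaded with `JSON.parse(fs.readFileSync(...))`) to get the same breakdown.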

Compliance Risk: Unknown Developer 

  • The developer’s name cannot be determined. This Chrome Extension is registered on an individual Gmail account at
  • It’s offered by a one-page website at, with no official phone number or address

An app or browser extension that isn’t registered by an identified developer may:

  • Contain harmful code or malware
  • Not be supported or updated to address vulnerabilities
  • Get access to more sensitive data than is required for its services

Compliance Risk: High


This extension appears to be developed and maintained by an individual developer rather than an organization – meaning: 

  • The privacy policy, if present, may be inadequate for legal and compliance uses
  • It’s unlikely to have independent audit reports
  • The developer’s jurisdiction cannot be determined

Most ChatGPT extensions available on the Chrome Web Store today are, by the same standards, alarmingly high risk. We were also able to identify several other popular ChatGPT extensions as high and medium risks.

A malicious extension is capable of: 

  • Stealing sensitive personal information and login credentials
  • Displaying unwanted targeted ads 
  • Slowing browser speeds 
  • Injecting malicious code/malware

Once installed, these extensions can have access to your machine, your activity, your sensitive data, and your entire environment. 

How can I reduce the risk of data leak using ChatGPT extensions?

To combat the growing risk of malicious extensions, Google has recently integrated Spin.AI Risk Assessment directly into the Google Workspace Admin console.  

The Spin.AI App Risk Assessment helps organizations protect against leaking sensitive data through any type of browser extension – including ChatGPT extensions. It gives organizations full visibility into any browser extensions connected to their SaaS environment and timely response capabilities when unauthorized high-risk extensions are detected.

How does Spin.AI assess risk?

  • Based on the OWASP framework
  • Considers more than 15 characteristics for each detected SaaS application or browser extension
  • Provides an easy-to-view assessment with the ability to drill down on each application’s possible business, security, or compliance risks
  • Delivers a detailed and intuitive scoring system (from 0 to 100) for SecOps teams to zero in on the riskiest applications
  • Automates installation detection and assessment, along with updates on when OAuth tokens were last refreshed
  • Provides granular controls and risk-based policies to automate SaaS management 
  • Creates policies to allow or block applications or extensions based on their:
    • Risk Score
    • Scope of Permissions
    • Application ID
    • Category
    • Developer
    • Application Name

Get a real-time risk assessment for malicious browser extensions here.
