ChatGPT or FakeGPT? Avoiding Data Leak or Loss from Malicious Extensions
Generative AI is dominating headlines, and users are chomping at the bit to try it for themselves. ChatGPT eclipses other tools in popularity, giving users the power of a natural language processing tool driven by AI technology. But this impressive tool opens a formidable new frontier of security concerns: Threat actors are weaponizing the interest in ChatGPT with malicious extensions masquerading as ChatGPT extensions.
In this article, we’ll use the Spin.AI Risk Assessment, recommended by Google, to identify the security, compliance, and operational risks of today’s most popular ChatGPT Chrome extensions.
Fake ChatGPT extension hijacks Facebook accounts
Recent news exposed a fraudulent extension posing as a legitimate Chat GPT Chrome browser extension, installed by over 9,000 users. Advertised on Facebook as a tool to help users enhance their search engine with ChatGPT, the extension instead acted as a Trojan horse and hijacked Facebook accounts undetected. The extension was quickly removed from the storefront – but not before stealing login credentials of at least 6,000 corporate accounts and 7,000 virtual private network accounts.
Unregulated ChatGPT extensions are cropping up faster than they can be taken down. Spin.AI’s security researchers reviewed the Chrome Web Store and discovered that 3 months ago, there were only 11 extensions for ChatGPT: today, there are over 200 and counting.
Chrome Extension: ChatGPT for Google
Our recent study shows that 75% of SaaS applications are considered high-risk. Using the Spin.AI App Risk Assessment, we were able to analyze the most popular extension in the Chrome Web Store today: ChatGPT for Google.
With over 2 million installations, this extension claims to enhance users’ search engine capabilities with ChatGPT. It also received a badge of having a consistently positive track record with Google services – appearing, at first glance, as a legitimate Chrome extension. Let’s take a closer look at its potential security and compliance risks.
Spin.AI Risk Score: 40 out of 100
This extension risk scores a surprising 40 out of 100 in our Spin.AI Chrome Extension Risk Assessment. Here are some of the risks we discovered:
Security Risk: Wide Scope of Permissions
The extension requests the following scope of permissions:
- Requesting read/write permissions
- Chrome.storage: provides an extension-specific way to persist user data and state
The extension is requesting read/write permissions on browsers and the ability to inject scripts as needed. This is a dangerous amount of access.
Compliance Risk: Unknown Developer
- The developer’s name cannot be determined. This Chrome Extension is registered on an individual Gmail account at email@example.com.
- It’s offered by a one-page website at chatgpt4google.com, with no official phone number or address
An app or browser extension that isn’t registered by an identified developer may:
- Contain harmful code or malware
- Not be supported or updated to address vulnerabilities
- Get access to more sensitive data than is required for its services
Compliance Risk: High
This extension appears to be developed and maintained by an individual developer rather than an organization – meaning:
- It’s unlikely to have independent audit reports
- The developer’s jurisdiction cannot be determined
Most ChatGPT extensions available on the Chrome Web store today are, by the same standards, alarmingly high risk. We were also able to identify the following popular ChatGPT extensions as high and medium risks:
- ChatGenie for ChatGPT: 41/100
- ChatGPT Writer: 42/100
- ChatGPT Assistant – Smart Search: 44/100
- LINER:ChatGPT for Google Search & Highlighter: 50/100
- ChatGPT as a New Tab: 58/100
A malicious extension is capable of:
- Stealing sensitive personal information and login credentials
- Displaying unwanted targeted ads
- Slowing browser speeds
- Injecting malicious code/malware
Once installed, these extensions can have access to your machine, your activity, your sensitive data, and your entire environment.
How can I reduce the risk of data leak using ChatGPT extensions?
To combat the growing risk of malicious extensions, Google has recently integrated Spin.AI Risk Assessment directly into the Google Workspace Admin console.
The Spin.AI App Risk Assessment helps organizations protect against leaking sensitive data through any type of browser extension – including ChatGPT extensions. Spin.ai provides organizations with full visibility into any browser extensions connected to their SaaS environment and timely response capabilities when unauthorized high-risk extensions are detected.
How does Spin.AI assess risk?
- Based on the OWASP framework
- Considers over 15+ characteristics for each detected SaaS application or browser extension
- Provides an easy-to-view assessment with the ability to drill down on each application’s possible business, security, or compliance risks
- Delivers a detailed and intuitive scoring system (from 0 to 100) for SecOps teams to zero in on the riskiest applications
- Automates installation detection and assessment, along with updates on when OAuth tokens were last refreshed
- Provides granular controls and risk-based policies to automate SaaS management
- Creates policies to allow or block applications or extensions based on their:
- Risk Score
- Scope of Permissions
- Application ID
- Application Name
Get a real-time risk assessment for malicious browser extensions here.
Was this helpful?
How Can You Maximize SaaS Security Benefits?
Let's get started with a live demo
Latest blog posts
With many businesses relying on SaaS environments, SaaS security has become critical. Learn the best practices of SaaS security that […]
The number of ransomware attacks has been growing steadily for the past years. So have the ransom payments. Experts predict […]