May 15, 2023 | Reading time 9 minutes

ChatGPT or FakeGPT? Avoiding Data Leak or Loss from Malicious Extensions

Generative AI is dominating headlines, and users are chomping at the bit to try it for themselves. ChatGPT eclipses other tools in popularity, giving users the power of a natural language processing tool driven by AI technology. But this impressive tool opens a formidable new frontier of security concerns: Threat actors are weaponizing the interest in ChatGPT with malicious extensions masquerading as ChatGPT extensions. 

In this article, we’ll use the Spin.AI Risk Assessment, recommended by Google, to identify the security, compliance, and operational risks of today’s most popular ChatGPT Chrome extensions.

Fake ChatGPT extension hijacks Facebook accounts

Recent news exposed a fraudulent extension posing as a legitimate ChatGPT Chrome browser extension, installed by over 9,000 users. Advertised on Facebook as a tool to help users enhance their search engine with ChatGPT, the extension instead acted as a Trojan horse and hijacked Facebook accounts undetected. The extension was quickly removed from the storefront – but not before stealing login credentials of at least 6,000 corporate accounts and 7,000 virtual private network accounts.

Unregulated ChatGPT extensions are cropping up faster than they can be taken down. Spin.AI’s security researchers reviewed the Chrome Web Store and discovered that 3 months ago, there were only 11 extensions for ChatGPT: today, there are over 200 and counting. 


Chrome Extension: ChatGPT for Google

Our recent study shows that 75% of SaaS applications are considered high-risk. Using the Spin.AI App Risk Assessment, we were able to analyze the most popular extension in the Chrome Web Store today: ChatGPT for Google.

With over 2 million installations, this extension claims to enhance users’ search engine capabilities with ChatGPT. It also received a badge of having a consistently positive track record with Google services – appearing, at first glance, as a legitimate Chrome extension. Let’s take a closer look at its potential security and compliance risks. 


Spin.AI Risk Score: 40 out of 100

This extension scores a surprising 40 out of 100 in our Spin.AI Chrome Extension Risk Assessment. Here are some of the risks we discovered:


Security Risk: Wide Scope of Permissions


The extension requests the following scope of permissions:

  • Read/write permissions
  • chrome.storage: provides an extension-specific way to persist user data and state
  • scripting: allows the extension to inject JavaScript and CSS into websites via the chrome.scripting API

The extension is requesting read/write permissions in the browser and the ability to inject scripts as needed. This is a dangerous amount of access.

Compliance Risk: Unknown Developer

  • The developer’s name cannot be determined. This Chrome Extension is registered on an individual Gmail account at chatgpt4search@gmail.com.
  • It’s offered by a one-page website at chatgpt4google.com, with no official phone number or address.

An app or browser extension that isn’t registered by an identified developer may:

  • Contain harmful code or malware
  • Not be supported or updated to address vulnerabilities
  • Get access to more sensitive data than is required for its services

Compliance Risk: High


This extension appears to be developed and maintained by an individual developer rather than an organization, meaning:

  • The privacy policy, if present, may be inadequate for legal and compliance uses
  • It’s unlikely to have independent audit reports
  • The developer’s jurisdiction cannot be determined

Most ChatGPT extensions available on the Chrome Web Store today are, by the same standards, alarmingly high risk. We were also able to identify the following popular ChatGPT extensions as high or medium risk:

A malicious extension is capable of: 

  • Stealing sensitive personal information and login credentials
  • Displaying unwanted targeted ads 
  • Slowing browser speeds 
  • Injecting malicious code/malware

Once installed, these extensions can have access to your machine, your activity, your sensitive data, and your entire environment. 


How can I reduce the risk of data leak using ChatGPT extensions?

To combat the growing risk of malicious extensions, Google has recently integrated Spin.AI Risk Assessment directly into the Google Workspace Admin console.  

The Spin.AI App Risk Assessment helps organizations protect against leaking sensitive data through any type of browser extension – including ChatGPT extensions. Spin.ai provides organizations with full visibility into any browser extensions connected to their SaaS environment and timely response capabilities when unauthorized high-risk extensions are detected.


How does Spin.AI assess risk?

  • Based on the OWASP framework
  • Considers more than 15 characteristics for each detected SaaS application or browser extension
  • Provides an easy-to-view assessment with the ability to drill down on each application’s possible business, security, or compliance risks
  • Delivers a detailed and intuitive scoring system (from 0 to 100) for SecOps teams to zero in on the riskiest applications
  • Automates installation detection and assessment, along with updates on when OAuth tokens were last refreshed
  • Provides granular controls and risk-based policies to automate SaaS management 
  • Creates policies to allow or block applications or extensions based on their:
    • Risk Score
    • Scope of Permissions
    • Application ID
    • Category
    • Developer
    • Application Name
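To make the "scope of permissions" risk concrete, and to show how a risk score can drive the allow/block policies listed above, here is an added example (not Spin.AI's product code or its scoring model). It parses an extension's manifest.json, flags the same kinds of access discussed for ChatGPT for Google (chrome.storage, chrome.scripting, access to all sites), and applies a block rule. The manifest, the permission weights and the block threshold are all constructed for illustration; in this example a higher score means higher risk.

```python
import json

# Constructed sample Manifest V3 for illustration only; it is NOT the manifest
# of any real extension mentioned in the article.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Search Helper",
    "version": "1.0",
    "permissions": ["storage", "scripting", "activeTab"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://www.google.com/*"], "js": ["cs.js"]}],
})

# Illustrative weights chosen for this example, not Spin.AI's scoring.
PERMISSION_WEIGHTS = {
    "scripting": 25,   # chrome.scripting: inject JS/CSS into pages
    "cookies": 20,     # read/modify cookies, i.e. session material
    "webRequest": 20,  # observe network requests
    "tabs": 10,        # enumerate open tabs and their URLs
    "storage": 5,      # chrome.storage: persist extension data locally
}
# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def assess_manifest(manifest_text):
    """Return (score, findings) for a manifest.json string; score is capped at 100."""
    m = json.loads(manifest_text)
    score, findings = 0, []
    for perm in m.get("permissions", []):
        if perm in PERMISSION_WEIGHTS:
            score += PERMISSION_WEIGHTS[perm]
            findings.append(f"permission:{perm}")
    # Host scope comes from host_permissions and from content_scripts matches.
    hosts = list(m.get("host_permissions", []))
    for cs in m.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))
    if any(h in BROAD_HOSTS for h in hosts):
        score += 40
        findings.append("host:all-sites")
    # Script injection plus access to every site is the combination the article calls dangerous.
    if "permission:scripting" in findings and "host:all-sites" in findings:
        findings.append("combo:inject-anywhere")
    return min(score, 100), findings

def policy_decision(score, findings, block_score=50, blocked=("combo:inject-anywhere",)):
    """Allow/block rule keyed on risk score and scope of permissions (hypothetical policy)."""
    if score >= block_score or any(f in blocked for f in findings):
        return "block"
    return "allow"
```

Running assess_manifest on the sample yields a score of 70 with the inject-anywhere finding, so policy_decision returns "block"; a manifest limited to storage and a single host would be allowed.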

Get a real-time risk assessment for malicious browser extensions here.


About Author

Davit Asatryan is the Vice President of Product at Spin.AI

He is responsible for executing product strategy by overseeing the entire product lifecycle, with a focus on developing cutting-edge solutions to address the evolving landscape of cybersecurity threats.

He has been with the company for over 5 years and specializes in SaaS Security, helping organizations battle Shadow IT, ransomware, and data leak issues.

Prior to joining Spin.AI, Davit gained experience by working in fintech startups and also received his Bachelor’s degree from UC Berkeley. In his spare time, Davit enjoys traveling, playing soccer and tennis with his friends, and watching sports of any kind.
