
Chrome, Edge Extensions Caught Stealing ChatGPT Sessions

Marketed as ChatGPT enhancement and productivity tools, the extensions allow the threat actor to access the victim's ChatGPT data. The post Chrome, Edge Extensions Caught Stealing ChatGPT Sessions appeared first on SecurityWeek.

Malicious browser extensions

A threat actor has created 16 browser extensions to steal users’ ChatGPT sessions and published them to the official Chrome and Edge stores, LayerX reports.

Banking on the increased adoption of AI-powered browser extensions that fulfill users’ productivity needs, the threat actor published 15 extensions to the Chrome Web Store and one to the Microsoft Edge Add-ons marketplace.

Marketed as ChatGPT enhancement and productivity tools, the extensions have a combined download count of over 900, and they were still available through the official marketplaces as of January 26, LayerX says.

The tools were designed to intercept users’ ChatGPT session authentication tokens and send them to a remote server, but they don’t exploit ChatGPT vulnerabilities to do so.

Instead, they inject a content script into chatgpt.com and execute it in the MAIN JavaScript world.

The script monitors outbound requests initiated by the web application in order to identify and extract authorization headers, then passes them to a second content script, which exfiltrates them to the remote server.

“This approach allows the extension operator to authenticate to ChatGPT services using the victim’s active session and obtain all users’ history chats and connectors,” LayerX notes.

The cybersecurity company explains that running content scripts in the MAIN JavaScript world lets the attacker interact directly with the page’s native runtime, instead of being confined to the browser’s isolated content-script environment.
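The pattern LayerX describes can be spotted statically in an extension’s manifest before it is ever loaded. The following is an added example, not code from LayerX or SecurityWeek: it audits a Manifest V3 file for content scripts declared with "world": "MAIN" whose match patterns cover chatgpt.com. The sample manifest and the host list are constructed for illustration.

```javascript
// Added example (not from the LayerX report): flag MV3 content scripts
// that run in the MAIN world on a high-value host such as chatgpt.com.
const HIGH_VALUE_HOSTS = ["chatgpt.com", "chat.openai.com"]; // assumed list

// Test whether a Chrome match pattern (e.g. "*://*.chatgpt.com/*")
// covers the given host. Only the host component is examined.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const hostPattern = m[2];
  if (hostPattern === "*") return true;
  if (hostPattern.startsWith("*.")) {
    const base = hostPattern.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return hostPattern === host;
}

// One finding per MAIN-world content script that reaches a high-value
// host; an empty array means the pattern was not present.
function auditManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    if (cs.world !== "MAIN") continue;
    for (const host of HIGH_VALUE_HOSTS) {
      if ((cs.matches || []).some((p) => patternCoversHost(p, host))) {
        findings.push({ host, scripts: cs.js || [], matches: cs.matches });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest shaped like the extensions described:
// a MAIN-world hook plus an ordinary (isolated) bridge script.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example productivity helper (constructed)",
  content_scripts: [
    { matches: ["*://chatgpt.com/*"], js: ["page-hook.js"], world: "MAIN" },
    { matches: ["*://chatgpt.com/*"], js: ["bridge.js"] },
  ],
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

A finding is a reason to inspect the listed scripts, not proof of malice; legitimate extensions occasionally need MAIN-world access.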

The analyzed extensions were also seen exfiltrating extension metadata, usage telemetry and event data, and access tokens issued by the backend and used by the extension service.

“This data allows the attacker to further expand access tokens and enables persistent user identification, behavioral profiling, and long-lived access to third-party services,” LayerX says.

Based on the use of a shared codebase, publisher characteristics, and similar icons, branding, and descriptions, the cybersecurity firm believes a single threat actor is behind all 16 extensions.

“By combining MAIN-world execution with authentication token interception, the operators obtained persistent access to user accounts while remaining within the boundaries of standard web behavior. Such techniques are particularly difficult to detect using traditional endpoint or network security tools,” LayerX notes.
