ChatGPT Browser Extension Hijacks Facebook Business Accounts

Published: 23/11/2024   Category: security




Between March 3 and March 9, at least 2,000 people a day installed the malicious "Quick access to ChatGPT" Chrome extension from the Chrome Web Store.



A threat actor may have compromised thousands of Facebook accounts, including business accounts, via a sophisticated fake ChatGPT Chrome browser extension that, until earlier this week, was available on Google's official Chrome Web Store.
According to an analysis this week from Guardio, the malicious "Quick access to ChatGPT" extension promised users a quick way to interact with the hugely popular AI chatbot. In reality, it also surreptitiously harvested a wide range of information from the browser, stole the cookies of every authenticated active session, and installed a backdoor that gave the malware author super-admin permissions on the user's Facebook account.
The "Quick access to ChatGPT" extension is just one example of the many ways in which threat actors have been trying to leverage the enormous public interest in ChatGPT to distribute malware and infiltrate systems. One adversary set up a fake ChatGPT landing page, where users tricked into signing up only ended up downloading a Trojan called Fobo. Others have reported a sharp increase in ChatGPT-themed phishing emails in recent months, and the growing use of fake ChatGPT apps to spread Windows and Android malware.
Guardio's analysis showed that the malicious extension actually delivered the quick access to ChatGPT it promised, simply by connecting to the chatbot's API. In addition, however, the extension harvested a complete list of all cookies stored in the user's browser, including security and session tokens for Google, Twitter, and YouTube, and for any other service with an active session.
Where the user had an active, authenticated session on Facebook, the extension accessed Meta's Graph API for developers. That API access let the extension harvest all data associated with the user's Facebook account and, more troublingly, take a variety of actions on the user's behalf.
More ominously, a component in the extension code allowed hijacking of the user's Facebook account by registering a rogue app on the account and getting Facebook to approve it.
"An application under Facebook's ecosystem is usually a SaaS service that was approved to be using its special API," Guardio explained. "Thus, by registering an app in the user's account the threat actor gained full admin mode on the victim's Facebook account without having to harvest passwords or trying to bypass Facebook's two-factor authentication," the security vendor wrote.
If the extension encountered a Facebook Business account, it quickly harvested all information pertaining to that account, including currently active promotions, credit balance, currency, minimum billing threshold, and whether the account might have a credit facility associated with it. "Later, the extension examines all the harvested data, preps it, and sends it back to the C2 server using the following API calls — each according to relevancy and data type," Guardio wrote.
Guardio assessed that the threat actor will probably sell the harvested information to the highest bidder. The company also foresees the attacker building a bot army of hijacked Facebook Business accounts, which could be used to post malicious ads paid for with money from the victims' accounts.
Guardio described the malware as having mechanisms for bypassing Facebook's security measures when handling access requests to its APIs. For instance, before Facebook grants access via its Graph API, it first confirms that the request comes from an authenticated user and from a trusted origin, Guardio said. To circumvent that precaution, the threat actor included code in the extension that modified the headers of every request sent to the Facebook website from a victim's browser, so that the requests appeared to originate from Facebook itself.

"This gives the extension the ability to freely browse any Facebook page (including making API calls and actions) using your infected browser and without any trace," Guardio researchers wrote in their report on the threat.
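The two capabilities the article attributes to the extension, reading every cookie in the browser and rewriting request headers so that calls look like they come from facebook.com, both have to be declared in an extension's manifest.json, which makes them auditable before anyone reads the code. The following Node.js script is an added example written for this page, not code from Guardio's report or from the extension: it scores a manifest for that permission pairing (in both Manifest V2 and V3 layouts) and flags declarativeNetRequest rules that set Origin or Referer on facebook.com requests. The manifests and the rule set are constructed samples; the real extension's manifest is not on the page and is not reproduced here.

```javascript
// Added example, not code from Guardio's report or from the extension itself.
// Audits Chrome extension manifests (and MV3 declarativeNetRequest rule sets)
// for the capability pairing the article describes: reading every cookie in
// the browser plus rewriting request headers toward facebook.com.
// All sample data below is constructed for this example.

const RISKY_PERMISSIONS = {
  cookies: "chrome.cookies.getAll() returns session cookies for every granted host",
  webRequest: "observes requests in flight",
  webRequestBlocking: "modifies request headers before they are sent (MV2)",
  declarativeNetRequest: "rewrites request headers by rule (MV3)",
  declarativeNetRequestWithHostAccess: "rewrites headers on granted hosts (MV3)",
};
const HEADER_REWRITE_PERMISSIONS = [
  "webRequestBlocking", "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
];
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
// Headers a site inspects to decide whether a request came from its own origin.
const ORIGIN_HEADERS = ["origin", "referer"];

function auditManifest(manifest) {
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  // MV2 lists host patterns inside `permissions`; MV3 uses `host_permissions`.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...[...perms].filter((p) => p === "<all_urls>" || p.includes("://")),
  ];
  const broadHosts = hosts.filter((h) => BROAD_HOST_PATTERNS.includes(h));

  const findings = [...perms]
    .filter((p) => Object.hasOwn(RISKY_PERMISSIONS, p))
    .map((p) => `${p}: ${RISKY_PERMISSIONS[p]}`);
  if (broadHosts.length) findings.push(`broad host access: ${broadHosts.join(", ")}`);

  // Cookie theft needs the cookies permission AND host access to the sites;
  // origin spoofing needs one of the header-rewriting permissions.
  const canReadAllCookies = perms.has("cookies") && broadHosts.length > 0;
  const canRewriteHeaders = HEADER_REWRITE_PERMISSIONS.some((p) => perms.has(p));

  let verdict = "low";
  if (canReadAllCookies && canRewriteHeaders) verdict = "high";
  else if (canReadAllCookies || (canRewriteHeaders && broadHosts.length > 0)) verdict = "medium";
  return { name: manifest.name, verdict, findings };
}

// Flags declarativeNetRequest rules that SET Origin/Referer on requests to
// `domain`, i.e. the header rewrite the article describes, rather than rules
// that merely remove or append unrelated headers.
function findOriginSpoofingRules(rules, domain = "facebook.com") {
  return rules.filter((rule) => {
    if (rule.action?.type !== "modifyHeaders") return false;
    const filter = `${rule.condition?.urlFilter || ""} ${rule.condition?.regexFilter || ""}`;
    if (!filter.includes(domain)) return false;
    return (rule.action.requestHeaders || []).some(
      (h) => ORIGIN_HEADERS.includes(String(h.header).toLowerCase()) && h.operation === "set",
    );
  });
}

// Constructed sample: the capability pairing Guardio describes, MV3 layout.
const SAMPLE_SUSPICIOUS_MV3 = {
  name: "constructed: chatbot quick-access lookalike",
  manifest_version: 3,
  permissions: ["cookies", "declarativeNetRequest", "storage"],
  host_permissions: ["<all_urls>"],
};
// Constructed sample: the same capabilities in a Manifest V2 layout.
const SAMPLE_SUSPICIOUS_MV2 = {
  name: "constructed: MV2 variant",
  manifest_version: 2,
  permissions: ["cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
};
// Constructed sample: a harmless extension that only touches the active tab.
const SAMPLE_BENIGN = {
  name: "constructed: reader mode",
  manifest_version: 3,
  permissions: ["activeTab", "storage"],
  host_permissions: [],
};
// Constructed sample rule set: rule 1 makes XHRs to facebook.com carry a
// facebook.com Origin/Referer; rule 2 only strips a cache header elsewhere.
const SAMPLE_RULES = [
  { id: 1, priority: 1,
    action: { type: "modifyHeaders", requestHeaders: [
      { header: "Origin", operation: "set", value: "https://www.facebook.com" },
      { header: "Referer", operation: "set", value: "https://www.facebook.com/" } ] },
    condition: { urlFilter: "||facebook.com", resourceTypes: ["xmlhttprequest"] } },
  { id: 2, priority: 1,
    action: { type: "modifyHeaders", requestHeaders: [{ header: "Cache-Control", operation: "remove" }] },
    condition: { urlFilter: "||example.org", resourceTypes: ["main_frame"] } },
];

function report(manifests, rules) {
  const lines = manifests.map(auditManifest).flatMap((r) =>
    [`${r.verdict.toUpperCase()}  ${r.name}`, ...r.findings.map((f) => `    - ${f}`)]);
  lines.push(`origin-spoofing rule ids: ${findOriginSpoofingRules(rules).map((r) => r.id).join(", ")}`);
  return lines;
}

console.log(report([SAMPLE_SUSPICIOUS_MV3, SAMPLE_SUSPICIOUS_MV2, SAMPLE_BENIGN], SAMPLE_RULES).join("\n"));
```

Point `auditManifest` at manifests pulled from a profile's Extensions directory (and `findOriginSpoofingRules` at the JSON files named in an MV3 manifest's `declarative_net_request.rule_resources`). A "high" verdict is a prompt to read the extension's code, not proof of malice: legitimate cookie managers and ad blockers declare the same permissions, which is exactly why a fake utility can hide among them.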
