Cybersecurity researchers have identified a series of malicious Google Chrome browser extensions that secretly hijack online shopping affiliate links, steal user data, and collect authentication tokens for OpenAI’s ChatGPT service. The discovery highlights the persistent threat posed by seemingly legitimate software add-ons available in official web stores.
Extension Poses as Ad Blocker
One of the primary extensions under scrutiny is named “Amazon Ads Blocker,” with the internal ID pnpchphmplpdimbllknjoiopmfphellj. It was presented to users as a utility designed to remove sponsored content and advertisements from the Amazon shopping website. Researchers found that after installation, the extension engaged in activities that were not disclosed to users.
The extension operated by intercepting a user’s web traffic. When a user clicked on a product link on Amazon or other e-commerce sites, the malicious code would silently replace the original affiliate tag within the link with one belonging to the attackers. This practice, known as affiliate link hijacking, diverts commission revenue from legitimate content creators and marketers to the operators of the malicious software.
Broader Data Theft Capabilities
Beyond manipulating referral links, the extensions were equipped with broader data theft functionalities. They had the capability to harvest browsing history, collect personal data entered into forms, and monitor general online activity. This collected information could be used for further targeted attacks or sold on underground cybercrime forums.
A particularly concerning capability involved the theft of authentication tokens for OpenAI’s ChatGPT. By extracting these tokens from the browser’s session data, attackers could potentially gain unauthorized access to a user’s ChatGPT account without needing a password. This could lead to the exposure of private conversations, stored prompts, and other sensitive information shared with the AI service.
Distribution Through Official Channels
The malicious extensions were distributed through the official Chrome Web Store, Google’s curated marketplace for browser add-ons. This distribution method lends an air of legitimacy, making it more likely for users to trust and install the software. The incident raises questions about the effectiveness of automated review processes in detecting sophisticated malicious behavior before public listing.
Security analysts note that such extensions often use generic, desirable functions like ad-blocking or coupon-finding to attract a large user base quickly. Once installed by a significant number of users, the malicious payload is activated or updated remotely to begin its operations.
Recommendations for Users
Cybersecurity experts advise users to exercise caution when installing any browser extension. Recommendations include only installing extensions from well-known, verified developers, carefully reviewing the permissions an extension requests, and regularly auditing installed extensions to remove those that are unused or unfamiliar. Users who suspect they may have installed a malicious extension should run a security scan with reputable antivirus software and change passwords for any sensitive accounts accessed through the browser.
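As an added illustration of the "audit your installed extensions" advice (this script is not from the researchers, Google, or any of the reports cited), the Python below walks a Chrome profile's Extensions directory, reads each manifest.json, flags the extension ID named above, and lists permissions that let an add-on observe or rewrite traffic and sessions on every site. The default profile path and the risky-permission list are assumptions; legitimate extensions request some of these permissions too, so a hit is a lead to review, not proof of malice.

```python
import json
from pathlib import Path

# Extension ID named in the report; the rest of this script is an added audit heuristic.
KNOWN_BAD_IDS = {"pnpchphmplpdimbllknjoiopmfphellj"}

# Assumed heuristic: permissions and host patterns that allow an extension to read or
# rewrite requests (affiliate-tag swapping), cookies/session data, or browsing history.
RISKY = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
         "history", "tabs", "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def manifest_permissions(manifest):
    """Union of permissions, host_permissions (MV3) and content-script match patterns."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms


def audit_manifests(manifests):
    """manifests: {extension_id: manifest_dict}. Returns one finding per extension, riskiest first."""
    findings = []
    for ext_id, manifest in manifests.items():
        risky = sorted(manifest_permissions(manifest) & RISKY)
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),  # may be a __MSG_..__ key for localized names
            "known_bad": ext_id in KNOWN_BAD_IDS,
            "risky_permissions": risky,
            "score": (100 if ext_id in KNOWN_BAD_IDS else 0) + len(risky),
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def audit_profile(extensions_dir):
    """Read <profile>/Extensions/<id>/<version>/manifest.json for every installed extension."""
    manifests = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name  # directory name is the 32-char extension ID
        manifests[ext_id] = json.loads(manifest_path.read_text(encoding="utf-8"))
    return audit_manifests(manifests)


if __name__ == "__main__":
    import sys
    # Default path is an assumption for Chrome on Linux; pass your profile's Extensions dir as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".config/google-chrome/Default/Extensions"
    for f in audit_profile(path):
        flag = "KNOWN MALICIOUS" if f["known_bad"] else ("review" if f["risky_permissions"] else "ok")
        print(f"{f['id']}  {f['name']!r:32}  {flag}  {f['risky_permissions']}")
```

On Windows the Extensions directory sits under %LOCALAPPDATA%\Google\Chrome\User Data\Default, and on macOS under ~/Library/Application Support/Google/Chrome/Default; pass that path as the first argument.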
Google has been notified of the malicious extensions identified by researchers. The company typically removes such software from the Chrome Web Store and disables it on users’ browsers through automatic security updates. Users affected by this action will see the extension deactivated and receive a notification from Chrome.
Ongoing Investigation and Response
The full scope of the campaign and the total number of affected users remain under investigation. Researchers are analyzing the infrastructure used by the attackers to receive hijacked affiliate revenue and stolen data. Law enforcement agencies may be notified depending on the scale of the fraud and data theft uncovered.
Moving forward, security firms anticipate continued vigilance will be required as malicious actors refine their techniques to evade storefront detection. Browser developers are expected to enhance their security screening protocols, potentially incorporating more advanced behavioral analysis to identify extensions that abuse their stated permissions. Users worldwide are advised to treat browser extensions with the same level of scrutiny as any other software installed on their devices.
Source: Various cybersecurity research reports