Fake GPT Chrome extension steals Facebook session cookies, breaks into accounts

The world has gone ChatGPT bonkers.

Just about everyone is talking about it, and if you’re not talking about it then that’s because you’re too busy getting ChatGPT to complete your homework, or compose the perfect email to your boss explaining why you deserve a payrise.

There’s a danger though. All this hubbub about the extraordinary AI chatbot is inevitably going to pique the interest of those who haven’t yet had a chance to try it out. And those folks may want an easy-peasy way to dip their toe into the dystopian artificial intelligence hellhole that appears to be right around the corner.

So, if you don’t know how to access ChatGPT, what do you do?

Well, you might use your trusty search engine to find out how to access ChatGPT.

And that’s the first risk. Because cybercriminals have poisoned Google search results with malicious webpages and sponsored ads that point to fake browser extensions that claim to give you instant, user-friendly access to ChatGPT but are actually a cover for doing something much more malicious instead.

As security researchers at Guardio Labs describe, scammers managed to plant a scam browser extension into the official Chrome store that claimed to be for “Chat GPT 4.”

[Image: Chat gpt for google extension]

And the malicious extension steals your computer’s Facebook-related cookies and silently squirrels them away to the hacker, who can then seize control of your business’s Facebook page.

Once they’ve gained access to your company’s Facebook account, passwords can be changed (locking out the genuine owner), and the official Facebook page of your business hijacked to spread disinformation, scams, spam… effectively whatever the hacker wants.

Google says it has now removed the extension from its Chrome Web Store, as well as the malicious ads in its search results. However, it wouldn’t be a surprise if similar attempts were made to exploit the interest in ChatGPT sooner rather than later.

Don’t forget – browser extensions and add-ons have an enormous amount of power. If you install a rogue extension, everything you do in your browser could be compromised.
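
A defender's check for the kind of access described above, as an added example that is not from the original article or from Guardio Labs: it reads extension manifests and flags any that request the `cookies` API together with host access covering Facebook. The function names and sample manifests are constructed for illustration, and the article does not say which permissions the removed extension declared.

```python
import json
from pathlib import Path

def host_matches(pattern: str, domain: str) -> bool:
    """True if the host part of a Chrome match pattern covers `domain`."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API name such as "cookies", not a host pattern
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]
        return domain == base or domain.endswith("." + base)
    return host == domain

def cookie_reach(manifest: dict, domain: str) -> bool:
    """True if the manifest asks for the cookies API plus host access to `domain`."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V3 lists hosts under host_permissions; V2 mixes them into permissions.
    hosts = perms + manifest.get("host_permissions", [])
    return "cookies" in perms and any(host_matches(p, domain) for p in hosts)

def audit(ext_root, domain: str = "www.facebook.com") -> list:
    """Names of unpacked extensions under ext_root whose manifest reaches `domain` cookies."""
    flagged = []
    for mf in sorted(Path(ext_root).rglob("manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8"))
        except ValueError:
            continue  # unparsable manifest (e.g. contains comments): review by hand
        if cookie_reach(manifest, domain):
            flagged.append(manifest.get("name", mf.parent.name))
    return flagged

# Constructed sample manifests (hypothetical extensions, not taken from the article).
SAMPLES = {
    "broad-v3": {"manifest_version": 3, "name": "Broad V3",
                 "permissions": ["cookies", "storage"],
                 "host_permissions": ["https://*.facebook.com/*"]},
    "broad-v2": {"manifest_version": 2, "name": "Broad V2",
                 "permissions": ["cookies", "<all_urls>"]},
    "narrow": {"manifest_version": 3, "name": "Narrow", "permissions": ["cookies"],
               "host_permissions": ["https://example.com/*"]},
    "no-api": {"manifest_version": 3, "name": "No cookies API",
               "permissions": ["storage"], "host_permissions": ["<all_urls>"]},
}

if __name__ == "__main__":
    for key, manifest in SAMPLES.items():
        print(key, cookie_reach(manifest, "www.facebook.com"))
```

An extension that passes this check can still reach page content through content scripts, so a clean result narrows the review rather than ending it.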


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

One comment on “Fake GPT Chrome extension steals Facebook session cookies, breaks into accounts”

  1. Marc

    Can't disagree with the malicious extensions and taking advantage of the momentum and hype but.. "As security researchers at Guardio Labs describe, scammers managed to plant a scam browser extension into the official Chrome store that claimed to be for “Chat GPT 4.”"

    I think somebody just searched for "Chat GPT4 Google" and grabbed a screenshot. This extension is still there, with many reviews and seems legit. That extension is not the one specifically mentioned.
