A recent report from cybersecurity firm Guardio has revealed that a malicious Chrome extension called “Quick access to Chat GPT” has been stealing Facebook accounts and propagating itself in a “worm-like manner”. The extension has been harvesting all cookies stored on users’ browsers, including security and session tokens for services such as YouTube, Google accounts, and Twitter.

The extension’s advertised feature was its ability to provide users with a quick way to use the popular ChatGPT bot directly from their browser. The developers even linked users with a legitimate ChatGPT application programming interface (API). However, researchers found that the extension was also gathering all the information it could from users’ browsers and using tailored tactics to take over their Facebook accounts.

Attack operators have paid special attention to users with high-profile Facebook business accounts, taking over those accounts to allow their self-replicating bot army to promote itself with ads paid for using the victim’s business account funds.

The attack is sophisticated, with the extension appearing to provide users with what it advertises. A popup window appears in the browser, allowing users to prompt ChatGPT as promised. However, once installed, the extension becomes an integral part of the user’s browser and can send requests to any other service as if the browser owner was initiating them.

Using this technique, attackers can access Meta’s Graph API, allowing them to view user details and act on the victim’s behalf on their Facebook account via API calls. Attackers have even found a way to bypass Facebook’s protective measures by renaming the requests to the server.

If the attackers wanted to keep a Facebook account for themselves, they would instruct the extension to develop a malicious application for the platform, granting them full admin mode. The attackers could then have full control over the victim’s Facebook profile and activity, as well as admin powers on all their groups, pages, businesses, and advertisement accounts. They could even manage the victim’s connected WhatsApp and Instagram accounts.

“Quick access to Chat GPT” was first introduced into the Chrome store on March 3 and has been installed over 2,000 times. Following Guardio’s report, Google has removed the malicious extension from Chrome’s store. It is a reminder that users should be cautious when installing browser extensions and only download them from reputable sources to protect their online security and privacy.