
Some ChatGPT browser extensions are stealing your data

By: djohnson
26 January 2026 at 14:32

ChatGPT users beware: your browser extensions could be used to steal your accounts and identity.

LayerX Research has identified at least 16 Chrome browser extensions for ChatGPT floating around the internet that promise to enhance work productivity. All show signs of being built by the same threat actor and designed for the same purpose: to pilfer account credentials.

According to security researcher Natalie Zargarov, as legitimate AI browser extensions have become more widely used, “many of these extensions mimic known brands to gain users’ trust, particularly those designed to enhance interaction with large language models.”

“As these extensions increasingly require deep integration with authenticated web applications, they introduce a materially expanded browser attack surface,” Zargarov wrote.

That’s what the threat actor appears to have done in this case. The malicious extensions do not deploy malware or attack the model directly; instead, they exploit weaknesses in the web-based authentication process used to verify ChatGPT users.

In order to work, many of these tools need access to authenticated AI sessions and high-level execution privileges within the browser itself. That combination of “high privilege, user trust and rapid adoption” makes them attractive targets to compromise for threat actors.

All but one of the extensions compromised their victims in the same way. A script injected into chatgpt.com monitors outbound requests coming from the ChatGPT web application. When a request goes out containing authorization details and the user’s session token data, the malicious extension extracts that information and sends it to a remote server.

With the user’s token in hand, the attackers can use it to authenticate ChatGPT sessions under the victim’s identity and access chat histories, as well as the applications that connect ChatGPT to other sensitive data sources, such as Slack and GitHub.

Beyond token theft, the browser extensions also send metadata, usage telemetry and backend-issued access tokens used by the extension service to a third-party server.
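One defensive check this behaviour suggests is to flag a ChatGPT session token that reappears in a request to a host other than chatgpt.com. The following is an added example, not code from LayerX or the article; the request log, the trusted host list and the hostnames are constructed for illustration.

```python
"""
Detect session-token exfiltration by a browser extension: the same bearer
token that is legitimately sent to chatgpt.com also appears in a request to
an unrelated host. The records below are constructed for this example and
mimic a minimal browser/proxy request log; they are not real traffic.
"""
from urllib.parse import urlparse

# Hosts where a ChatGPT session token is expected to appear (an assumption
# for this example; a real deployment maintains this list explicitly).
TRUSTED_HOSTS = {"chatgpt.com", "chat.openai.com"}

# Constructed request log: (initiator, url, Authorization header or None).
SAMPLE_REQUESTS = [
    ("page", "https://chatgpt.com/backend-api/conversation", "Bearer eyJhbGciOi.tokenA"),
    ("page", "https://chatgpt.com/backend-api/me", "Bearer eyJhbGciOi.tokenA"),
    ("extension", "https://cdn.example-extension.invalid/telemetry", None),
    ("extension", "https://collector.example-c2.invalid/upload", "Bearer eyJhbGciOi.tokenA"),
    ("page", "https://github.com/api", "Bearer ghp_unrelated"),
]


def find_token_leaks(requests, trusted_hosts=TRUSTED_HOSTS):
    """Return (token, host, initiator) for every bearer token that is used on
    a trusted host anywhere in the log and is also sent to a host outside
    that set. Two passes, so ordering of the log does not matter."""
    parsed = []
    for initiator, url, auth in requests:
        if not auth or not auth.lower().startswith("bearer "):
            continue
        token = auth.split(None, 1)[1]
        parsed.append((initiator, urlparse(url).hostname or "", token))
    trusted_tokens = {tok for _, host, tok in parsed if host in trusted_hosts}
    return [(tok, host, who) for who, host, tok in parsed
            if host not in trusted_hosts and tok in trusted_tokens]


def main():
    for token, host, who in find_token_leaks(SAMPLE_REQUESTS):
        print(f"ALERT: chatgpt.com token ...{token[-6:]} sent to {host} by {who}")


if __name__ == "__main__":
    main()
```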

The extensions share similar codebases used across different identities, consistent publisher characteristics across multiple listings and “highly similar icons, branding and descriptions.” In addition to their overlapping advertised functionality for enhancing productivity, they also displayed overlapping behaviors, such as uploading batches of extensions on the same day, updating several extensions at once and sharing backend infrastructure and web domains.

According to Zargarov’s blog, all 16 of the malicious extensions remain available on the Chrome Web Store today. CyberScoop has reached out to Google, which manages the Chrome browser, for comment.

All told, downloads have been low: about 900 total across the 16 browser extensions LayerX identified. Zargarov notes this is “a drop in the bucket” compared to other major browser extension campaigns like GhostPoster, which was downloaded more than 830,000 times, and the Roly Poly VPN extension, which had over 31,000 documented installations.

But Zargarov said that, given the increasing popularity of AI browser extensions and the evidence that other actors are targeting the same weaknesses, time is not on defenders’ side.

“It just takes one iteration for a malicious extension to become popular,” Zargarov wrote. “We believe that GPT optimizers will soon become as popular as (not more than) VPN extensions, which is why we prioritized the publication of this analysis. Our goal is to shut it down BEFORE it hits critical mass.”

The post Some ChatGPT browser extensions are stealing your data appeared first on CyberScoop.

Gainsight CEO downplays impact of attack that spread to Salesforce environments

25 November 2025 at 17:36

An independent forensic investigation is underway to determine the extent of the intrusion into the systems of customer management software vendor Gainsight and whether the breach has spread beyond Salesforce to other third-party applications. Despite this ongoing analysis, the company maintains that the impact on customer data stored within connected services is limited and largely contained.

“While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Gainsight CEO Chuck Ganapathi wrote in a blog post Tuesday. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”

Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. Information is fragmented, in part, because Gainsight and Salesforce are sharing updates independent of each other and respective to their own systems.

Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise.

Salesforce identified three impacted customers in the immediate aftermath of the attack, and has since found more confirmed victims, Gainsight said in an update on its community page. Neither company has provided a specific number of known victims.

“There is a distinction between the number of customers who Salesforce identified as having compromised tokens and the handful of customers we presently know had their data affected,” a company spokesperson told CyberScoop Tuesday.

Google Threat Intelligence Group, which is affiliated with Mandiant under Google Cloud’s security apparatus, said it was aware of more than 200 Salesforce instances potentially affected by the Gainsight breach last week. Google hasn’t provided an updated figure since then.

Inconsistencies are common in supply-chain attacks that flow downstream.

Meanwhile, Mandiant is continuing to sift through logs and analyze token behavior and connector activity to provide Gainsight with a more complete view of what occurred and how far attackers were able to use Gainsight customers’ access tokens to breach additional systems.

Gainsight previously said Hubspot, Zendesk and revenue intelligence platform Gong.io also temporarily revoked Gainsight customers’ access tokens “out of an abundance of caution.” The company hasn’t reported any confirmed impact on other systems and Salesforce maintains that the issue did not involve a vulnerability in the Salesforce platform.

The breach and its root cause are strikingly similar to an expansive downstream attack spree that impacted more than 700 customers who integrated Salesloft Drift into Salesforce two months ago.

While Gainsight and Salesforce are both communicating directly with customers, publicly available threat hunting guidance and information about the attacks exist in multiple places.

Salesforce has shared the most comprehensive IOCs, including dates and observed activities for each malicious IP address. The earliest malicious activity linked to the campaign occurred Oct. 23, according to Salesforce.

The company advised customers to review all available logs for potential compromise and noted that the revocation of Gainsight OAuth tokens does not delete customers’ logs or hinder their ability to investigate the incident.

Gainsight, however, said its logs are of less use. “Based on the nature of the logs we retain, many of our clients have not found them to be material in assessing any risk to their organization,” Brent Krempges, chief customer officer at Gainsight, said on its community page.

“We strongly recommend that you focus your investigation on the Salesforce logs that show authentication attempts and API calls originating from the Gainsight Connected App,” he added. “These Salesforce-side logs are the authoritative source of information for identifying any anomalous access patterns.”

Gainsight also recommended that customers configure IP restrictions for API calls to ensure only legitimate requests are allowed. This security control is manual and requires cooperation from every vendor in the supply chain. Okta said IP restrictions kept its Drift integrations secure and successfully blocked an attempted attack on its Salesforce environment during the widespread incidents in August.
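The two recommendations above, reviewing Salesforce-side authentication and API events from the connected app and restricting API calls to known IP ranges, can be combined into a single review pass. The following is an added example, not code from Gainsight, Salesforce or Okta; the event records use a simplified, constructed schema (not the real Salesforce event log format) and the allowlisted ranges are placeholders.

```python
"""
Review connected-app activity against an IP allowlist. Events outside the
allowlist are the anomalous access patterns worth investigating; with the
allowlist enforced on the Salesforce side they would have been refused.
All records below are constructed for this example.
"""
import ipaddress

# Egress ranges permitted to use the connected app (assumed placeholder
# values; the real list comes from the vendor and the customer's own egress).
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed events: timestamp, connected app name, source IP, event type.
SAMPLE_EVENTS = [
    {"ts": "2025-11-18T09:14:03Z", "app": "Gainsight Connected App", "ip": "203.0.113.17", "type": "Login"},
    {"ts": "2025-11-19T02:41:55Z", "app": "Gainsight Connected App", "ip": "192.0.2.44", "type": "API"},
    {"ts": "2025-11-19T02:42:10Z", "app": "Gainsight Connected App", "ip": "192.0.2.44", "type": "API"},
    {"ts": "2025-11-19T08:00:00Z", "app": "Internal Reporting", "ip": "192.0.2.99", "type": "API"},
    {"ts": "2025-11-20T11:05:30Z", "app": "Gainsight Connected App", "ip": "198.51.100.8", "type": "API"},
]


def is_allowed(ip, allowed=ALLOWED_CIDRS):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def anomalous_connected_app_events(events, app_name, allowed=ALLOWED_CIDRS):
    """Return events from `app_name` whose source IP is outside the allowlist,
    grouped by IP with a count, first/last seen (ISO timestamps sort
    lexicographically) and the set of event types observed."""
    by_ip = {}
    for ev in events:
        if ev["app"] != app_name or is_allowed(ev["ip"], allowed):
            continue
        entry = by_ip.setdefault(
            ev["ip"], {"count": 0, "first": ev["ts"], "last": ev["ts"], "types": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ev["ts"])
        entry["last"] = max(entry["last"], ev["ts"])
        entry["types"].add(ev["type"])
    return by_ip


if __name__ == "__main__":
    for ip, info in anomalous_connected_app_events(SAMPLE_EVENTS, "Gainsight Connected App").items():
        print(f"REVIEW: {ip} {info['count']} event(s) {info['first']}..{info['last']} {sorted(info['types'])}")
```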

Ganapathi, who was named CEO in August, acknowledged that Gainsight is critical to its customers’ daily operations and said the company is personally responsible for ensuring access to its products. The company is helping customers manage their Gainsight Customer Success (CS) instances while its Salesforce connected app is offline, he said.

“The only way we beat these threats is by working together and sharing information and strategies,” Ganapathi said. “That is why I am committing to sharing what we learn from this experience to help everyone in the SaaS community strengthen their defenses and, we hope, avoid going through something similar themselves.”

The post Gainsight CEO downplays impact of attack that spread to Salesforce environments appeared first on CyberScoop.
