from Hacker News

Ask HN: Help with suspected malware extension with 10M users

by matusfaro on 7/15/23, 5:00 AM with 8 comments

In the last two days, my friend had her CC stolen and her Instagram taken over, which she accessed from her Mac. Although a rootkit is possible, her browser had three extensions: uBlock Origin, Google Drive, and "WebChatGPT" [1].

Looking into WebChatGPT:

- It has full access to all sites

- Extension was recently sold by owner [2]

- Latest release [3] doesn't match any new commits in the open-source repo [4].

- The last change in the repo removes the sponsor link for Buy Me a Coffee

- Someone opened an issue on the repo calling out spyware [5]

What is the best course of action here? Where can we report this? I am going to try to download the extension and follow where the data is sent.

[1] https://tools.zmo.ai/webchatgpt

[2] https://www.buymeacoffee.com/anzorq

[3] https://addons.mozilla.org/en-US/firefox/addon/web-chatgpt/versions/

[4] https://github.com/interstellard/chatgpt-advanced

[5] https://github.com/interstellard/chatgpt-advanced/issues/203

  • by dinp on 7/15/23, 5:36 AM

    You can add reviews under the Chrome and Firefox extensions to warn other users and then report both extensions (assuming you are confident about your findings).

    More of a meta comment: this is pretty much why I don't install any extensions in my browser except an ad blocker.

    You can use this as an opportunity to teach your friend about security so it doesn't happen again.

  • by p-e-w on 7/15/23, 6:15 AM

    > What is the best course of action here? Where can we report this?

    There is a huge button "Report this add-on for abuse" on every single extension page on addons.mozilla.org.

  • by matusfaro on 7/15/23, 6:01 AM

    Firefox recently added the capability to remotely disable extensions [1]. Although I was also concerned with the feature when I saw it, I can see how that would be useful in exactly this scenario.

    [1] https://news.ycombinator.com/item?id=36602193

  • by brucethemoose2 on 7/15/23, 5:46 AM

    There really need to be some extension store changes. The stores as they exist are not sustainable. Just spitballing:

    - No binary or closed source releases, Google/Mozilla compile from a public source.

    - More zealous restrictions (which admittedly Google is already heading towards).

    - Big fat warnings when accessing cookies or secure fields like passwords or CC. If this makes password managers look scary, good, they should look scary.

  • by KomoD on 7/16/23, 4:12 PM

    I looked at it a little bit and didn't find anything super obvious about collecting info, but it does look like it injects ads for their own services into Google search results.
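
Added example, not part of any post in this thread and not code from the extension or its repo: one way to check the "full access to all sites" point from the original post, and which pages content scripts are injected into (relevant to the last comment's observation about search results), by auditing an unpacked extension's `manifest.json`. The sample manifest is constructed, and the `audit_manifest` name and the choice of which API permissions to flag are assumptions made for this illustration.

```python
import json

# Match patterns that grant access to every site (WebExtension match-pattern syntax).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a closer look when combined with broad host access
# (an illustrative selection, not an official list).
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "scripting",
                  "tabs", "history", "clipboardRead", "nativeMessaging"}


def audit_manifest(manifest: dict) -> dict:
    """Return broad host grants, sensitive APIs and broadly injected scripts."""
    findings = {"broad_hosts": [], "sensitive_apis": [], "broad_content_scripts": []}
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if entry in BROAD_PATTERNS:
                findings["broad_hosts"].append((key, entry))
            elif entry in SENSITIVE_APIS:
                findings["sensitive_apis"].append((key, entry))
    # Content scripts run inside pages; a broad "matches" means every page.
    for script in manifest.get("content_scripts", []):
        broad = sorted(BROAD_PATTERNS.intersection(script.get("matches", [])))
        if broad:
            findings["broad_content_scripts"].append(
                (tuple(script.get("js", [])), tuple(broad)))
    return findings


# Constructed sample manifest for illustration; not taken from any real extension.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "example-helper",
  "version": "1.0.0",
  "permissions": ["storage", "cookies", "scripting"],
  "host_permissions": ["https://chat.example.com/*", "<all_urls>"],
  "content_scripts": [
    {"matches": ["https://chat.example.com/*"], "js": ["chat.js"]},
    {"matches": ["*://*/*"], "js": ["inject.js"]}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Running the same audit on the manifests of two consecutive releases and comparing the findings shows whether an update widened the extension's reach.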