These ‘Ad Blocker’ extensions silently steal ChatGPT logins and revenue from Amazon affiliates

Cybersecurity researchers have discovered several malicious Google Chrome extensions that hijack Amazon affiliate links, steal data, and collect ChatGPT authentication tokens.

In late January, Socket researcher Kush Pandya discovered that a Chrome Web Store extension called Amazon Ads Blocker (extension ID: pnpchphmplpdimbllknjoiopmfphellj) does block ads, but also hides its primary function: automatically injecting the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replacing existing affiliate codes. Content creators who share Amazon product links with their own affiliate tags lose commission when users with the add-on installed click on those links.

Pandya’s team found that Amazon Ads Blocker is part of a coordinated cluster of 29 browser extensions targeting e-commerce platforms such as AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. The extensions scan all product URLs for affiliate tags without requiring user interaction and replace them with the attacker’s code. If there are no tags, the extensions simply add the attacker’s ID. The extensions also scrape product data and exfiltrate it to app.10xprofit[.]io. This violates Chrome Web Store policies, which require extensions that use affiliate links to accurately disclose their functionality, require user action before each injection, and never replace existing affiliate codes.
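
A site owner or researcher can spot this rewriting by comparing each Amazon link as authored with the same link as it appears in the DOM of a browser profile that has the extension installed. The sketch below is an added example, not code from Socket or from the extensions; it assumes the affiliate ID travels in Amazon's `tag` query parameter, and the function names and sample URLs are constructed.

```javascript
// Assumption: Amazon affiliate IDs are carried in the `tag` query parameter.
const AFFILIATE_PARAM = "tag";

// Matches amazon.com, amazon.de, amazon.co.uk, amazon.com.au and subdomains.
function isAmazonHost(hostname) {
  return /(^|\.)amazon\.(com|[a-z]{2}|com?\.[a-z]{2})$/i.test(hostname);
}

// Returns the tag string, null if an Amazon link has no tag,
// or undefined if the href is not an absolute Amazon URL.
function affiliateTag(href) {
  let url;
  try { url = new URL(href); } catch { return undefined; }
  if (!isAmazonHost(url.hostname)) return undefined;
  return url.searchParams.get(AFFILIATE_PARAM);
}

// authoredHref: link as published; observedHref: same link after extensions ran.
function classifyLink(authoredHref, observedHref) {
  const before = affiliateTag(authoredHref);
  const after = affiliateTag(observedHref);
  if (before === undefined || after === undefined) return "not-amazon";
  if (before === after) return "unchanged";
  if (before === null) return "injected";  // tag added where none existed
  if (after === null) return "stripped";   // tag removed
  return "replaced";                       // creator's tag swapped for another
}

// Returns one finding per link whose affiliate tag changed.
function auditLinks(pairs) {
  const findings = [];
  for (const [authored, observed] of pairs) {
    const verdict = classifyLink(authored, observed);
    if (verdict !== "unchanged" && verdict !== "not-amazon") {
      findings.push({ verdict, authored, observed, tag: affiliateTag(observed) });
    }
  }
  return findings;
}

// Constructed sample pairs: [authored, observed]. "creator-20" is a made-up tag.
const SAMPLE_PAIRS = [
  ["https://www.amazon.com/dp/B000EXAMPLE?tag=creator-20",
   "https://www.amazon.com/dp/B000EXAMPLE?tag=10xprofit-20"],
  ["https://www.amazon.com/dp/B000EXAMPLE",
   "https://www.amazon.com/dp/B000EXAMPLE?tag=10xprofit-20"],
  ["https://www.amazon.co.uk/dp/B000EXAMPLE?tag=creator-21",
   "https://www.amazon.co.uk/dp/B000EXAMPLE?tag=creator-21"],
  ["https://example.com/?tag=a", "https://example.com/?tag=b"],
];
```

Grouping the findings by `tag` shows whether a single ID, such as the `10xprofit-20` tag named above, accounts for every rewritten link.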

Researchers from the AI and web security company LayerX separately identified 16 malicious extensions (15 in Chrome, one in Edge) that intercept ChatGPT session authentication tokens by injecting content scripts into ChatGPT.com. When you log into ChatGPT in your browser, your session remains active using a hidden token. These extensions inject their own code into ChatGPT so they can observe the traffic going in and out. This token allows an attacker to access your ChatGPT account, view your chats, and use your profile without your password or two-factor authentication.

Meanwhile, Broadcom-owned Symantec flagged four extensions with more than 100,000 combined users that steal data, including Good Tab, Children Protection, DPS Websafe and Stock Informer.
