Ask HN: Help with suspected malware extension with 10M users

14 points by matusfaro ↗ HN
In last two days, my friend had her CC stolen and Instagram taken over which she accessed from her Mac. Although a rootkit is possible, her browser had three extensions: ublock origin, Google Drive, and "WebChatGPT" [1].

Looking into WebChatGPT:

- It has full access to all sites

- Extension was recently sold by owner [2]

- Latest release [3] doesn't match any new commits in the open-source repo [4].

- The last change in the repo removes sponsor link for buy me a coffee

- Someone opened an issue on the repo calling out spyware [5]

What is the best course of action here? Where can we report this? I am going to try to download the extension and follow where the data is sent.

* 1 https://tools.zmo.ai/webchatgpt

* 2 https://www.buymeacoffee.com/anzorq

* 3 https://addons.mozilla.org/en-US/firefox/addon/web-chatgpt/versions/

* 4 https://github.com/interstellard/chatgpt-advanced

* 5 https://github.com/interstellard/chatgpt-advanced/issues/203

9 comments

[ 2.7 ms ] story [ 30.4 ms ] thread
You can add reviews under the chrome and firefox extensions to warn other users and then report both extensions (assuming you are confident about your findings).

More of a meta comment: this is pretty much why I don't install any extensions in my browser except an ad blocker.

You can use this as an opportunity to teach your friend about security so it doesn't happen again.

I'm still trying to setup a vm so I can analyze this extension in a quarantine.
There really need to be some extension store changes. The stores as they exist are not sustainable. Just spitballing:

- No binary or closed source releases, Google/Mozilla compile from a public source.

- More zealous restrictions (which admitedly Google is already heading towards)

- Big fat warnings when accessing cookies or secure fields like passwords or CC. If this makes password managers look scary, good, they should look scary.

> No binary or closed source releases

I suspect it wouldn't be that much trouble to include obfuscated spyware into the sources though. It may make it easier to catch, but it wouldn't prevent mass users from upgrading before it's stopped.

True.

But it would still be a minor deterrent, it would disrupt the common mechanism (buy a popular app, close source it) these acquirers operate with, and it would leave some proof of malice behind.

(comment deleted)
> What is the best course of action here? Where can we report this?

There is a huge button "Report this add-on for abuse" on every single extension page on addons.mozilla.org.

I looked at it a little bit and didn't find anything super obvious about collecting info but it does look like it injects ads for their own services into google search results