What's Happening?
Two Chrome extensions, impersonating a legitimate AITOPIA extension, have been identified as malicious, exfiltrating browser data and user conversations with AI models like ChatGPT and DeepSeek. According to OX Security, these extensions, named 'Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'AI Sidebar with Deepseek, ChatGPT, Claude and more', amassed over 900,000 downloads before being removed from the Chrome Web Store. The extensions exploited the AI-powered web development platform Lovable to host infrastructure components and anonymize their activities. They deceptively requested user consent to collect 'anonymous, non-identifiable analytics data' but instead harvested complete user conversations and browser data, including URLs, search queries, and authentication data. This breach potentially exposed sensitive corporate information, including internal domains, source code, and business strategies.
Why It's Important?
The exposure of sensitive data through these malicious extensions poses significant risks to corporate security and individual privacy. Organizations whose employees used these extensions may have inadvertently leaked intellectual property, customer data, and confidential business information. Such data can be weaponized for corporate espionage, identity theft, and targeted phishing campaigns, or sold on underground forums. This incident underscores the vulnerabilities associated with third-party browser extensions and the need for stringent security measures to protect against unauthorized data access. The widespread use of AI models in business operations amplifies the potential impact of such breaches, highlighting the importance of robust cybersecurity practices.
What's Next?
Users are advised to immediately remove the malicious extensions from their Chrome browsers to mitigate further data exposure. Organizations may need to conduct internal audits to assess the extent of the data breach and implement additional security protocols to prevent future incidents. This situation may prompt browser developers and cybersecurity firms to enhance monitoring and verification processes for extensions, ensuring that only secure and legitimate applications are available to users. Additionally, there may be increased calls for regulatory oversight on data collection practices by browser extensions to protect user privacy and corporate data integrity.
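One way to start the internal audit described above, as an added example that is not from OX Security or the original article: it walks a Chrome profile's `Extensions/<id>/<version>/` folders and flags any manifest whose display name matches the two names reported here, resolving localised `__MSG_...__` names first. The function names, the sample profile and its extension IDs are constructed for illustration; a name match is a triage lead only, since the article lists no extension IDs.

```python
import json
import tempfile
from pathlib import Path

# Display names reported on this page (lower-cased); the page gives no extension IDs.
FLAGGED_NAMES = {
    "chat gpt for chrome with gpt-5, claude sonnet & deepseek ai",
    "ai sidebar with deepseek, chatgpt, claude and more",
}

def display_name(version_dir: Path) -> str:
    """Return the manifest name, resolving a __MSG_key__ placeholder via _locales."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        msgs = json.loads(path.read_text(encoding="utf-8-sig"))
        for key, entry in msgs.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def audit_profile(profile_dir: Path) -> list:
    """Check <profile>/Extensions/<id>/<version>/manifest.json against FLAGGED_NAMES."""
    hits = []
    for manifest in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable or malformed manifest / locale file
        if " ".join(name.lower().split()) in FLAGGED_NAMES:
            hits.append((manifest.parent.parent.name, manifest.parent.name, name))
    return hits

def build_sample_profile(root: Path) -> Path:
    """Constructed sample data: one flagged (localised) name, one benign."""
    bad = root / "Extensions" / ("a" * 32) / "1.0_0"
    ok = root / "Extensions" / ("b" * 32) / "2.3_0"
    (bad / "_locales" / "en").mkdir(parents=True)
    ok.mkdir(parents=True)
    (bad / "manifest.json").write_text('{"name": "__MSG_extName__", "default_locale": "en"}')
    (bad / "_locales/en/messages.json").write_text(
        '{"extname": {"message": "AI Sidebar with Deepseek, ChatGPT, Claude and more"}}')
    (ok / "manifest.json").write_text('{"name": "Example Notes"}')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(build_sample_profile(Path(tmp))))
```

To audit a real machine, pass each Chrome profile directory (for example the `Default` folder under the user's Chrome data directory) to `audit_profile`.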








