Malicious Chrome extensions masquerade as ChatGPT to steal data: An avoidable supply chain attack

Malicious Chrome extensions masquerade as ChatGPT to steal data: An avoidable supply chain attack

"ChatGPT for Google Sheets" showed up on the Chrome Web Store and most people thought: finally, AI in spreadsheets. Thousands of installs, a 4.2-star rating, a polished developer page — everything looked right. So when security researchers raised the alarm, many users were still asking: really? Is this actually malicious?

It is. According to the PromptArmor security team, this extension quietly steals spreadsheet data — workbook content, formulas, potentially sensitive business information. It doesn't actually integrate ChatGPT. Instead, it contains a data-exfiltration mechanism that sends whatever Google Sheets content you open straight to an attacker-controlled server.

This isn't an isolated case. Chrome extension security problems are old news, yet every time something like it happens, thousands of users get caught. Why? And what should we actually take away from this?


1. Event/Technical Background

In 2024, security researchers discovered an extension called "ChatGPT for Google Sheets" in the Chrome Web Store, labeled " productivity tool", claiming to add AI capabilities to Google Sheets. As of the time it was discovered, the extension had been installed more than 10,000 times, and the score remained above 4 points.

This is not a complex APT attack, but a typical combination of social engineering + supply chain attack. The attacker's strategy is simple: take advantage of users 'pursuit of AI tools, release an extension that looks completely reasonable and meets real needs, and then secretly do bad things in the background.

After analyzing the code of the extension, the PromptArmor team found that its core function did not provide ChatGPT integration at all, but embedded a piece of data-passing code. When a user opens any Google Sheets in a browser, the extension automatically reads the workbook contents and sends the data to an external server with an encrypted request. The code logic even considers circumvention detection-data transmission occurs silently in the background, and the user interface does not contain any abnormal prompts at all.

It is worth noting that the attacker also equipped the extension with a complete "cover": a serious Chrome Store page, a professional-looking privacy policy, and even a fake support email. These details allow ordinary users to have little doubt when installing.


2. Analysis of core technology principles

Here's how the malicious extension works, based on the security researchers' analysis.

  1. Camouflage stage: The expansion uses "AI-enabled Google Sheets" as a selling point, taking advantage of the current AI craze to reduce user vigilance. Positive words such as "intelligent","efficient" and "automated" are used extensively in the functional description, and no risk warnings are mentioned at all.

  2. Installation trigger: After a user installs an extension from the Chrome Web Store, the extension requests permission to "read data from all websites you visit"-this permission request itself is worthy of vigilance, but many users will directly click "OK."

  3. Data collection: When users visit sheets.google.com, the extension's built-in content script is automatically activated. It scans and extracts the contents of the currently open spreadsheet, including cell data, table names, worksheet structure, and even formulas and comments that may contain.

  4. Outreach mechanism: The collected data is compressed and encrypted, and sent to the server controlled by the attacker via an HTTPS request. Requests masquerade as normal API calls and are difficult to identify by corporate firewalls or simple monitoring.

  5. Persistence: The extension performs data collection every time a user opens Google Sheets, resulting in a continuous data leak.

Analysis of key technical points:

  • Content script-based injection: This extension uses Chrome's Content Script mechanism to automatically execute code when users access specific domain names, eliminating the need for manual user action. This architecture allows attacks to proceed completely silently.

  • Permission abuse: The "Read all website data" permission of extended requests far exceeds what is required for their functions. This should have been an obvious red flag, but most users will not carefully review permission requests.

  • Code obfuscation: The core logic of data dissemination has been obfuscated, making security analysis more difficult. Variable names are replaced with meaningless strings, and control flow is refactored, making static analysis difficult.

  • Target domain name detection: The code includes detection of specific URL patterns, and data collection is triggered only when users access Google Sheets, reducing the possibility of detection.


3. Why is this important?

You may say: Isn't it just stealing some table data? It's not a nuclear bomb code.

But let me tell you why this deserves to be taken seriously.

Spreadsheets often hold the most sensitive data a company has — financials, customer lists, salaries, project budgets, strategic plans. A company's Google Sheets can piece together a nearly complete picture of its operations. Mix in customer data, pricing strategies, and financial forecasts, and the value of what's being stolen is far higher than most people assume.

Chrome's extension trust model has been systematically exploited. We install extensions assuming the Chrome Web Store has basic review mechanisms in place. But the store's review capabilities lag far behind the speed at which malicious actors operate. A well-packaged malicious extension can go undetected for weeks or months, quietly collecting user data the entire time.

This is also a targeted attack on trust in AI tools. The AI boom means users have little resistance to "AI + productivity" combinations. Attackers are deliberately exploiting this by wrapping malicious code in the hottest AI branding. That's not coincidence — it's a calculated strategy.

And small businesses are the biggest victims. Large companies have security teams, device management policies, and employee training. But a small team sharing a Google Workspace account, managing everything through online documents, and installing tools casually? A malicious extension in that environment is a disaster.


4. Industry impact and data support

a look at the industry data behind this incident.

Chrome Extension Security Status:

According to a study released in 2020 by Independent Security Evaluators (Source: ISE Report: Security Analysis of Chrome Extensions), about 10% of the 283 randomly sampled Chrome extensions they analyzed had security vulnerabilities or suspicious behavior. Although not all suspicious behavior is malicious, this ratio is sufficient.

Google Transparency Report shows (Source: Google Transparency Report - Chrome Web Store) that Google removed approximately 2 million offending extensions from the Chrome Web Store in 2022. But at the same time, the total number of extensions to the Chrome Web Store is also growing, and the absolute number of malicious extensions may not have dropped significantly.

Perceptions of scale of data breaches:

According to Verizon's 2023 Data Breach Investigation Report (DBIR, source: Verizon DBIR 2023), phishing and social engineering attacks remain the most important attack vectors, accounting for approximately 36% of all data breaches. Among them, attacks through malware or malicious tools accounted for approximately 17%.

Symantec's Threat Intelligence Report (source: Symantec Internet Security Threat Report) points out that browser extensions have become an important entry point for attackers because users are often not vigilant about extended rights requests.

New risks brought by the AI tool boom:

According to Statista data (source: Statista - AI Software Market), the global AI software market will be approximately US$240 billion in 2023 and is expected to exceed US$300 billion in 2024. Under the temptation of the huge market, there is not only fierce competition from regular manufacturers, but also the covetousness of attackers. Any product that can hit AI hotspots will be more likely to gain user trust-this is a hotbed for the proliferation of malicious extensions.


5. Actual implementation cases

Case 1: A technology startup's data leak nightmare

In early 2024, a Shenzhen-based AI application startup (alias "Star Technology") suffered a data breach. The co-founders recall that the team used Google Sheets in several collaboration scenarios to improve efficiency: customer requirements documents were managed in tables, financing progress was tracked in tables, and even some technical architecture selection discussions were held in tables.

"We have a form that records the contact information and follow-up status of all potential customers. There are about 300 items. "The founder said," It was later discovered that the data appeared on competitors 'marketing lists. "

Post investigation found that a product manager on the team installed the "ChatGPT for Google Sheets" extension three months ago because he saw a recommendation from his peers and felt that "it should improve efficiency." He didn't even realize that he had installed an extension with abnormal permissions.

The immediate consequence of this leak was that two Series A investment opportunities under negotiation fell through because investors were worried that their customer data was no longer "clean" enough. What's more, it took the company two months to re-establish customer trust, losing about 15% of its active customers during this period.

Case 2: Independent developers are implanted into backdoors

Another case comes from a freelance developer (pseudonym "Forest Worker"). He specializes in outsourcing projects and uses Google Sheets to manage his project progress, quote templates and customer information.

"I have a form called 'Project Ammunition Depot', which stores the quotation ranges, working hours statistics, and common demand templates for all my historical projects. "The forester said," This is the guy I eat from. "

About two weeks after installing the malicious extension, the forester found that his quotation template seemed to have been "referenced"-almost identical quotation structures and speaking skills appeared in his competitors 'proposals. What's even more ironic is that he later discovered that the proposal quoted by the other party was 20% lower than his, directly stealing the two projects he was following up on.

"I still don't know which link went wrong. "The forester said," But now all my sensitive documents are password protected, and I don't dare to run naked anymore. "

What these two cases have in common is that the victims were not people with weak safety awareness, but both lowered their vigilance at some point because of the temptation of "efficiency" and "convenience." This is the scary thing about malicious expansion-it does not rely on breaking through your defenses, but by getting you to take the initiative to open the door.


6. Comparison with competing products/alternatives

Faced with the need to "add AI functions to Google Sheets," there are actually a variety of legal solutions to choose from on the market. Here is a comparison of several mainstream options:

programme core advantages main disadvantage price applicable scenarios
Official ChatGPT for Sheets plug-in (OpenAI official) Officially produced by OpenAI, data security is guaranteed, and GPT-4 is supported Requires an OpenAI API key and has a call cost API Pay-Per-Volume Enterprise AI integration with security compliance requirements
Microsoft Copilot in Sheets Deep integration with Google Sheets to support natural language queries The functions are relatively basic and the AI capabilities are limited Included in Microsoft 365 subscriptions Enterprises that have used the Microsoft 365 ecosystem
SheetGo Automate workflow to support cross-table data integration Non-AI tools cannot provide intelligent analysis Free version has limitations, professional version starts at $9/month Users who need form automation but do not need AI
Zapier + AI integration Rich ecology and can connect hundreds of applications Complex set-up and requires maintenance of workflow Free version has limitations, starting from professional version at $19.99/month Teams that need cross-platform automation
Rows + AI Emerging spreadsheets with built-in AI capabilities Migration costs are high and functions are still being improved Free version is available, Professional version is available for $12/month Users who like early adopters and need native AI integration

Proposal selection:

If you really need to use AI functions in Google Sheets, your first choice should be the official "ChatGPT for Google Sheets" plug-in launched by OpenAI, or wait for Google's official Bard integration. Although these solutions may not have as fancy functions as third-party extensions, at least after security review, data will not inexplicably run to other people's servers.

For enterprise users, it is recommended to centrally manage extended installation rights through the Google Workspace Administrator Console, rather than allowing employees to install unapproved tools from the Chrome Web Store.

For individual users, my advice is: Any productivity tool that requires "read all website data" permission should ask itself one question first-is this permission really necessary?


7. Technical challenges and limitations

To be honest, the security issues of Chrome extensions are difficult to fundamentally solve. This is not a question of technical capabilities, but a question of design philosophy for the entire ecology.

Limitations of the sandbox mechanism: Although Chrome's content scripts run in an isolated sandbox environment, its ability to interact with the web DOM is itself a double-edged sword. A legitimate extension requires reading page content to enhance functionality, and the same ability can also be abused to steal data. Security boundaries are blurred here.

The user-friendliness dilemma of the permissions model: Chrome's permissions system attempts to strike a balance between security and ease of use, but the result is often that neither side is pleasing. The permission expression "read all website data" is too vague and most users cannot understand its actual meaning. Google tried to tighten permissions review in 2019, requiring extensions to explain why each permission is needed, but the effect is limited-attackers can always find reasonable feature descriptions to wrap malicious behavior.

Technical bottleneck in automated auditing: Faced with tens of thousands of extensions, Google's automated auditing system has difficulty detecting carefully crafted malicious code. An extension can be fully compliant when submitted for review and activate malicious features only after it is launched-this "Trojan"-style strategy makes an audit mechanism based on code analysis useless.

Systematic lack of user security awareness: In the final analysis, the security of Chrome's extended ecosystem ultimately depends on each user's judgment. But the reality is that most users have neither a technical background nor security awareness, let alone the time to carefully review the permission requests and behavioral logic of each extension. This is not the user's fault, it is a problem with the entire system design.


8. Who should pay attention to this matter

Enterprise IT Administrator:

If you are in charge of your company's IT and security strategy, this is a wake-up call. You need to immediately review Chrome extensions that employees have installed, especially those with "Read all website data" permissions. At the same time, it is recommended to set up an extension whitelisting mechanism through the Google Workspace Administrator Console to allow only approved extension installations.

Developer Group:

As a developer, you may feel that you will not be deceived by this low-level attack. But don't forget that the npm package, pip package, and even IDE extensions in the development environment that your project relies on can become attack vectors. Being vigilant is not only about protecting yourself, but also about protecting your users.

Product Manager:

If you are making an "AI+ productivity" product, this reminds you that user trust is fragile. Any security incident will severely damage the development of the entire category. Security should be a core attribute of the product, not an after-the-fact patch.

Ordinary users:

You may not be the direct target of any security incident, but your data may be more valuable than you think. A seemingly innocuous form may contain trade secrets about your company, personal information about your customers, or personal financial data about you. Take an extra 30 seconds to see what permissions the extension requires before clicking "Install"-those 30 seconds could be worth millions.

Security researchers:

Incidents like this once again demonstrate the importance of threat intelligence sharing and security community collaboration. If you find a similar suspicious extension, I hope you can disclose it responsibly like Prompt Armor, rather than exploit it privately.


9. Prediction of future trends

AI tools will remain a hotspot for attacks. The AI hype isn't fading. More "AI for X" tools will appear, and attackers will keep riding that wave. In the short term, these attacks will only increase.

Extension security reviews will tighten — but not fundamentally change. Google faces a dilemma: over-tightening kills legitimate extensions and ecosystem vitality; under-tightening lets malicious ones through. Expect more security investment, but a real solution requires a new industry-wide trust model.

Enterprise extension management tools will grow. As companies depend more on SaaS and browser tools, dedicated extension security and monitoring will gain market share. Vendors like SentinelOne and CrowdStrike may launch browser extension protection products.

Open source and community verification will become trust signals. When official reviews fail, users turn to the community. Is the extension open source? Actively maintained? Audited by security researchers? These signals matter more every day.

Zero-trust thinking will reach individual users. Enterprise zero-trust is mature; personal zero-trust is still early. But as data breach awareness accumulates, regular users will slowly adopt more cautious habits.


X. Recommendations for action

Two things to do right now:

Review your Chrome extensions. Open chrome://extensions/ and remove anything you can't remember installing, especially extensions requesting "Read all website data" permission. If you're not sure whether an extension is safe, disable it and only enable it when you actually need it.

Use official channels for AI + Sheets. OpenAI's official ChatGPT for Sheets add-on, Microsoft Copilot, or Google's own Bard integration — all have at least basic security reviews. Transparent, paid tools from known sources are safer than free ones from unknown developers.

Security isn't free, but a data breach always costs more than you expect.