Help with suspected malware extension with 10M users

Question

In last two days, my friend had her CC stolen and Instagram taken over which she accessed from her Mac. Although a rootkit is possible, her browser had three extensions: ublock origin, Google Drive, and "WebChatGPT" [1].Looking into WebChatGPT:- It has full access to all sites- Extension was recently sold by owner [2]- Latest release [3] doesn't match any new commits in the open-source repo [4].- The last change in the repo removes sponsor link for buy me a coffee- Someone opened an issue on the repo calling out spyware [5]What is the best course of action here? Where can we report this? I am going to try to download the extension and follow where the data is sent.* 1 https://tools.zmo.ai/webchatgpt* 2 https://www.buymeacoffee.com/anzorq* 3 https://addons.mozilla.org/en-US/firefox/addon/web-chatgpt/versions/* 4 https://github.com/interstellard/chatgpt-advanced* 5 https://github.com/interstellard/chatgpt-advanced/issues/203

dinp · Accepted Answer

You can add reviews under the chrome and firefox extensions to warn other users and then report both extensions (assuming you are confident about your findings).
More of a meta comment: this is pretty much why I don't install any extensions in my browser except an ad blocker.
You can use this as an opportunity to teach your friend about security so it doesn't happen again.

p-e-w · Answer

> What is the best course of action here? Where can we report this?There is a huge button "Report this add-on for abuse" on every single extension page on addons.mozilla.org.

matusfaro · Answer

Firefox recently added capability to remotely disable extensions [1]. Although I was also concerned with the feature when I saw it, I can see how that would be useful in exactly this scenario.* - https://news.ycombinator.com/item?id=36602193

brucethemoose2 · Answer

There really need to be some extension store changes. The stores as they exist are not sustainable. Just spitballing:
- No binary or closed source releases, Google/Mozilla compile from a public source.
- More zealous restrictions (which admitedly Google is already heading towards)
- Big fat warnings when accessing cookies or secure fields like passwords or CC. If this makes password managers look scary, good, they should look scary.

KomoD · Answer

I looked at it a little bit and didn't find anything super obvious about collecting info but it does look like it injects ads for their own services into google search results

Help with suspected malware extension with 10M users

> What is the best course of action here? Where can we report this?
There is a huge button "Report this add-on for abuse" on every single extension page on addons.mozilla.org.

Firefox recently added capability to remotely disable extensions [1]. Although I was also concerned with the feature when I saw it, I can see how that would be useful in exactly this scenario.
* - https://news.ycombinator.com/item?id=36602193

I looked at it a little bit and didn't find anything super obvious about collecting info but it does look like it injects ads for their own services into google search results