ESET Detects API Key Theft via ChatGPT
Malicious domains referencing ChatGPT and aiming to pilfer legitimate OpenAI Application Programming Interface (API) keys were identified in 2H23, an ESET report revealed.
ESET's telemetry recorded over 650,000 attempts to access these deceptive domains. These domains, posing as ChatGPT, aimed to impersonate the authentic site openai.com, taking advantage of web searches related to this innovative technology. The identified threats extended to the insecure handling of OpenAI API keys in web applications and the development of malicious Google Chrome extensions specifically designed for ChatGPT.
"It [i]s not the first time that the popularity of this chatbot has been exploited by cybercriminals to attract OpenAI users: fake ChatGPT sites, malicious browser extensions, and applications distributing trojans for the theft of banking information," said Camilo Gutiérrez, Head, ESET Latin America's Research Laboratory.
API keys serve as unique identifiers, authenticating and authorizing users or developers while controlling access and limiting data retrieval. Although some API services are free, OpenAI bills each end user's generated token before being able to incorporate it into a project. In light of ESET's findings, Gutiérrez cautioned developers implementing a 'bring your own key' mode, urging the careful handling of OpenAI API keys due to the risk of leakage or misuse.
For instance, the ChatGPT website at chat.apple000[.]top prompts users to provide their OpenAI API keys, subsequently forwarding them to its server. This application, linked to open-source code on GitHub, has proliferated across over 7,000 servers, risking the potential exposure of keys.
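The key-forwarding behaviour described above can be checked for in captured web traffic. The following is an added example, not code from ESET or from the application mentioned; the key pattern, the allow-list, the request layout and the sample hosts are assumptions made for illustration. It flags any request that carries an OpenAI-style key to a host other than the OpenAI API.

```python
import re
from urllib.parse import urlsplit

# Assumption: OpenAI secret keys start with "sk-" followed by a long token;
# the exact format varies, so the pattern is deliberately loose.
KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")
# Assumption: the only host that should ever receive the key (exact match).
ALLOWED_HOSTS = {"api.openai.com"}

def find_key_leaks(requests):
    """Return (host, location, redacted_key) for each key sent to a non-allowed host."""
    leaks = []
    for req in requests:
        host = (urlsplit(req["url"]).hostname or "").lower()
        if host in ALLOWED_HOSTS:
            continue
        # Search the URL, the body and every header value.
        fields = {"url": req["url"], "body": req.get("body", "")}
        for name, value in req.get("headers", {}).items():
            fields["header:" + name.lower()] = value
        for location, text in fields.items():
            for match in KEY_RE.finditer(text):
                key = match.group(0)
                # Redact so the finding itself does not leak the key.
                leaks.append((host, location, key[:6] + "..." + key[-4:]))
    return leaks

# Constructed sample traffic: fake key, placeholder hosts.
FAKE_KEY = "sk-" + "A1b2C3d4" * 5
SAMPLE = [
    {"url": "https://api.openai.com/v1/chat/completions",
     "headers": {"Authorization": "Bearer " + FAKE_KEY}, "body": "{}"},
    {"url": "https://byok-chat.example/api/chat",
     "headers": {"Content-Type": "application/json"},
     "body": '{"apiKey": "' + FAKE_KEY + '", "prompt": "hi"}'},
    {"url": "https://byok-chat.example/static/app.js", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for leak in find_key_leaks(SAMPLE):
        print(leak)
```

The host comparison is an exact match, so a lookalike such as a hostname that merely begins with the allowed name is still reported.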
In addition to these web applications, nearly all malicious domain name blocks inspired by ChatGPT observed in ESET's telemetry were associated with Chrome extensions detected as JS/Chromex.Agent.BZ. For instance, the domain gptforchrome[.]com leads to the malicious "ChatGPT for Search - Support GPT-4" extension on the Chrome Web Store, which ESET Research specialists reported to Google.
ESET recommends avoiding key sharing, using password managers, creating robust keys with strong encryption, changing keys periodically, thoroughly removing malicious browser extensions, following cautious installation practices, and using reliable, multi-layered security solutions capable of detecting fake sites and potentially malicious extensions.









