Affiliate Hijackers and AI Token Thieves: The Dark Side of Chrome Extensions Exposed
Subtitle: A sweeping investigation reveals how browser add-ons are quietly hijacking profits and stealing sensitive AI credentials.
It starts with a promise: a smooth, ad-free shopping experience or new powers for your favorite AI chatbot. But behind the glossy Chrome Web Store listings, a shadowy network of browser extensions is siphoning off affiliate revenue, scraping personal data, and even stealing access to ChatGPT accounts - often without users’ knowledge or consent.
The Affiliate Link Heist: Invisible Profits, Real Losses
Investigators from Socket and Symantec have uncovered a sprawling network of Chrome extensions whose true business is far more sinister than their advertised features. Take “Amazon Ads Blocker”: while it does block sponsored content on Amazon, its main function is to surreptitiously replace any affiliate tag in Amazon product links with its own. Content creators who rely on affiliate commissions are left empty-handed, as their tags are silently swapped out when users with the extension installed click their links.
The impact isn’t limited to Amazon. Other extensions in the cluster target AliExpress, Best Buy, Shein, Shopify, and Walmart, embedding attacker-controlled affiliate codes or faking “LIMITED TIME DEAL” countdowns to pressure users into purchases. All the while, harvested data is quietly shipped off to servers controlled by the perpetrators.
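The tag swap described above is visible from the defender's side as a mismatch between the link a creator published and the URL the browser actually requests after the click. The following script is an added example written for this article, not code from Socket, Symantec or any extension it discusses; it assumes only that Amazon's affiliate id travels in the `tag` query parameter (the other retailers named above are left for the operator to add), and all sample links and tag values are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameter that carries the affiliate id, per retailer domain.
# "tag" is Amazon's affiliate parameter; the other retailers named in the
# article are left for the operator to fill in (their parameter names are
# not stated on the page).
AFFILIATE_PARAMS = {
    "amazon.com": "tag",
}


def affiliate_id(url):
    """Return (retailer, affiliate id) for a known retailer URL, or None.

    The id is None when the URL is for a known retailer but carries no tag.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for domain, param in AFFILIATE_PARAMS.items():
        if host == domain or host.endswith("." + domain):
            query = dict(parse_qsl(parts.query, keep_blank_values=True))
            return domain, query.get(param)
    return None


def detect_tag_swap(published_url, observed_url):
    """Compare the link a creator published with the URL the browser actually
    requested after the click, and classify what happened to the affiliate tag."""
    published = affiliate_id(published_url)
    observed = affiliate_id(observed_url)
    if published is None or observed is None or published[0] != observed[0]:
        return "unknown"          # not a retailer we track, or retailer changed
    before, after = published[1], observed[1]
    if before == after:
        return "intact"
    if before is None:
        return "injected"         # no tag was published, one appeared
    if after is None:
        return "stripped"
    return "swapped"              # creator's tag replaced by another party's


# Constructed sample: the href a creator published beside what a browser with a
# tag-rewriting extension actually requested. ASIN and tag values are made up.
SAMPLE_CLICKS = [
    ("https://www.amazon.com/dp/B000000000?tag=creator-20",
     "https://www.amazon.com/dp/B000000000?tag=hijacker-20"),
    ("https://www.amazon.com/dp/B000000000?tag=creator-20",
     "https://www.amazon.com/dp/B000000000?tag=creator-20"),
    ("https://www.amazon.com/dp/B000000000",
     "https://www.amazon.com/dp/B000000000?tag=hijacker-20"),
    ("https://example.com/shop?ref=creator",
     "https://example.com/shop?ref=other"),
]


def summarize(clicks=SAMPLE_CLICKS):
    """Count verdicts over a batch of (published, observed) URL pairs."""
    counts = {}
    for published, observed in clicks:
        verdict = detect_tag_swap(published, observed)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for published, observed in SAMPLE_CLICKS:
        print(detect_tag_swap(published, observed), observed)
    print(summarize())
```

A creator or affiliate network can feed real pairs into `detect_tag_swap` by logging the href as rendered on their own page and the final URL reported back by a test browser; a steady stream of `swapped` or `injected` verdicts from one browser profile points at an installed extension rather than at the retailer.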
Deceit by Design: Violating Trust and Policy
These add-ons often mislead users with vague or false disclosures - claiming modest commissions or coupon deals, when in reality they are injecting affiliate tags automatically and without permission. This violates Chrome Web Store policies, which demand transparency, honest disclosure, and user-initiated actions for affiliate injections. By combining unrelated features (such as ad blocking and affiliate injection), these extensions also breach Google’s “single purpose” policy.
AI Credentials in the Crosshairs
Even more alarming is the emergence of extensions targeting OpenAI’s ChatGPT. A network of 16 “ChatGPT Mods” extensions was discovered injecting scripts into chatgpt.com, harvesting authentication tokens that grant attackers full access to users’ conversations and account data. With AI tools increasingly embedded in business workflows, the risk is no longer hypothetical: attackers can impersonate users, steal intellectual property, and compromise sensitive discussions - all through a browser add-on.
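A content script that runs on chatgpt.com is declared in the extension's manifest, so the combination the report describes (a script matched to the site plus permissions that reach cookies or traffic) can be flagged before installation. The auditor below is an added example written for this article, not code from the researchers or from any of the extensions named; chatgpt.com is the only sensitive host taken from the page, the set of permissions treated as risky is this auditor's own choice, and both manifests are constructed.

```python
import json

# Sites whose sessions are worth protecting. chatgpt.com is the host named in
# the report; further hosts are an operator assumption.
SENSITIVE_HOSTS = {"chatgpt.com"}

# Permissions that, combined with a content script or broad host access, let an
# extension reach session credentials or traffic. This selection is the
# auditor's own judgment, not a Chrome policy list.
RISKY_PERMISSIONS = {
    "cookies": "can read the site's cookies, including session cookies",
    "webRequest": "can observe requests and their headers",
    "scripting": "can inject code into pages at runtime",
}


def pattern_matches_host(pattern, host):
    """Evaluate a Chrome match pattern (<scheme>://<host><path> or <all_urls>)
    against a hostname. Only the host component is checked here."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    host = host.lower()
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host


def audit_manifest(manifest, sensitive_hosts=SENSITIVE_HOSTS):
    """Return a list of findings describing how the extension could reach
    credentials on sensitive hosts. An empty list means nothing was flagged."""
    findings = []
    for i, cs in enumerate(manifest.get("content_scripts", [])):
        hits = sorted(h for h in sensitive_hosts
                      if any(pattern_matches_host(m, h) for m in cs.get("matches", [])))
        if hits:
            findings.append(
                f"content_scripts[{i}] injects {cs.get('js', [])} into {', '.join(hits)}"
                f" (run_at={cs.get('run_at', 'document_idle')})")
    broad = [hp for hp in manifest.get("host_permissions", [])
             if any(pattern_matches_host(hp, h) for h in sensitive_hosts)]
    if broad:
        findings.append(f"host_permissions {broad} cover sensitive host(s)")
    for perm in sorted(set(manifest.get("permissions", [])) & set(RISKY_PERMISSIONS)):
        findings.append(f"permission '{perm}' {RISKY_PERMISSIONS[perm]}")
    return findings


def audit_manifest_json(text):
    """Convenience wrapper for a raw manifest.json string."""
    return audit_manifest(json.loads(text))


# Constructed manifest in the shape the report describes: a "mod" extension
# whose content script runs on chatgpt.com and which can also read cookies.
# The extension name and file names are made up.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Chat Mods",
    "permissions": ["cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{
        "matches": ["https://chatgpt.com/*"],
        "js": ["inject.js"],
        "run_at": "document_start",
    }],
})

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Notes",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["notes.js"]}],
})

if __name__ == "__main__":
    for line in audit_manifest_json(SUSPECT_MANIFEST):
        print("!", line)
    print("benign findings:", audit_manifest_json(BENIGN_MANIFEST))
```

Run it against the unpacked extension directory's manifest.json before approving an add-on for a fleet; a content script on a site that holds AI or banking sessions is not proof of theft, but it is the entry point the report describes, and it deserves a look at the listed script files.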
The Professionalization of Browser-Based Crime
The threat landscape is evolving rapidly. Tools like “Stanley,” sold on Russian cybercrime forums for thousands of dollars, allow even low-skilled criminals to generate malicious Chrome extensions that can slip past Google’s vetting. These extensions can overlay phishing pages on top of legitimate banking or SaaS sites, making it nearly impossible for users to spot the ruse - even as the browser’s URL bar remains unchanged.
As home and remote work drive reliance on browsers, attackers are adapting, exploiting the high-trust environment of browser extensions to launch increasingly sophisticated attacks. The message from researchers is clear: even extensions from official stores can be wolves in sheep’s clothing, and users must remain vigilant.
Looking Forward: A Call for Caution
Browser extensions can empower, but they can also betray. With attackers leveraging both technical trickery and social engineering, the line between helpful tool and dangerous threat has never been thinner. As the Chrome Web Store struggles to keep pace, only an informed, cautious user base stands between ordinary browsing and extraordinary risk.
WIKICROOK
- Affiliate Link: An affiliate link is a unique URL with a tracking code, enabling marketers to earn commissions for referred sales or actions, often used in online marketing.
- Authentication Token: An authentication token is a digital key that verifies your identity to apps or services, allowing secure access without re-entering your password.
- Content Script: A content script is code injected by browser extensions into web pages, enabling them to view or modify page content as you browse.
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
- Phishing Page: A phishing page is a fake website made to look real, tricking users into sharing sensitive data like passwords, credit card numbers, or personal details.