Expand Up @@ -110,6 +110,45 @@ The extension storage is merely a key-value collection, very similar to [localSt

However, advertising companies could also abuse this storage.

### Search provider hijacking with `chrome_settings_overrides`

A **low-permission** extension can still **take over omnibox searches** via **`chrome_settings_overrides.search_provider`**. Chrome allows an extension to define a custom search endpoint containing **`{searchTerms}`**, so a manifest-only extension can silently route every address-bar search through operator-controlled infrastructure:

```json
"chrome_settings_overrides": {
"search_provider": {
"name": "Search",
"keyword": "search.example",
"search_url": "https://search.example/search?q={searchTerms}",
"is_default": true
}
}
```

This is useful for **search affiliate hijacking** because the extension might need **no content scripts**, **no background logic**, and **no extra API permissions** while still gaining access to a very sensitive data stream: user search intent.

### Auditing search-override abuse

When reviewing a browser extension, check whether the advertised feature matches the search override:

- Search for **`chrome_settings_overrides`**, **`search_provider`**, **`search_url`**, and **`is_default`** in `manifest.json`.
- Flag **manifest-only shells** whose main behavior is changing the default search provider.
- Compare the **extension branding** with the **search endpoint domain**. Utility/new-tab/map/video extensions pointing searches to unrelated domains are suspicious.
- Inspect whether the redirect chain lands in **affiliate search networks**. Parameters such as **`hspart`** and **`hsimp`** are useful to attribute the broker/campaign behind Yahoo Hosted Search style monetization.
- Cluster disposable extensions by repeated backend templates such as identical query parameters, shared paths like **`/admin/public/link`** or **`serp.php`**, and reused search domains.
- Compare **store claims** and **privacy policies**. False claims such as “we do not track searches” are strong indicators when the extension clearly proxies queries.

### Runtime redirect rules can hide the real routing

Static package review may still miss the real search flow. An extension can ship benign-looking static rules and then install the real redirect logic at runtime via **`chrome.declarativeNetRequest.updateDynamicRules()`**.

Practical checks:

- Inspect the **service worker/background script** for `updateDynamicRules()`.
- In an instrumented browser, dump live rules with **`chrome.declarativeNetRequest.getDynamicRules()`** from the extension context.
- Capture **network traffic** while performing omnibox searches and follow the **full redirect chain** until the final search provider.
- Treat decoy static files such as `redirect-rules.json` as insufficient evidence of benign behavior unless runtime rules and live traffic match.

### More permissions

Manifest V3 split page access from API permissions: **`permissions`** still governs privileged APIs (cookies, tabs, history, scripting, etc.) while **`host_permissions`** controls which origins those APIs can touch. MV3 also made host permissions **runtime‑grantable**, so extensions can ship with none and pop a consent prompt later via `chrome.permissions.request()`—handy for legit least‑privilege flows, but also abused by malware to escalate after reputation is established.
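Review bot: the "Runtime redirect rules can hide the real routing" section is at odds with the "no extra API permissions" claim in the search-override section above it. Calling `chrome.declarativeNetRequest.updateDynamicRules()` requires `declarativeNetRequest` (or `declarativeNetRequestWithHostAccess`) in `permissions`, and in MV3 a redirect action additionally needs `host_permissions` covering the request URL, so an extension using this technique is no longer "manifest-only"; the presence of that permission in a supposedly trivial extension is itself an audit signal and should be listed under "Practical checks". The same checklist should also cover session-scoped rules: `updateSessionRules()` / `getSessionRules()` install redirects that vanish on browser restart and would be missed by dumping only `getDynamicRules()`. Finally, the `manifest.json` grep list in "Auditing search-override abuse" only names `search_provider`; `chrome_settings_overrides` also carries `homepage` and `startup_pages`, which are used for the same monetization pattern and deserve a mention in that bullet.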
Expand Down Expand Up @@ -156,6 +195,9 @@ However, tightening security measures often results in decreased flexibility and
- [https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing](https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing)
- [https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/malicious-browser-extensions-feb-2025/](https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/malicious-browser-extensions-feb-2025/)
- [https://developer.chrome.com/blog/resuming-the-transition-to-mv3/](https://developer.chrome.com/blog/resuming-the-transition-to-mv3/)
- [https://malext.io/reports/SearchJack/](https://malext.io/reports/SearchJack/)
- [https://developer.chrome.com/docs/extensions/reference/manifest/chrome-settings-override](https://developer.chrome.com/docs/extensions/reference/manifest/chrome-settings-override)
- [https://developer.chrome.com/docs/extensions/reference/api/declarativeNetRequest](https://developer.chrome.com/docs/extensions/reference/api/declarativeNetRequest)

{{#include ../../banners/hacktricks-training.md}}

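Review bot: please verify that the new `chrome-settings-override` reference link resolves. The manifest key documented above is `chrome_settings_overrides` (plural), so the slug is likely `chrome-settings-overrides`; a wrong link in the reference list will 404 for readers trying to confirm the `search_provider` fields.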