The campaign, tracked as SearchJack, shows how ordinary-looking browser tools can turn search traffic into affiliate revenue while giving users little practical visibility into who handles their queries. The extensions were presented as satellite imagery tools, map services, news readers, productivity aids and search helpers, but shared a common technical pattern: they used Chrome’s settings override mechanism to make their own search route the browser default.
Security researchers who mapped the operation identified 22 publishers and at least eight monetisation brokers linked through tracking parameters inside final Yahoo search redirect URLs. The affected extensions include high-install items such as PerfecTab Search, Quick Search Tool and Better Search, each listed at about 100,000 users, along with NewTab. Search at about 70,000 users and several map, video, menu and navigation-themed tools with smaller user bases.
The issue matters because search queries can reveal health concerns, financial worries, workplace activity, travel plans, political interests and login destinations. Once routed through third-party middleware, those queries may be logged alongside IP addresses, device identifiers and other technical data. The same control over traffic also creates an escalation risk: operators that can redirect search requests can later point users towards phishing pages, credential-harvesting sites or malicious downloads without needing to push a visible extension update.
The SearchJack findings underline a broader weakness in the browser-extension economy. Many extensions do not need broad permissions to change a user’s search path. Some in the campaign were minimal “shell” extensions, containing little beyond a manifest file and a default-search instruction. That simplicity can help them appear low-risk in static review because they may lack background scripts, content scripts or intrusive permission prompts.
Other extensions appeared to add just enough visible functionality to justify installation. Map viewers, video libraries and search-switching interfaces can make a product look useful while the main commercial activity happens through hidden redirect chains. Search Toggler, one of the named extensions, was flagged for a routing design in which user queries passed through operator middleware even when the interface suggested a choice of search engine.
Chrome’s documentation allows extensions to override selected settings, including search behaviour, but the Chrome Web Store’s policy framework places responsibility on developers to avoid misleading behaviour and respect user expectations. Users are also normally asked to confirm search-engine changes when an extension alters the default search setting. SearchJack raises questions over whether confirmation prompts and listing disclosures are enough when the commercial routing layer is buried behind technical parameters.
Checks of named Chrome Web Store listings show why the problem is difficult for users to judge. PerfecTab Search, listed with about 100,000 users, describes itself as a default search extension and states that it does not collect or use user data. Better Search, also listed with about 100,000 users, discloses handling personally identifiable information, web history, user activity and website content, while promoting Yahoo-powered results from the address bar.
The operation also highlights the role of brokers. Affiliate identifiers such as trp, infospace, flowsurf, adk, becovi, imageadvan, mnet, fc and dcola were linked to the search flows. This broker-led model means individual extensions can be removed or replaced while revenue relationships and hosted-search pathways continue elsewhere. For platform operators, that makes enforcement against single listings less effective than action against account clusters, domains and partner identifiers.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
