A Chrome extension posing as an Amazon ad blocker was caught hijacking affiliate links in the background, redirecting commissions without user consent.
A Chrome browser extension advertised as a way to hide sponsored ads on Amazon has been caught quietly hijacking affiliate links in the background, redirecting commissions to its developer without users’ knowledge.
Socket researchers found that the extension, Amazon Ads Blocker, replaces existing creator affiliate tags with its own identifier on every Amazon product link.
The extension “… automatically injects the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators,” the researchers said in their analysis.
This case illustrates how browser extensions can quietly abuse their privileged access to web content while presenting themselves as legitimate productivity tools.
Although Amazon Ads Blocker appears to function as advertised, its hidden behavior reveals a deliberate monetization scheme operating beyond user visibility or control.
Socket’s research confirmed that Amazon Ads Blocker is not an isolated example, but part of a coordinated network of at least 29 extensions targeting major e-commerce platforms, including Amazon, AliExpress, Best Buy, Shopify, and Shein.
The shared infrastructure, consistent affiliate identifiers, and repeated policy violations across multiple extensions strongly suggest intentional affiliate hijacking rather than a one-off compliance mistake.
From a technical perspective, the extension operates in two distinct layers.
The first is its visible functionality: a basic ad-blocking mechanism that uses CSS selectors to identify and hide sponsored product listings on Amazon pages. By targeting known ad-related elements, the extension successfully removes sponsored content, reinforcing the impression that it exists solely to improve the shopping experience.
The second layer runs silently in the background.
When a page loads, a content script scans all Amazon product links that match common URL patterns such as /dp/ or /gp/product/. If an affiliate tag is already present, the script replaces it with the developer’s tag, 10xprofit-20. If no tag exists, the script automatically appends one.
To ensure persistence, a MutationObserver continuously watches the page for changes and re-applies the affiliate tag whenever new products are loaded through infinite scroll or dynamic page updates. This behavior is entirely opaque to users. The extension’s interface offers only ad-blocking controls, with no settings, disclosures, or prompts regarding affiliate link modification.
Researchers confirmed that the injection occurs automatically on page load, requires no user interaction, and cannot be disabled. This lack of transparency and consent places the extension in direct violation of Chrome Web Store policies, which prohibit automatic affiliate injection and the replacement of existing affiliate codes.
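The link-rewriting behaviour described above can be checked for from the other side. The following is an added example, not code from Socket's analysis or from the extension itself: it audits a list of Amazon product links against the affiliate tag a creator expects to see, flags links whose tag was replaced or appended, and, in a browser, installs a MutationObserver of its own to report re-tagging as it happens. The link list, the creator tag `creator-20` and the ASINs are constructed sample data; the `10xprofit-20` tag is the one named in the report.

```javascript
// Added example (defender side): audit Amazon product links for affiliate-tag
// tampering. Not part of the original article or the extension's code.

// Matches the product URL shapes named in the report: /dp/<ASIN> and /gp/product/<ASIN>.
const PRODUCT_PATH = /\/(dp|gp\/product)\/[A-Z0-9]{10}(?:[/?]|$)/i;

// Classify one href relative to the tag the page owner expects.
// Returns null for anything that is not an Amazon product link, otherwise
// { href, tag, status } with status in: ok | replaced | injected | missing | untagged.
function classifyLink(href, expectedTag) {
  let url;
  try { url = new URL(href, 'https://www.amazon.com/'); } catch { return null; }
  if (!/(^|\.)amazon\./i.test(url.hostname) || !PRODUCT_PATH.test(url.pathname)) return null;
  const tag = url.searchParams.get('tag');
  let status;
  if (tag === null) status = expectedTag ? 'missing' : 'untagged';
  else if (!expectedTag) status = 'injected';      // page should carry no tag at all
  else if (tag === expectedTag) status = 'ok';
  else status = 'replaced';                         // creator's tag was overwritten
  return { href, tag, status };
}

// Audit a whole page's links. expectedTag is the creator's own tag, or null if
// the page is not supposed to carry any affiliate tag.
function auditLinks(hrefs, expectedTag) {
  const findings = { ok: [], replaced: [], injected: [], missing: [], untagged: [] };
  for (const h of hrefs) {
    const r = classifyLink(h, expectedTag);
    if (r) findings[r.status].push(r);
  }
  // Distinct foreign tags seen; a single tag across many links is the pattern
  // described in the report.
  findings.suspiciousTags = [...new Set(
    [...findings.replaced, ...findings.injected].map(r => r.tag))];
  return findings;
}

// Browser only (e.g. run from DevTools on a creator's own page): watch the DOM
// the same way the extension does and report any product link that ends up
// with a replaced or injected tag, including links added by infinite scroll.
function watchLinks(root, expectedTag, onFinding) {
  const observer = new MutationObserver(records => {
    for (const rec of records) {
      const nodes = rec.type === 'attributes' ? [rec.target] : [...rec.addedNodes];
      for (const node of nodes) {
        if (!(node instanceof Element)) continue;
        const anchors = node.matches('a[href]') ? [node] : [...node.querySelectorAll('a[href]')];
        for (const a of anchors) {
          const r = classifyLink(a.getAttribute('href'), expectedTag);
          if (r && (r.status === 'replaced' || r.status === 'injected')) onFinding(r);
        }
      }
    }
  });
  observer.observe(root, { subtree: true, childList: true, attributes: true, attributeFilter: ['href'] });
  return observer;
}

// Constructed sample: a creator's page after rewriting of the kind described above.
const SAMPLE_LINKS = [
  'https://www.amazon.com/dp/B000000001?tag=creator-20',             // untouched
  'https://www.amazon.com/dp/B000000002/?tag=10xprofit-20',          // creator tag replaced
  'https://www.amazon.com/gp/product/B000000003?ref=x&tag=10xprofit-20', // replaced
  'https://www.amazon.com/dp/B000000004',                            // creator forgot to tag
  'https://www.amazon.com/s?k=headphones&tag=10xprofit-20',          // search page, not a product link
  'https://example.com/review',                                      // not Amazon
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditLinks(SAMPLE_LINKS, 'creator-20'), null, 2));
}
```

Run the audit from Node against an exported list of hrefs, or paste the block into DevTools on a page you control and call `watchLinks(document.body, 'creator-20', console.warn)`; a burst of `replaced` findings with one shared foreign tag across many links is the signature the report describes, and comparing results with and without a given extension enabled isolates the culprit.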
Browser extensions remain a common blind spot for both users and security teams, often receiving less scrutiny than traditional software despite their broad access to web content.
As this campaign shows, seemingly benign extensions can conceal monetization abuse that impacts users, creators, and organizations alike.
Addressing this risk requires more than simple removal — it calls for tighter controls, better visibility into extension behavior, and clear response processes.
Collectively, these measures help contain the impact of extension-based abuse, reduce the blast radius when issues arise, and strengthen long-term resilience against similar browser-level threats.
This article was originally published on our sister site, eSecurityPlanet.