Cyber Experts Uncover Dark Secret Behind Ad-Blocking Extensions

The rise of ad-blocking extensions has been a double-edged sword for online content creators and consumers alike. These extensions have provided a convenient way to block unwanted advertisements and enhance the overall browsing experience. However, a recent discovery by cybersecurity researchers has revealed that some of these seemingly innocuous extensions have been secretly compromising user data and stealing valuable information.

Several Google Chrome extensions have been identified as hijacking Amazon affiliate links, intercepting ChatGPT authentication tokens, and exfiltrating sensitive user data. The malicious behavior is largely attributed to a few popular ad-blocking extensions with millions of downloads.

One such extension is Amazon Ads Blocker, which has an astonishing 1 million+ combined downloads on the Chrome Web Store. This extension appears to block ads, but in reality, it injects its own affiliate tag into every Amazon product link, replacing existing codes. Content creators who share these modified links risk losing commissions on their sales.

The extent of this malicious behavior was first uncovered by Socket researcher Kush Pandya in late January. His team identified a coordinated cluster of 29 browser extensions targeting various e-commerce platforms, including AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. These extensions scan product URLs for affiliate tags without requiring user interaction and replace them with the attacker’s code.

When there are no tags, they simply add their own ID. This not only violates Chrome Web Store policies but also allows the attackers to scrape product data and exfiltrate it to a malicious server. The implications of this malicious behavior extend beyond the loss of commissions for content creators. These extensions can potentially compromise user trust and lead to financial losses for online businesses.

Researchers at LayerX have identified 16 malicious extensions (15 on Chrome, one on Edge) that intercept ChatGPT session authentication tokens by injecting content scripts into ChatGPT.com. When users sign in to ChatGPT in their browser, their session remains active using a hidden token. These extensions inject their own code into ChatGPT, allowing them to monitor traffic and access user data without their knowledge or consent.

With the stolen token, an attacker can view the user’s chat history, access their profile information, and even use their password without requiring two-factor authentication. This level of access is equivalent to having the keys to the kingdom, as ChatGPT users’ data is essentially being stolen from under their noses.

According to Broadcom-owned Symantec, four extensions with 100,000+ combined users (Good Tab, Children Protection, DPS Websafe, and Stock Informer) are actively stealing data from unsuspecting users. These malicious extensions include:

  • Good Tab: This extension appears to block ads but is secretly injecting affiliate tags into product links, allowing the attacker to earn commissions on sales.
  • Children Protection: Researchers at LayerX discovered that this extension intercepts ChatGPT session authentication tokens by injecting content scripts into the platform.
  • DPS Websafe: Symantec flagged this extension for stealing user data, including browsing history and login credentials.
  • Stock Informer: This extension is also being used to exfiltrate sensitive user information, including email addresses and phone numbers.

Google has since removed Amazon Ads Blocker from the Chrome Web Store, citing a violation of its policies. In light of this revelation, content creators must be cautious when sharing links or using ad-blocking extensions. They should verify the authenticity of any extension before installing it and regularly monitor their account activity for signs of malicious behavior.
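
One way to carry out that verification step, as an added example that is not code from the article or from Socket, LayerX or Symantec: a Node.js check that reads an extension's manifest and reports whether its content scripts or host permissions reach ChatGPT or the shopping sites named earlier. The watchlist hostnames and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example, not code from any extension or vendor named in the article.
// WATCHED_HOSTS is an assumed watchlist of sites the article says were targeted.
const WATCHED_HOSTS = ["chatgpt.com", "www.amazon.com", "www.walmart.com", "www.bestbuy.com"];

// Host part of a Chrome match pattern (scheme://host/path); "*" means any host.
function patternHost(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[2] : null;
}

// True when a match-pattern host covers a concrete hostname.
function hostCovers(patHost, host) {
  if (patHost === null) return false;
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patHost === host;
}

// One finding per (source, pattern, watched host) the manifest can reach.
function auditManifest(manifest) {
  const sources = [];
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || []) sources.push(["content_script", p]);
  for (const p of manifest.host_permissions || []) sources.push(["host_permission", p]);
  // Manifest V2 lists host patterns inside "permissions" next to API names.
  for (const p of manifest.permissions || [])
    if (typeof p === "string" && (p === "<all_urls>" || p.includes("://")))
      sources.push(["host_permission", p]);
  const findings = [];
  for (const [source, pattern] of sources)
    for (const host of WATCHED_HOSTS)
      if (hostCovers(patternHost(pattern), host)) findings.push({ source, pattern, host });
  return findings;
}

// Constructed sample manifest, not taken from a real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Ad Blocker (constructed)",
  permissions: ["storage"],
  host_permissions: ["*://*.amazon.com/*"],
  content_scripts: [{ matches: ["https://chatgpt.com/*"], js: ["content.js"] }],
};
console.log(auditManifest(SAMPLE_MANIFEST));
```

A finding shows only that the extension is allowed to run code on that site; ad blockers often request broad access, so treat the output as a list of extensions to review, not a verdict.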

As we move forward in an increasingly digital world, online platforms must prioritize user security and transparency. By doing so, they can create a web where users feel confident sharing links, chatting with AI assistants, or shopping online without worrying about their data being compromised.

