linkbay

Detecting Affiliate Hijacks

Learn how affiliate tag hijacking works and how to protect your creators with Linkbay.

What is Affiliate Hijacking?

Affiliate hijacking occurs when a malicious actor replaces a creator's affiliate tag with their own before the user completes a purchase. This steals commission from the creator who actually drove the sale.

Common Hijacking Methods

  • Browser Extensions: Coupon and cashback extensions often inject their own affiliate tags at checkout
  • URL Manipulation: Scripts that rewrite affiliate parameters in the URL
  • Cookie Overwriting: Dropping new affiliate cookies that override the original
  • Redirect Chains: Sending users through intermediary pages that add new tags

How Linkbay Detects Hijacks

When a creator generates a Linkbay-protected link, we record the original affiliate tag. When clicked:

  1. We log the click with the expected tag
  2. We append a unique lb_click ID to the redirect URL
  3. We send a webhook with the expected tag to your server
  4. At checkout, you compare the arrived tag with the expected tag

If they don't match, a hijack has occurred.

Implementation Patterns

Pattern 1: Webhook + Cache

Best for high-traffic sites. Cache webhook data and check at checkout.

// Store webhooks in Redis
import Redis from 'ioredis';
const redis = new Redis();

// Webhook handler
export async function handleWebhook(data) {
  await redis.setex(
    `click:${data.click_id}`,
    3600, // 1 hour TTL
    JSON.stringify({
      expectedTag: data.expected_tag,
      creatorId: data.creator_id,
    })
  );
}

// At checkout
export async function verifyClick(clickId: string, arrivedTag: string) {
  const cached = await redis.get(`click:${clickId}`);

  if (!cached) {
    // Fallback to API
    return await lookupClickAPI(clickId, arrivedTag);
  }

  const { expectedTag, creatorId } = JSON.parse(cached);

  return {
    isHijacked: expectedTag !== arrivedTag,
    expectedTag,
    arrivedTag,
    creatorId,
  };
}

Pattern 2: API-Only

Simpler setup. Call the API at checkout without webhooks.

// At checkout - call API directly
export async function verifyAtCheckout(clickId: string, arrivedTag: string) {
  const res = await fetch(
    `https://api.linkbay.io/api/v1/merchant/lookup-click?click_id=${clickId}`,
    { headers: { 'X-API-Key': process.env.LINKBAY_API_KEY } }
  );

  if (!res.ok) {
    // Click expired or not found - proceed with arrived tag
    return { isHijacked: false, tag: arrivedTag };
  }

  const { expectedTag } = await res.json();

  if (expectedTag !== arrivedTag) {
    console.log('Hijack detected!');
    return { isHijacked: true, tag: expectedTag }; // Use the real tag
  }

  return { isHijacked: false, tag: arrivedTag };
}

Pattern 3: Hybrid (Recommended)

Use webhooks when available, API as fallback.

export async function verifyClick(clickId: string, arrivedTag: string) {
  // Try cache first (from webhook)
  const cached = await getFromCache(clickId);

  if (cached) {
    return {
      isHijacked: cached.expectedTag !== arrivedTag,
      expectedTag: cached.expectedTag,
      source: 'webhook',
    };
  }

  // Fallback to API
  const apiResult = await lookupClickAPI(clickId);

  if (!apiResult) {
    return { isHijacked: false, source: 'not_found' };
  }

  return {
    isHijacked: apiResult.expectedTag !== arrivedTag,
    expectedTag: apiResult.expectedTag,
    source: 'api',
  };
}

Handling Hijack Detection

When you detect a hijack, you have several options:

Option 1: Silent Correction

Quietly credit the correct creator without alerting the user.

if (result.isHijacked) {
  // Use expectedTag for commission
  await recordAffiliateCommission(result.expectedTag, order);
}

Option 2: User Notification

Let users know their extension may be interfering.

if (result.isHijacked) {
  showNotification(
    'A browser extension modified your affiliate link. ' +
    'The original creator will still receive credit.'
  );
}

Option 3: Analytics Only

Track hijacking rates without changing attribution (for analysis).

if (result.isHijacked) {
  await analytics.track('hijack_detected', {
    clickId,
    expectedTag: result.expectedTag,
    arrivedTag,
    orderId: order.id,
  });
}

Best Practices

  • Always credit the expected tag. This is the creator who actually drove the traffic.
  • Log hijacking attempts. Track patterns to identify bad actors.
  • Use both webhooks and API. Webhooks are faster; API is a reliable fallback.
  • Handle edge cases gracefully. If click data is not found, fall back to normal attribution.
  • Keep click data for 1 hour. Most conversions happen within this window.

Testing Your Integration

Simulate a hijack to test your detection:

  1. Create a Linkbay link with tag REAL_CREATOR
  2. Click the link to arrive at your product page
  3. Manually change the tag URL parameter to FAKE_TAG
  4. Proceed to checkout
  5. Verify your system detects the mismatch and credits REAL_CREATOR

Reporting to Linkbay

Use the Verify Click API to report hijacking attempts. This data helps us identify patterns and improve protection for all merchants.