A few Days before Christmas, Amazon started sending warnings to its websites’ visitors that their Honey browser extension, which tracks product prices and discounts, is a “security risk” and should be uninstalled. Honey, which was recently purchased by PayPal for $4 billion, has denied the claim.
Amazon’s message to its visitors said the following, according to Wired:
“Honey tracks your private shopping behavior, collects data like your order history and items saved, and can read or change any of your data on any website you visit. To keep your data private and secure, uninstall this extension immediately.”
The message was followed by a link to a page that gave instructions for how to uninstall the Honey extension.
Honey is a browser extension that tracks product prices and discounts online in order to alert its users about them. However, the only way for the extension to see those prices is if it has full access to the websites you visit, just like any other browser extension whose functionality relies on the data from the websites you visit.
Amazon’s accusation is not completely without merit, especially given that according to Amazon, the Honey extension also grabs purchase order information. That sort of highly valuable e-commerce data may help explain why PayPal thought the extension was worth $4 billion.
Most Honey users may not truly understand what they give in exchange for getting that product discount information. From this point of view, one could potentially see the application as malicious, but it’s not so different from any other online tracker.
A Honey representative told Wired that:
“We only use data in ways that directly benefit Honey members—helping people save money and time—and in ways they would expect. Our commitment is clearly spelled out in our privacy and security policy.”
Last summer, researchers from security firm Risk Based Security identified a bug in the Honey extension that would have allowed attackers to steal Honey users’ personal information. Honey had already fixed the bug prior to the public disclosure, as the security researchers reported the issue to the company before going public.
However, Amazon’s warning may have been better received if its own Amazon Assistant extension didn’t require the same broad browser permissions to gather user data and didn’t have similar functionality to Honey. Like Honey, the Amazon Assistant extension also tracks users’ browsing behavior and compares the prices of Amazon’s own products to those on other stores.
Amazon’s warning against Honey may have been primarily self-serving, in order to keep that sort of e-commerce data for itself so that it doesn’t get into the hands of competitors. However, it ultimately made more users aware of the dangers of browser extensions that can track your browsing behavior. These extensions usually come with a browser permission such as: “read or change any of your data on any website you visit,” in case you’d like to avoid them.
There have also been cases of popular extensions being purchased by malware developers , with the extension’s capabilities then being turned against the user to steal their data or install malware on their PCs. Therefore, it pays to be more careful with the type of browser extensions you install and to do a little bit of research into what type of data they’re gathering from you.