Amazon Accuses Honey Extension of Being a Security Risk

A few days before Christmas, Amazon began showing visitors to its website a warning that the Honey browser extension, which tracks product prices and discounts, is a "security risk" and should be uninstalled. Honey, which PayPal recently agreed to buy for $4 billion, has denied the claim.

Amazon’s message to its visitors said the following, according to Wired:

“Honey tracks your private shopping behavior, collects data like your order history and items saved, and can read or change any of your data on any website you visit. To keep your data private and secure, uninstall this extension immediately.”

The message was followed by a link to a page that gave instructions for how to uninstall the Honey extension.

Honey is a browser extension that tracks product prices and discounts online and alerts its users to them. The only way for the extension to read those prices is to have access to the content of the shopping pages you visit, and because it cannot know in advance which stores you will use, it requests that access for every site. The same is true of any other browser extension whose functionality depends on data from the pages you visit.

Amazon's accusation is not completely without merit, especially since, according to Amazon, the Honey extension also collects order history. That sort of highly valuable e-commerce data may help explain why PayPal thought the extension was worth $4 billion.

Most Honey users may not truly understand what they give in exchange for getting that product discount information. From this point of view, one could potentially see the application as malicious, but it’s not so different from any other online tracker. 

A Honey representative told Wired that:

“We only use data in ways that directly benefit Honey members—helping people save money and time—and in ways they would expect. Our commitment is clearly spelled out in our privacy and security policy.”

Last summer, researchers from security firm Risk Based Security identified a bug in the Honey extension that would have allowed attackers to steal Honey users’ personal information. Honey had already fixed the bug prior to the public disclosure, as the security researchers reported the issue to the company before going public.

However, Amazon’s warning may have been better received if its own Amazon Assistant extension didn’t require the same broad browser permissions to gather user data and didn’t have similar functionality to Honey. Like Honey, the Amazon Assistant extension also tracks users’ browsing behavior and compares the prices of Amazon’s own products to those on other stores.

Amazon's warning against Honey may have been primarily self-serving, a way to keep that sort of e-commerce data out of competitors' hands. However, it ultimately made more users aware of the risks of browser extensions that can track your browsing behavior. Such extensions typically request a browser permission worded along the lines of "read or change any of your data on any website you visit," and that install prompt is the thing to look for if you would rather avoid them.

There have also been cases of popular extensions being purchased by malware developers, with the extension's capabilities then being turned against users to steal their data or install malware on their PCs. Therefore, it pays to be more careful about the type of browser extensions you install and to do a little research into what type of data they gather from you.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Newtonius
    But.... but... Mr Beast wouldn't hurt or lie to us. He promised us,

    "Honey is a free browser add-on available on Google, Oprah, Firefox, Safari - if it's a browser, it has Honey. All you have to do is when you're checking-out on one of these major sites just click on that little orange button and it will scan the ENTIRE internet and find discount codes for you. As you see right here I'm on Hanes, you know I ordered some shirts because who doesn't like ordering shirts? We saved 11$! Dude our total is 55$ and after Honey it was 44. I clicked once and I saved 11$. There's literally NO reason not to install Honey, it takes 2 clicks. 10 million people use it, 100,000 reviews. Unless you hate money you should install Honey."

    With such a tear-jerking speech like that how can one turn their back on Honey?...
    Reply
  • Co BIY
    So the danger of the extension is now they will have all of Amazon's proprietary data on me.

    Nice. Honey is pretty heavily advertised. This is the problem with a large portion of a company's value being consumer data. It is so easily transferred and devalued.

    With threats like this I see Amazon and Google getting very interested in strong consumer protection regulations that will prevent others from easily amassing as much useful data as they have, leaving them with great piles of "legacy data".
    Reply
  • Math Geek
    that's exactly the issue, amazon and google want to be the only players in the game and can't believe anyone else wants to get into the data mining game.

    they'll do anything to stop it and protect their monopoly.

    hell i don't even have amazon on my phone and yet i still get very specific recommendation emails from them based on my last text conversation. so they even get to read my texts despite not even having the app on my phone at all!!!
    Reply
  • bit_user
    zOMG!! $4B for a freaking browser extension?? Uh, yeah they're gonna be collecting some serious data.

    Newtonius said:
    available on Google, Oprah, Firefox, Safari
    Had to lol at the substitution of Oprah for Opera. She should buy them out, just so she can do that.
    Reply
  • bit_user
    Math Geek said:
    hell i don't even have amazon on my phone and yet i still get very specific recommendation emails from them based on my last text conversation. so they even get to read my texts despite not even having the app on my phone at all!!!
    It's your cellular carrier that's almost certainly spying on you, and just selling the data to probably anyone willing to pay for it.

    If you recall, one of the first acts of the 2017 Congress was to repeal the FCC regulation that prevented ISPs from spying on their customers. I don't know if the same regulation covered your case, or if it was something similar.
    Reply
  • Math Geek
    not sure, but it would not surprise me if there isn't a direct link in the firmware straight to amazon with open access to the phone.

    normally when i am surprised by the emails there is less than 10 minutes since the conversation. so whatever they have set up it is pretty freaking fast in how it works/reacts.
    Reply
  • sykozis
    Math Geek said:
    not sure, but it would not surprise me if there isn't a direct link in the firmware straight to amazon with open access to the phone.

    normally when i am surprised by the emails there is less than 10 minutes since the conversation. so whatever they have set up it is pretty freaking fast in how it works/reacts.
    A few months ago, I was having a conversation with a co-worker, and within minutes I had e-mail from amazon about the exact item we were discussing, as well as having an ad on FB about it.....and Google had already gone through the trouble of finding the Tomshardware article on the item....

    A few weeks ago, another co-worker and I were discussing movies. I get home, and Google Play Movies is recommending every movie we had discussed.

    That's a little freaky....
    Reply
  • Math Geek
    yup it's a known fact they listen in whether you have the voice recognition turned on or not.

    but so long as they are making money and buying the gov to stay out of it, we'll never see any rules stopping the big brother eavesdropping.

    especially when one of the perks for the gov is free access to the surveillance data.
    Reply
  • bit_user
    Math Geek said:
    we'll never see any rules stopping the big brother eavesdropping.
    Well, the FCC did have a rule preventing ISPs from spying on their customers, until the Republican Congress passed a law to strike it down and enable the practice.

    https://commonwealthmagazine.org/economy/what-the-heck-are-you-thinking/
    So, I suppose it could always come back. However, it would now require another law to override the first, and re-introduce a ban on the practice. Something to think about, this November.

    The final vote was 215 to repeal the privacy rules with 205 votes to keep them in place. Voting was mostly along party lines, though 15 Republicans broke rank to vote against the resolution. No Democrats voted in its favor.
    https://www.consumerreports.org/consumerist/house-votes-to-allow-internet-service-providers-to-sell-share-your-personal-information/
    215 to 205 - that's actually closer than I thought. So, it does actually matter who we elect, and it does matter whether we tell them what we care about and hold them to account.

    Finally, to temper your cynicism, consider that your government was looking out for you, but you probably didn't know or care until that got shut down. But, the thing to keep in mind is that The People put those politicians in office, who struck down the rule, and then didn't send a loud enough message that they value their privacy rights. If you don't take your values into the voting booth and contact your elected officials to let them know how you feel, the outcome should not be too surprising.

    The worst thing about cynicism is that it's ultimately self-fulfilling.
    Reply
  • Math Geek
    none of that has anything to do with what we were complaining about :)

    google/facebook/amazon/honey extension etc etc etc are not my isp. there was a rule in place for the isp's which you noted got thrown out. but there has never been and as i said above, won't be anything stopping the extensive intrusions these other companies make billions off of every year. it just gets worse and worse and more and more gets connected. amazon sees my browsing, buying habits online and now my conversations on my mobile and so on and so on. i can also put a box in my house where they can listen to everything going on there and put one on my tv so they can know all my tv habits as well. throw in them buying my credit card and medical records and what does amazon/facebook/google etc etc etc not know about me??

    they have bought the gov and write the rules themselves literally. so as true as your comments are, they really don't pertain to this article nor the comments here.
    Reply