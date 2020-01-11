Loading...

Enlarge / The Amazon logo at the entrance of a logistics center in France, July 2019.

Days before Christmas, at the height of the last minute rush of shopping, a threatening message appeared on Amazon.com. Customers who used a popular browser extension called Honey were warned that the service that promised to track prices and discount codes was a “security risk”.

“Honey keeps track of your personal shopping habits, collects data such as your order history and stored items, and can read or change your information on any website you visit,” the report said. “To keep your data private and secure, uninstall this extension immediately.” A hyperlink followed, through which users could learn how this works. Screenshots of the warning have been posted on forums and social media by Honey users such as Ryan Hutchins, an editor at Politico.

Honey is not an obscure browser extension from an unknown developer. The startup founded in 2012 and based in Los Angeles now has over 17 million users. With tens of thousands of online retailers, including Amazon, discount codes are found that help shoppers save money. In November, PayPal agreed to buy Honey for a staggering $ 4 billion. The acquisition was completed this week.

Amazon’s warning, which started on December 20, confused and annoyed many Honey users, some of whom complained on official social media channels. The browser extension has been compatible with Amazon since it was founded and has made a significant contribution to Honey’s success. Amazon is one of the most popular retailers in the world and the place where most Americans start looking for a product online.

Amazon declined to explain why it decided to suddenly call Honey a security risk last month. “Our goal is to warn customers of browser extensions that collect personal shopping information without their knowledge or consent,” said a company spokesman. They declined to answer further questions based on this claim.

When users install the Honey extension on their browser, they agree to the company’s terms of use and privacy and security policies. While this type of agreement can be dense and difficult to interpret for the average person, Honey doesn’t seem to collect consumer information without demand, as Amazon WIRED indicated. The privacy policy states that “Your search engine history, email, or browsing websites that are not retail sites are not logged.”

“We only use data in a way that Honey members benefit directly – by helping people save money and time – and in a way that they would expect. Our commitment is clearly stated in our privacy and security policy, ”a Honey spokesman told WIRED.

Honey also says that it does not sell the purchasing data collected from customers. The company makes money by charging some retailers a small percentage of the sales made with the coupons found – but Amazon has never been one of them.

Amazon’s security warning last month surprised Honey and the company tried to respond. Some features of Honey had to be temporarily disabled, e.g. B. Droplist, which records the price of certain items to prevent the message from being shown to more people. The changes were not announced in an official blog post or message to users.

“We are aware that Droplist and other Honey features have not been available on Amazon for a limited time. We know that these are tools that people love and that have worked quickly to restore functionality. Our extension poses no security risk and is safe to use, ”said a Honey spokesman.

Browser extensions can be incredibly invasive, and it’s still good practice to be careful when installing them on your browser. Amazon warned Honey users that the extension “can read or change all of your data on any website you visit,” but this is a basic functionality of many extensions – which is why it is important to install only those that you can trust. In fact, Amazon has its own browser extension called Amazon Assistant. It also tracks prices, just like Honey, and allows you to compare items from other retailers with those from Amazon. When users install Amazon Assistant from the Chrome Store, Google notifies them that “they can read and change all of your data on the websites they visit”.

Honey says it regularly works with security companies to assess protection. Last summer, researchers at cyber security company Risk Based Security documented a vulnerability in the Honey extension that malicious websites could exploit to steal user information. However, the bug did not affect Honey’s data collection practices and was patched to Firefox and Google Chrome in early 2019, according to Risk Based Security. “If an individual or an independent researcher contacts us about a potential vulnerability, we will contact that person to understand and correct the problem (if there is one),” said the Honey spokesman.

There is still a chance that Amazon found a legitimate security issue with Honey, but it doesn’t say what. WIRED has also contacted Google and Firefox, which are saved by every host extension for their common web browsers. However, none of the companies could comment immediately.

Amazon extremely protects its shopping and customer data. Honey may not have been a problem when it was a small startup. Today it belongs to the financial group PayPal, which was formerly part of eBay, an Amazon competitor. Amazon still doesn’t accept PayPal as a direct payment option. There is no incentive to play nicely in the e-commerce world.

This story originally appeared on wired.com.