Amazon Assistant browser extension is built to spy on you, web expert says


Amazon's Assistant browser extension can be used to track everything you do on the web and can even change the content of non-Amazon web pages displayed in your browser, says a prominent web-browser expert.

Wladimir Palant, a Germany-based coder whose company maintains the Adblock Plus extension, argued in a blog post yesterday (March 8) that Amazon Assistant has so much power that it could be used "to get total information on the user's browsing behavior, extract information about accounts they are logged into and even manipulate websites in an almost arbitrary style."


Palant made very clear that there's no evidence that Amazon is actually doing any of this. But he said the extension has so many privileges, and is designed so that Amazon could alter the extension's abilities at any time without formal updates, that it's something worth worrying about.

"I was astonished to find that Amazon built the perfect mechanism to let them track any Amazon Assistant user or all of them: what they view and for how long, what they search on the web, what accounts they are logged into and more," wrote Palant.

"Amazon could also mess with the web experience at will and, for instance, hijack competitors' web shops."

What Amazon Assistant does

Amazon Assistant is available for Chrome, Edge, Firefox, Opera and browsers compatible with those. It's got more than 7 million installations in Chrome and nearly half a million in Firefox, and there is also an Android app. Palant estimates that the browser extensions may have more than 10 million users overall.

The goal of the Amazon Assistant extension is simple price comparison. When you're shopping online, or at least browsing for items you might buy, Amazon Assistant can tell you how much an item costs on Amazon.

The extension also lets you see whether an item's price has changed on Amazon, add items to your Amazon wish lists and registries, sign up for Amazon deal alerts and get shipping updates on items you've ordered from Amazon.

"Even if you log out of Amazon and clear your [browser] cookies, this identifier will persist and allow Amazon to connect your activity to your identity." - Wladimir Palant

In order to compare prices, however, Amazon Assistant has to "see" what's on other websites' pages. To give you alerts, it needs the ability to put pop-out windows over other sites' pages.

The Amazon Assistant privacy notice also states that "Amazon Assistant collects and processes browsing data" and, if you choose to "interact with Amazon Assistant", then the extension "connect browsing information with your Amazon Account."

So far, this is all stuff that Amazon is clear about, although it's enough to have raised some privacy red flags in the past few years. But Palant dug into Amazon Assistant's code and found other things that might be even more alarming.

What Amazon Assistant could do

Each installation of Amazon Assistant in a web browser is given a unique ID, Palant said. That makes sense as the extension is tied to your Amazon account, but Palant notes that "even if you log out of Amazon and clear your [browser] cookies, this identifier will persist and allow Amazon to connect your activity to your identity."

He also discovered that the extension is allowed to access tracking cookies and other types of cookies on any website, not just Amazon-owned sites. This goes beyond what is necessary to track just Amazon cookies. And in Firefox (but not Chrome), Palant said Amazon Assistant has the power to manage, access and even uninstall other extensions.

Palant says he found something strange: Amazon Assistant loads processes from at least nine other Amazon websites.

Some of these processes are pretty powerful. They can open and close new browser tabs, get any site's cookies, access other extensions' storage and settings, inject code into any website displayed in any open tab, create items on any open tab, alter the presentation of information in any open tab, and get data from any open tab.

For example, Amazon Assistant could add Amazon items to a rival retailer's shopping page displayed in the user's browser. There's no evidence this is really being done, but the ability is there.
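
The capability classes listed above correspond to permission combinations that an extension declares in its manifest.json. The following check is an added example, not code from the article, from Palant's post or from the extension; the function name auditManifest and both sample manifests are constructed for illustration.

```javascript
// Added example: report which of the capability classes named in the article
// a WebExtension manifest declares. Both sample manifests are constructed.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions"; V3 moves them
  // to "host_permissions". Read both so either layout is covered.
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const api = new Set(declared.filter((p) => !isHostPattern(p)));
  const allSites = declared.filter(isHostPattern).some((h) => BROAD_HOSTS.has(h));
  // Statically declared content scripts that match every site.
  const contentEverywhere = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((m) => BROAD_HOSTS.has(m)));
  // V2: host access alone allows tabs.executeScript; V3 also needs "scripting".
  const canInject = allSites && (manifest.manifest_version === 2 || api.has("scripting"));

  const findings = [];
  if (api.has("cookies") && allSites) findings.push("cookies of any website");
  if (canInject) findings.push("inject code into any tab");
  if (contentEverywhere) findings.push("content script on every page");
  if (api.has("management")) findings.push("manage other extensions");
  return findings;
}

// Constructed sample: broad V2 manifest of the kind the article describes.
const SAMPLE_BROAD = {
  manifest_version: 2,
  name: "constructed-price-helper",
  permissions: ["cookies", "tabs", "storage", "management", "<all_urls>"],
};
// Constructed sample: V3 manifest limited to a single shop.
const SAMPLE_NARROW = {
  manifest_version: 3,
  name: "constructed-single-shop",
  permissions: ["cookies", "scripting"],
  host_permissions: ["https://shop.example/*"],
  content_scripts: [{ matches: ["https://shop.example/*"], js: ["price.js"] }],
};

console.log(auditManifest(SAMPLE_BROAD));
console.log(auditManifest(SAMPLE_NARROW));
```

A manifest audit shows only the ceiling of what an extension is allowed to do; it cannot show what remotely hosted scripts do within those permissions, which is the concern Palant raises.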

The odd thing, Palant says, is that it would have been just as easy to embed these processes directly into Amazon Assistant's code. They're just static JavaScript files.

But because these remote processes are not in Assistant itself, their code can be changed without updating the Assistant extension, and without either the end user or the browser developer — Google, Microsoft or Mozilla — noticing.

"There is no way of knowing that it is always the same code," Palant wrote. He pointed out that there are already different back-end Assistant code repositories for different languages.

Palant said that, given the unique ID each installation of Amazon Assistant gets, Amazon could serve up custom JavaScript for a specific user. That user's version of Amazon Assistant could have special abilities that other installations of Assistant don't have.

"If Amazon is spying on a subgroup of their users (be it out of their accord or on behalf of some government agency), this attack would be almost impossible to detect," Palant wrote.

Should you use Amazon Assistant?

So should you use Amazon Assistant? If you're a heavy Amazon shopper, and especially if you get free shipping through Amazon Prime, the convenience is pretty hard to resist.

But Google already gives you a gamut of prices if you just type in a product name; CamelCamelCamel tracks Amazon price changes; and Amazon itself lets you easily track shipments and add items to a list.

Again, there's no evidence that Amazon Assistant is doing anything beyond what its privacy policy states. It's just that the extension could do so much more.

Tom's Guide has reached out to Amazon for comment, and we will update this story when we receive a reply.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/amazon-assistant-privacy

Posted by: wilderuppoorning.blogspot.com
