Amazon's browser extension "Assistant" can track everything you do on the web and even change the content of non-Amazon web pages that appear in your browser, according to a prominent web browser expert.
Wladimir Palant, a Germany-based coder who manages the Adblock Plus extension, wrote in a blog post yesterday (March 8) that Amazon Assistant "captures complete information about a user's browsing behavior, logged-in accounts and even manipulate websites in an almost arbitrary way".
Palant made it clear that there is no evidence that Amazon is actually doing this. However, he said the extension has so many privileges that it is worth worrying about, because it is designed to allow Amazon to change the extension's capabilities at any time without a formal update.
"I was astonished to discover that Amazon has built a perfect machine that can track every Amazon Assistant user and every one of them, including what they are looking at and how much, what they are searching for on the web, and which accounts they are logged into," Palant wrote. He also wrote, "Amazon can also tinker with the web experience at will, hijacking a competitor's web shop, for example."
Amazon Assistant is available for Chrome, Edge, Firefox, Opera, and their compatible browsers. It has more than 7 million installs on Chrome and nearly 500,000 on Firefox, and there is also an Android app, Palant said. He estimates that the total number of users of this browser extension will exceed 10 million.
The purpose of the Amazon Assistant extension is simple price comparison. When you are shopping online, or at least browsing for products you might buy, Amazon Assistant will tell you how much the item costs on Amazon.
The extension also allows you to see if the price of an item has changed on Amazon, add items to your Amazon wish list or registry, subscribe to Amazon transaction alerts, and get updates on the delivery of items you have ordered from Amazon.
However, the system does not allow you to change the price of an item.
To compare prices, though, Amazon Assistant needs to "see" what is listed on other websites' pages. To alert you, it needs the ability to pop up windows on those pages.
Amazon Assistant's privacy notice also states that "Amazon Assistant collects and processes browsing information," and if you choose to "interact with Amazon Assistant," the extension "connects your browsing information to your Amazon account".
So far, all of this is disclosed by Amazon itself, and it has been enough to raise several privacy red flags over the past few years. However, Palant dug into the code of Amazon Assistant and found something else that might be even more alarming.
Each time you install Amazon Assistant in your web browser, you are given a unique ID, Palant said. This makes sense because the extension is tied to your Amazon account, but "even if you log out of Amazon and clear your (browser) cookies, this identifier persists, allowing Amazon to tie your activity to your identity," notes Palant.
He also found that the extension is allowed to access tracking cookies and other types of cookies on any website, not just those owned by Amazon. This goes beyond what is required to track only Amazon cookies. And in Firefox (not Chrome), Palant said, Amazon Assistant has the power to manage, access, and even uninstall other extensions.
Palant says he found something odd: Amazon Assistant loads processes from at least nine other Amazon websites.
Some of these processes are quite powerful. They can open and close new browser tabs, retrieve cookies for any site, access storage and settings for other extensions, inject code into any website displayed in any open tab, create items in any open tab, open any tabs, modify the presentation of information on any tab, or retrieve data from any open tab.
For example, Amazon Assistant can add Amazon items to a rival retailer's shopping page displayed in the user's browser. There is no evidence that this is actually done, but the capability is there.
Oddly enough, according to Palant, it would have been easy to embed these processes directly into the Amazon Assistant code, because they are static JavaScript files.
However, because these remote processes are not present in the Assistant itself, their code can be modified without updating the Assistant extension and without being noticed by either the end user or the browser developer (Google, Microsoft, Mozilla).
"There is no way to know that the code will always be the same," Palant wrote. He noted that different back-end Assistant code repositories already exist for different languages.
Palant said that since each installation of Amazon Assistant gets a unique ID, Amazon can provide custom JavaScript for a specific user. That user's version of Amazon Assistant can have special capabilities that other Assistant installations do not have. "If Amazon is spying on a subgroup of users (whether it is voluntarily or on behalf of a government agency), it would be almost impossible to detect this attack," Palant wrote.
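The privileges and remote script loading Palant describes are visible in any extension's manifest.json, so they can be checked before installing. The script below is an added example, not code from Palant's post or from Amazon: it audits a constructed sample manifest using standard WebExtension permission names, and the manifest contents, the `auditManifest` function and the `shop.example` host are assumptions for illustration.

```javascript
// Added example: audit a WebExtension manifest for the capabilities the article describes.
// SAMPLE_MANIFEST is constructed for illustration; it is not Amazon Assistant's manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Example Shopping Helper",
  permissions: ["tabs", "cookies", "storage", "management", "<all_urls>"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["content.js"] }],
  content_security_policy:
    "script-src 'self' https://cdn.shop.example; object-src 'self'",
};

// Match patterns that cover every site rather than the vendor's own domains.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(m) {
  const requested = new Set([
    ...(m.permissions || []),
    ...(m.optional_permissions || []),
    ...(m.host_permissions || []), // Manifest V3 lists hosts separately
  ]);
  const allHosts = [...requested].some((p) => BROAD.has(p));
  const findings = [];

  if (requested.has("cookies") && allHosts)
    findings.push("cookies-any-site: can read cookies for every website");
  if (requested.has("management"))
    findings.push("management: can enumerate and manage other installed extensions");
  if (requested.has("tabs"))
    findings.push("tabs: can read the URL and title of every open tab");
  const inject = (m.content_scripts || []).some((cs) =>
    (cs.matches || []).some((p) => BROAD.has(p)));
  if (inject || allHosts)
    findings.push("inject-any-site: can run script in and modify any page");

  // MV2 keeps the CSP as a string; MV3 uses an object with extension_pages.
  const csp = typeof m.content_security_policy === "string"
    ? m.content_security_policy
    : (m.content_security_policy || {}).extension_pages || "";
  const scriptSrc = csp.split(";").map((d) => d.trim())
    .find((d) => d.startsWith("script-src")) || "";
  const remote = scriptSrc.split(/\s+/).filter((s) => /^https?:\/\//.test(s));
  if (remote.length)
    findings.push("remote-code: extension pages may load script from " + remote.join(", "));
  return findings;
}

console.log(auditManifest(SAMPLE_MANIFEST).join("\n"));
```

A manifest that requests only `storage` and a single vendor host produces no findings, which is the baseline a price-comparison tool limited to its own site would show.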
So should we use Amazon Assistant? If you're a frequent Amazon shopper, especially if you get free shipping with Amazon Prime, the convenience would be hard to resist.
However, Google already gives you a variety of prices just by typing in the product name, and CamelCamelCamel tracks Amazon's price fluctuations.
Again, there is no evidence that Amazon Assistant does anything beyond what is stated in its privacy policy. It is just that this extension can do more.
Tom's Guide has reached out to Amazon for comment and will update this article as soon as we hear back.