![](\"https:\/\/media.wired.com\/photos\/5e152e487ecdd100083410fe\/master\/pass\/business%20-%20feature%20art%20-%20paypal%20amazon%20honey%20-%20532785401%20-%20172798925.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Louise Matsakis| Date: Thu, 09 Jan 2020 20:01:44 +0000<\/strong><\/p>\n Louise Matsakis<\/span><\/a><\/span> <\/span><\/p>\n The retail giant warned holiday shoppers that Honey, a popular browser extension, was a \u201csecurity risk.\u201d Honey denies the claim.<\/p>\n Days before Christmas, at the height of the last-minute holiday shopping rush, an ominous message appeared on Amazon.com<\/a>. It warned shoppers who used a popular browser extension called Honey<\/a> that the service, which promises to track prices and discount codes, was \u201ca security risk.\u201d<\/p>\n \u201cHoney tracks your private shopping behavior, collects data like your order history and items saved, and can read or change any of your data on any website you visit,\u201d the message read. \u201cTo keep your data private and secure, uninstall this extension immediately.\u201d It was followed by a hyperlink where users could learn how to do so. Screenshots of the warning were posted to forums and social media by Honey users, like Ryan Hutchins, an editor at Politico<\/em>.<\/p>\n https:\/\/twitter.com\/ryanhutchins\/status\/1208134077917913088<\/a><\/p>\n Honey isn\u2019t some obscure browser extension from an unknown developer. Founded in 2012, the Los Angeles-based startup now boasts over 17 million users. It finds discount codes to save shoppers money at tens of thousands of online retailers, including Amazon. In November, PayPal agreed to purchase<\/a> Honey for an eye-popping $4 billion, its largest deal ever. The acquisition was completed this week.<\/p>\n Amazon\u2019s warning, which began appearing on December 20, confused and angered many of Honey\u2019s users, some of whom complained on its official social media channels. The browser extension has been compatible with Amazon since it was founded, and it is a significant part of Honey\u2019s appeal. Amazon is one of the most popular retailers<\/a> in the world and the place where most Americans<\/a> begin when looking for a product online.<\/p>\n Amazon declined to explain why it decided to label Honey a security risk so suddenly last month. \u201cOur goal is to warn customers about browser extensions that collect personal shopping data without their knowledge or consent,\u201d a spokesperson for the company said in a statement. They declined to answer follow-up questions about the basis for that claim.<\/p>\n When people install the Honey extension in their browser, they consent to the company\u2019s terms of use<\/a> and privacy and security policy<\/a>. While these kinds of agreements<\/a> can be dense and difficult for the average person to interpret, Honey doesn\u2019t appear to be collecting consumer information without asking, as Amazon implied to WIRED. Its privacy policy states that it doesn\u2019t \u201ctrack your search engine history, emails, or your browsing on any site that is not a retail website.\u201d<\/p>\n \u201cWe only use data in ways that directly benefit Honey members\u2014helping people save money and time\u2014and in ways they would expect. Our commitment is clearly spelled out in our privacy and security policy,\u201d a spokesperson for Honey told WIRED.<\/p>\n Honey also says that it doesn\u2019t sell the shopping data<\/a> it gleans from customers. The company makes money by charging some retailers a small percentage of sales made with the coupons it finds\u2014but Amazon has never been one of them.<\/p>\n Is there something you think we should know about these companies? Email the writer at louise_matsakis@wired.com<\/a>. Signal: 347-966-3806. WIRED protects the confidentiality of its sources, but if you wish to conceal your identity, here are the instructions for using SecureDrop<\/a>. You can also mail us materials at 520 Third Street, Suite 350, San Francisco, CA 94107.<\/p>\n Amazon\u2019s security warning last month caught Honey by surprise, and the company scrambled to respond. It was forced to temporarily disable several of Honey\u2019s features\u2014like Droplist, which tracks the price of specific items\u2014to prevent the message from appearing to more people. The changes weren\u2019t announced in an official blog post or message to users.<\/p>\n \u201cWe\u2019re aware that Droplist and other Honey features were not available on Amazon for a period of time. We know these are tools that people love and worked quickly to restore the functionality. Our extension is not\u2014and has never been\u2014a security risk and is safe to use,\u201d a Honey spokesperson said.<\/p>\n Browser extensions can be incredibly invasive, and it\u2019s still a good practice<\/a> to be wary of any that you install in your browser. Amazon warned Honey users that the extension can \u201cread or change any of your data on any website you visit,\u201d but this is a basic functionality of many extensions\u2014which is why installing only ones you can trust is important. In fact, Amazon has a browser extension of its own called Amazon Assistant<\/a>. It also tracks prices, just like Honey, and allows you to compare items on other retailers to those on Amazon. When users install Amazon Assistant from the Chrome Store, Google also notifies them it can \u201cread and change all your data on the websites you visit.\u201d<\/p>\n Honey says it regularly engages with security firms to assess its protections. Last summer, researchers from the cybersecurity firm Risk Based Security documented<\/a> a vulnerability in Honey\u2019s extension that malicious websites could exploit to steal user information. But the bug didn\u2019t concern Honey\u2019s own data-collection practices, and it was patched on Firefox and Google Chrome in early 2019, according to Risk Based Security. \u201cIf ever an individual or independent researcher contacts us about a potential vulnerability, we engage with that person to understand and remedy the issue (if there is one),\u201d the Honey spokesperson said.<\/p>\n There\u2019s still the possibility that Amazon found a legitimate security problem with Honey, but it won\u2019t say what. WIRED also reached out to Google and Firefox, which each host extension stores for their popular web browsers, but neither company could immediately comment.<\/p>\n Amazon is extremely protective of its shopping and customer data<\/a>. While Honey may not have been a concern when it was only a small startup, it\u2019s now owned by the financial behemoth PayPal, which used to be part of eBay, an Amazon competitor. Amazon still doesn\u2019t accept<\/a> PayPal as a direct payment option. In the ecommerce world, there\u2019s no incentive to play nice.<\/p>\n