Michael Horowitz
Home => NBC News promotes a web browser extension that can spy on you
[Formatted for Printing] From the personal web site of  Michael Horowitz

Many organizations promote the Honey browser extension that can spy on you

The issue of promoting browser extensions that can read and update every web page, keeps getting worse. When this blog started, it focused solely on NBC news. But, it keeps expanding...

UPDATE: March 16, 2018

This really bad. Malpractice even: The Simple, Serendipitous Joy of Browser Extensions by Justin Bank in The New York Times March 15, 2018.

Quoting from the article: "A few years ago, I installed a web browser extension that swapped out the word "millennial" any time it appeared on a website in my Chrome browser. In its place? The ridiculous phrase, "Snake People." Why? Well, why not."

Why not? How about the fact that the Millennials to Snake People Chrome browser extension can "Read and change all your data on the websites you visit". Browser extensions are not toys. How does no one at the Times not tell the author of his mistake before this gets published?

More articles on this subject:

Chrome Has a Malware Problem, and Google Needs to Fix It by Paul Wagenseil Nov 7, 2017
Quoting "Google's Chrome browser has been praised for continuously upgrading its own security. Chrome OS, which is based on the browser, is one of the safest operating systems in widespread use. So, then, why is Google doing such a poor job of screening Chrome extensions? At least half a dozen malicious Chrome extensions have been discovered in the past few months, most coming from the official Chrome Web Store. Some loaded adware and took users to sleazy websites. Others stole personal data or used victims' computers to "mine" cryptocurrencies ... Google needs to fix this problem now." This is an excellent article that cites many malicious Chrome browser extensions and many other people who have griped about this problem.

PSA: Beware the Image Downloader Chrome Adware Extension by Lawrence Abrams of BleepingComputer.com November 1, 2017
Quoting "This is a public service announcement that everyone should be careful when installing extensions from the Chrome Web Store. While most extensions are perfectly harmless, it is starting to become more and more common for unwanted and malicious extensions to be uploaded to the store and not be removed for quite a while ... only download extensions you really need and always check the extensions permissions before allowing it to install. Malicious extensions will typically try and get full permissions to modify any web traffic, which most extensions do not need."

Look Out: chrome extension malware has evolved by Lily Hay Newman January 30, 2018
Quoting "As with Android apps, though, Chrome extensions can sometimes hide malware or other scourges, even when you install them from the official Chrome Web Store ... a steady stream of recent research findings show that the problem, and risk to users, is far from resolved ... four malicious extensions in the Chrome Web Store that had more than 500,000 downloads combined. The extensions masqueraded as standard utilities ... [but] they were actually part of click-fraud scams to boost revenue for attackers. And the extensions requested enough privileges that they could have snooped even more, accessing things like user data, and tracking their behavior."
Without humans reviewing extensions, Chrome ends up with scam copies of popular extensions such as AdBlock Plus. One malicious extension, discovered by Morphus Labs, is as bad as bad gets. The extension was called 'Catch-All' and it mimicked an Adobe Acrobat installer. Once installed it "captured all the data users entered while browsing in Chrome ... including usernames and passwords."
- - - - - - - - - - - - - - - - - - - - - -

UPDATE: December 12, 2017

Protecting Your Data When Using Browser Extensions a great Tech Tip in the New York Times by J. D. Biersdorfer

- - - - - - - - - - - - - - - - - - -
UPDATE: November 29, 2017.

The Mozilla blog is promoting extensions to make online shopping better with Firefox.
Tackle Black Friday Shopping with the Help of Firefox Add-Ons November 20, 2017
Basically, this blog boils down to: it's all good. Save money. No privacy issues here.
READ AND UPDATE EVERY VISITED WEB PAGE? Nothing to see here, move along.

Here is what is says about Honey: "Coupon cutting never went out of style, it just went online! Honey is a very popular Firefox add-on that scours the internet for coupons relevant to the products you're shopping for. Searches coupons for over 100 stores in the US, UK and Canada"

And here is the "it's all good" intro to the piece: From ad blockers to password managers to smarter shopper applications, Firefox Add-ons really can add a lot of functionality to your web browser. They are very easy to install. And since more shopping happens online every year, it's super handy to have help finding the best deals and making it through Black Friday, Cyber Monday, and the entire rest of year with great gifts and more money in your pocket.

Then, after recommending some extensions, the blog ends with more "it's all good" verbiage promoting extensions: And if you haven't used add-ons much in the past, give them a try. Beyond just shopping, add-ons are one of the great ways to unlock more power in Firefox. And when it comes to getting all that shopping done, more power to you means more time to enjoy and less to stress! Firefox is fast for good, after all.

And, Honey, which is a featured extension, is not the only recommended one with super powers. Amazon Assistant for Firefox not only want to "Access your data for all websites" but all wants to "Read and modify bookmarks" and "Monitor extension usage and manage themes. YIKES! In the past, Firefox was promoted based on privacy. Clearly, those days are over. Now, like routers, it is marketed based on speed.

- - - - - - - - - - - - - - - - - - -
UPDATES: November 27, 2017.

To see the installed extensions in both Chrome and Opera, type the URL below in the address bar
To see the installed extensions in Firefox, type the URL below in the address bar

CNET also promoted the Honey browser extension with no mention of privacy dangers.
Use Honey to save money on Amazon purchases by Rick Broida June 22, 2016
Quoting: Honey is a popular tool that can automatically dig up and apply coupon codes for thousands of online stores ... Honey is available for all major browsers (except Edge and Internet Explorer), and there's no charge to use it. Even if it saves you only a few bucks here and there, it does so quickly and easily. Seems like a no-brainer add-on to me!

How the mighty have fallen. Consumer Reports also endorses the Honey extension without mentioning the potential security issues.
Consumer Reports: Online shopping strategies to save money November 27, 2017
Quoting: Another free browser extension, Honey, sweetens your discount at checkout, automatically. "As long as you're shopping at one of the participating stores, Honey goes out and Honey finds discount codes for you and enters them automatically, when you check out," said Consumer Reports Money Editor Nikhil Hutheesing.

Original Story

NBC News promotes the Honey browser extension that can spy on you

November 26, 2017

Don't take computer advice from a business person, any more that you would take business advice from a computer nerd.

I mention this because of a report on NBC news tonight. The report was a seasonally mandatory one about shopping and retailing. It ended with Jo Ling Kent, an NBC Business correspondent, offering money saving tips from un-named "experts." One of her tips was to install the Honey web browser extension.

What is Honey? According to the people that wrote it, "Honey is a service that makes it ridiculously easy to save money and time. Honey automatically finds coupon codes for the site you're shopping at and applies them to your order when you check out, saving you money and coupon searching time."

This blog exists as a warning that the Honey browser extension can spy on every web page you see. And, secure (HTTPS) websites do not protect you from spying by web browser extensions. I am not claiming that it does spy on you. But it can.

Before installing Honey in Google's Chrome browser, you are warned (below) that it can "Read and change all your data on the websites you visit." By "data", Google means the entire web page.

Before installing Honey in Firefox, you are warned that Honey requires permission to "Access your data for all websites" and "Store unlimited amount of client-side data."

Opera also warns about Honey, saying "This extension can access your data on all websites."

There was no warning from Ms. Kent however. She said: "You might want to install an internet extension, on your internet browser, something like Honey. It can actually scour the internet for you to make sure you've got those coupons [un-intelligible] you might not even know about right now."

Again, don't let the term "data" in the above warnings fool you. If you do on-line banking, the makers of the Honey extension can, in theory, see how much money you have in the bank. No hacking needed, they were given permission when the browser extension was installed.

What are they doing? If you are willing to take total strangers at their word these days, then review their Terms of Use and their Privacy Policy. Think "total strangers" was harsh? Nowhere on the JoinHoney.com site do the developers of the Honey extension say who they are.

And, even if they are not doing any data collection other than what they claim today, their policy may change in the future. Or, the extension might be sold to someone else in the future. It has happened before. Heck, if I ran a spy agency, I would make them an offer they can't refuse. For a spy agency, a browser extension would be a perfect cover. Carte Blanche to spy on folks.

I have written about web browser extensions that can (not saying they are) spy on you before. See President Bannon Chrome Extension is a security problem, not a joke (February 2017) and Spyware on a Chromebook (January 2017).

For whatever reason, business people are more prone to offering computer advice than us nerds are to offering business advice.

- - - - - - - - - - - - - - - - - -
Note: All the browser screen shots were taken on Windows 7. The Firefox screen shot is from the just-released version 57.



 @defensivecomput TOP Home => NBC News promotes a web browser extension that can spy on you   
 michael--at--michaelhorowitz.com   Last Updated: October 1, 2021 3 PM  
  License Plate
Copyright 2001-2024
Copyright 2001-2024  
Printed at:   July 19, 2024 3:18pm   ET
Viewed 88,881 times since November 27, 2017 (37/day over 2,427 days)