
Amazon says browser extension Honey is a security risk, now that PayPal owns it - amelius
https://www.theverge.com/2020/1/9/21059083/amazon-honey-browser-extension-security-risk-paypal-acquisition-competition
======
throwGuardian
In other Amazon press releases:

1\. Disabling Amazon's deep integration into Ubuntu's desktop search is a
security risk.

2\. Android tablets that are not Amazon Fire are security risks.

3\. The real MongoDB, if self-hosted or hosted by Mongo/Atlas, is a security
risk, now that AWS provides its own managed version.

4\. Using the "one-click" patented workflow on any other site than Amazon is
a security risk.

------
WorldMaker
As a sometimes paranoid person, the huge list of permissions that Honey asked
for as a browser extension has always smelled to me like a privacy/security
risk, regardless of owner.

 _Maybe_ the timing is suspicious on Amazon's part, but it does seem like a
useful PSA as worded.

~~~
lsiebert
They make their money from commissions, not ads or personal data.

They've been audited by at least one security firm per the article, and their
privacy policy
[https://www.joinhoney.com/privacy](https://www.joinhoney.com/privacy) says
"We do not sell your personal information. Ever."

Anyway they only have one permission on Firefox and the usage for that
permission Mozilla mentions is exactly what they do.
[https://support.mozilla.org/en-US/kb/permission-request-mess...](https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions?as=u&utm_source=inproduct#w_access-your-data-for-all-websites)

~~~
WorldMaker
I only saw the Chrome permissions because Edge shares the same permission
model (even pre-Edgmium Edge / "Edge Classic"). I also may have seen it early
in its history as well, as I recall looking at it on a "Is this spyware?" ask
from a presumably very early adopter.

That said, even if it is the example use case for that lone Firefox
permission, that's a hugely broad permission and I'd be hesitant with any
extension that asked for it.

As for security audits and privacy policies, I'd be concerned if they didn't
do their diligence on that front. It doesn't impact my paranoid skepticism of
a startup one bad/dumb pivot away from changing their minds and injecting ads
or selling personal data because their business model wasn't working. At least
on that side of the equation, PayPal buying them does possibly increase some
trust measures with the company as it should be less likely that PayPal would
allow such a pivot. (Though PayPal themselves don't have a history of being
the best stewards of their ancillary products, and healthy skepticism there
abounds as well.)

