from Hacker News

Amazon Assistant lets Amazon track your every move on the web

by staktrace on 3/8/21, 1:06 PM with 63 comments

  • by ctvo on 3/9/21, 12:49 AM

    Excellent article by the author.

    The subtle point of delegating everything to remote services is your user doesn't need to know when you've modify behavior. If Amazon were to bundle the content, you'd need to explicitly update your extension.

    You're delegating to Amazon that they'll continue to respect your privacy (no claims were made they weren't), but also their systems are secure, and will continue to be. This is too much trust to give any entity. No thanks.

    From Amazon's perspective, they probably have more than one team working on the extension. A coordinated deployment process at scale is painful. Allowing each team to deploy to its own endpoint and communicate with other components via message passing (events) is exactly how you'd expect a company that grew up on SOA to design.

  • by TedDoesntTalk on 3/8/21, 10:07 PM

    > Putting these JavaScript files into the extension would have been possible with almost no code changes

    The AMO team at Firefox used to outright ban addons with remote script injection. I guess it matters who you are -- like on the Apple App Store, big names just need to pull the right strings or call the right people for a free pass. Rules are not applied equally. The playing field is NOT level.

  • by pkaye on 3/8/21, 7:14 PM

    The assistant should play the tune of "Every Breath You Take" by The Police when its doing this.

  • by antattack on 3/8/21, 7:29 PM

    Seems to me that browser extensions need better access control. Why isn't it possible to restrict it to just amazon.com itself, for example?

  • by drewda on 3/8/21, 8:32 PM

    Wasn't this the shtick of the "toolbar" plugins offered by AOL, Yahoo, and even Google at one point over the years?

  • by mgdev on 3/9/21, 5:31 AM

    I designed this. I won't speak to any past or current practices, but I will say this: Amazon is obsessive about protecting customer privacy.

  • by tobib on 3/9/21, 5:58 AM

    Oh my. Who in their right mind would install that?!

    I just setup pihole today because it's so difficult to avoid being spied on wherever you go.

  • by unhba on 3/8/21, 11:49 PM

    It will be interesting to see how the developers of this extension respond to Google’s roll out of extensions Manifest V3 - the new specification could almost be directly targeting them: with service worker replacing background script there will no longer be a concealed window to mount those iframes. Thanks to the author for this write-up

  • by propogandist on 3/9/21, 3:39 AM

    here's a campaign [1] where Amazon was paying $5 credit to get this spyware installed on the browser. These campaigns have been going on for years.

    [1] https://slickdeals.net/e/14668013-select-amazon-member-earn-...

  • by EastSmith on 3/9/21, 12:45 AM

    Is there a need for iframes to exists today? Can we somehow block them?

  • by joshgoldman on 3/9/21, 1:05 AM

    This place is becoming like Reddit with the conspiracy theories

  • by kevinsundar on 3/8/21, 8:22 PM

    This is clickbait. The authors argument is that the extension has enough privileges to track you, not that it actually does.

    For example, uBlock Origin has similar privileges but I doubt the author would bat an eye.

    EDIT: I take back my comment :)

  • by KoftaBob on 3/8/21, 6:15 PM

    "Still, I was astonished to discover that Amazon built the perfect machinery to let them track any Amazon Assistant user or all of them: what they view and for how long, what they search on the web, what accounts they are logged into and more.

    Amazon could also mess with the web experience at will and for example hijack competitors’ web shops. Amazon Assistant log with a borg eye Image credits: Amazon, nicubunu, OpenClipart

    Mind you, I’m not saying that Amazon is currently doing any of this."

    This goes for any browser extension you install if you don't limit which websites it's allowed to read data from.

    In both the title and beginning paragraph, the author essentially describes the privacy risks that would apply to any browser extension, but words it in a way that implies Amazon is actively abusing those privacy holes, before finding any evidence for it.

    I really wish people would stop giving views to blatantly manipulative and slimy clickbait like this.