Amazon Assistant browser extension is built to spy on you, web expert says


Amazon's Assistant browser extension can be used to track everything you do on the web and can even change the content of non-Amazon web pages displayed in your browser, says a prominent web-browser expert.

Wladimir Palant, a Germany-based coder whose company maintains the Adblock Plus extension, argued in a blog post yesterday (March 8) that Amazon Assistant has so much power that it could be used "to get full information on the user's browsing behavior, extract information about accounts they are logged into and even manipulate websites in an almost arbitrary way." 

Palant made very clear that there's no evidence that Amazon is actually doing any of this. But he said the extension has so many privileges, and is designed so that Amazon could change the extension's abilities at any time without formal updates, that it's something worth worrying about.

"I was astonished to discover that Amazon built the perfect machinery to let them track any Amazon Assistant user or all of them: what they view and for how long, what they search on the web, what accounts they are logged into and more," wrote Palant. 

"Amazon could also mess with the web experience at will and, for example, hijack competitors' web shops."

What Amazon Assistant does

Amazon Assistant is available for Chrome, Edge, Firefox, Opera and browsers compatible with those. It's got more than 7 million installations in Chrome and nearly half a million in Firefox, and there is also an Android app. Palant estimates that the browser extensions may have more than 10 million users overall.

The goal of the Amazon Assistant extension is simple price comparison. When you're shopping online, or at least browsing for items you might buy, Amazon Assistant can tell you how much an item costs on Amazon. 

The extension also lets you see whether an item's price has changed on Amazon, add items to your Amazon wish lists and registries, sign up for Amazon deal alerts and get shipping updates on items you've ordered from Amazon. 

In order to compare prices, however, Amazon Assistant has to "see" what's on other websites' pages. To give you alerts, it needs the ability to put pop-out windows over other sites’ pages.

The Amazon Assistant privacy notice also states that "Amazon Assistant collects and processes browsing information" and that, if you choose to "interact with Amazon Assistant", the extension will "connect browsing information with your Amazon Account."

So far, this is all stuff that Amazon is clear about, although it's enough to have raised some privacy red flags in the past few years. But Palant dug into Amazon Assistant's code and found other things that might be even more alarming. 

What Amazon Assistant could do

Each installation of Amazon Assistant in a web browser is given a unique ID, Palant said. That makes sense as the extension is tied to your Amazon account, but Palant notes that "even if you log out of Amazon and clear your [browser] cookies, this identifier will persist and allow Amazon to connect your activity to your identity."

He also discovered that the extension is allowed to access tracking cookies and other types of cookies on any website, not just Amazon-owned sites. This goes beyond what is necessary to track just Amazon cookies. And in Firefox (but not Chrome), Palant said Amazon Assistant has the power to manage, access and even uninstall other extensions.

Palant says he found something strange: Amazon Assistant loads processes from at least nine other Amazon websites. 

Some of these processes are pretty powerful. They can open and close new browser tabs, get any site's cookies, access other extensions' storage and settings, inject code into any website displayed in any open tab, create items on any open tab, change the presentation of information in any open tab, and get data from any open tab. 

For example, Amazon Assistant could add Amazon items to a rival retailer's shopping page displayed in the user's browser. There's no evidence this is actually being done, but the ability is there.

The odd thing, Palant says, is that it would have been just as easy to embed these processes directly into Amazon Assistant's code. They're just static JavaScript files.

But because these remote processes are not in Assistant itself, their code can be changed without updating the Assistant extension, and without either the end user or the browser developer — Google, Microsoft or Mozilla — noticing. 

"There is no way of knowing that it is always the same code," Palant wrote. He pointed out that there are already different back-end Assistant code repositories for different languages.

Palant said that, given the unique ID each installation of Amazon Assistant gets, Amazon could serve up custom JavaScript for a specific user. That user's version of Amazon Assistant could have special abilities that other installations of Assistant don't have.
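For readers who want to check an installed extension for the kinds of capabilities described above, here is an added example (not code from Palant's post or from Amazon) that audits a WebExtension `manifest.json`. The sample manifest is constructed for illustration, and the Content Security Policy check covers only one way an extension can be allowed to run remotely hosted script; the article does not specify the exact loading mechanism Amazon Assistant uses.

```javascript
// Added example: flag broad capabilities in a WebExtension manifest.
// Permission names are standard WebExtension permissions.
const RISKY_PERMISSIONS = {
  cookies: "read and write cookies on granted hosts",
  management: "list, disable or uninstall other extensions",
  tabs: "open, close and inspect browser tabs",
  scripting: "inject code into pages (Manifest V3)",
};
// Host patterns that match every website.
const ALL_HOSTS = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;

function auditManifest(manifest) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  for (const p of perms) {
    if (ALL_HOSTS.test(p)) findings.push({ kind: "all-sites", detail: p });
    else if (RISKY_PERMISSIONS[p])
      findings.push({ kind: "permission", detail: `${p}: ${RISKY_PERMISSIONS[p]}` });
  }
  // Content scripts matched against every site can read and change any page.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => ALL_HOSTS.test(m)))
      findings.push({ kind: "content-script-all-sites", detail: (cs.js || []).join(",") });
  }
  // Remote script origins allowed by the extension's CSP (string or object form).
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : Object.values(csp || {}).join(";");
  for (const directive of cspText.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name !== "script-src" && name !== "default-src") continue;
    for (const s of sources)
      if (/^(https?:|\*)/.test(s)) findings.push({ kind: "remote-origin", detail: `${name} ${s}` });
  }
  return findings;
}

// Constructed sample manifest; not the manifest of any real extension.
const sampleManifest = {
  manifest_version: 2,
  name: "Example Shopping Helper",
  permissions: ["tabs", "cookies", "management", "storage", "*://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  content_security_policy: "script-src 'self' https://static.example.com; object-src 'self'",
};
console.log(auditManifest(sampleManifest));
```

A `remote-origin` finding means code executed by the extension can change on the server without a new extension version being published, which is the property Palant highlights.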

"If Amazon is spying on a subgroup of their users (be it out of their accord or on behalf of some government agency), this attack would be almost impossible to detect," Palant wrote.

Should you use Amazon Assistant?

So should you use Amazon Assistant? If you're a heavy Amazon shopper, and especially if you get free shipping through Amazon Prime, the convenience is pretty hard to resist. 

But Google already gives you a gamut of prices if you just type in a product name; CamelCamelCamel tracks Amazon price changes; and Amazon itself lets you easily track shipments and add items to a list.

Again, there's no evidence that Amazon Assistant is doing anything beyond what its privacy policy states. It's just that the extension could do so much more.

Tom's Guide has reached out to Amazon for comment, and we will update this story when we receive a reply.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • marathonred
    @snd_wagenseil. Re: Amazon Assistant. So it's been 18 months and Amazon hasn't replied to your question?