Amazon's Assistant browser extension can be used to track everything you do on the web and can even change the content of non-Amazon web pages displayed in your browser, says a prominent web-browser expert.
Wladimir Palant, a Germany-based coder whose company maintains the Adblock Plus extension, argued in a blog post yesterday (March 8) that Amazon Assistant has so much power that it could be used "to get full information on the user's browsing behavior, extract information about accounts they are logged into and even manipulate websites in an almost arbitrary way."
Palant made very clear that there's no evidence that Amazon is actually doing any of this. But he said the extension has so many privileges, and is designed so that Amazon could change the extension's abilities at any time without formal updates, that it's something worth worrying about.
"I was astonished to discover that Amazon built the perfect machinery to let them track any Amazon Assistant user or all of them: what they view and for how long, what they search on the web, what accounts they are logged into and more," wrote Palant.
"Amazon could also mess with the web experience at will and, for example, hijack competitors' web shops."
What Amazon Assistant does
Amazon Assistant is available for Chrome, Edge, Firefox, Opera and browsers compatible with those. It's got more than 7 million installations in Chrome and nearly half a million in Firefox, and there is also an Android app. Palant estimates that the browser extensions may have more than 10 million users overall.
The goal of the Amazon Assistant extension is simple price comparison. When you're shopping online, or at least browsing for items you might buy, Amazon Assistant can tell you how much an item costs on Amazon.
The extension also lets you see whether an item's price has changed on Amazon, add items to your Amazon wish lists and registries, sign up for Amazon deal alerts and get shipping updates on items you've ordered from Amazon.
"Even if you log out of Amazon and clear your [browser] cookies, this identifier will persist and allow Amazon to connect your activity to your identity." - Wladimir Palant
In order to compare prices, however, Amazon Assistant has to "see" what's on other websites' pages. To give you alerts, it needs the ability to put pop-out windows over other sites’ pages.
The Amazon Assistant privacy notice also states that "Amazon Assistant collects and processes browsing information" and, if you choose to "interact with Amazon Assistant", then the extension "connect browsing information with your Amazon Account."
So far, this is all stuff that Amazon is clear about, although it's enough to have raised some privacy red flags in the past few years. But Palant dug into Amazon Assistant's code and found other things that might be even more alarming.
What Amazon Assistant could do
Each installation of Amazon Assistant in a web browser is given a unique ID, Palant said. That makes sense as the extension is tied to your Amazon account, but Palant notes that "even if you log out of Amazon and clear your [browser] cookies, this identifier will persist and allow Amazon to connect your activity to your identity."
He also discovered that the extension is allowed to access tracking cookies and other types cookies on any website, not just Amazon-owned sites. This goes beyond what is necessary to track just Amazon cookies. And in Firefox (but not Chrome), Palant said Amazon Assistant has the power to manage, access and even uninstall other extensions.
Palant says he found something strange: Amazon Assistant loads processes from at least nine other Amazon websites.
Some of these processes are pretty powerful. They can open and close new browser tabs, get any site's cookies, access other extensions' storage and settings, inject code into any website displayed in any open tab, create items on any open tab, change the presentation of information in any open tab, and get data from any open tab.
For example, Amazon Assistant could add Amazon items to a rival retailer's shopping page displayed in the user's browser. There's no evidence this is actually being done, but the ability is there.
The odd thing, Palant says, is that it would have been just as easy to embed these processes directly into Amazon Assistant's code. They're just static JavaScript files.
But because these remote processes are not in Assistant itself, their code can be changed without updating the Assistant extension, and without either the end user or the browser developer — Google, Microsoft or Mozilla — noticing.
"There is no way of knowing that it is always the same code," Palant wrote. He pointed out that there are already different back-end Assistant code repositories for different languages.
Palant said that, given the unique ID each installation of Amazon Assistant gets, that Amazon could serve up custom JavaScript for a specific user. That user's version of Amazon Assistant could have special abilities that other installations of Assistant don't have.
"If Amazon is spying on a subgroup of their users (be it out of their accord or on behalf of some government agency), this attack would be almost impossible to detect," Palant wrote.
Should you use Amazon Assistant?
So should you use Amazon Assistant? If you're a heavy Amazon shopper, and especially if you get free shipping through Amazon Prime, the convenience is pretty hard to resist.
But Google already gives you a gamut of prices if you just type in a product name; CamelCamelCamel tracks Amazon prices changes; and Amazon itself lets you easily track shipments and add items to a list.
Again, there's no evidence that Amazon Assistant is doing anything beyond what its privacy policy states. It's just that the extension could do so much more.
Tom's Guide has reached out to Amazon for comment, and we will update this story when we receive a reply.
