The Chromium-based, privacy-minded web browser Brave has been accused of deceiving users by autocompleting typed-in URLs for cryptocurrency companies to versions of the URLs from which it gains affiliate revenue.
This is despite the fact that Brave positions itself as a "secure, fast and private web browser" that blocks "data-grabbing ads" and trackers.
According to a report by Decrypt, the browser failed to notify its 15 million users that it may use the browser-based URL-autocomplete function to steer users to affiliate links.
The alleged deception was originally unearthed on Twitter by user Yannick Eckl, who said that he learnt that the URL for cryptocurrency exchange Binance autocompleted to an affiliate link despite his not being made aware of this practice.
He tweeted: “So when you are using the @brave browser and type in "binance[.]us" you end up getting redirected to "binance[.]us/en?ref=35089877" - I see what you did there mates”.
But the redirect links didn’t stop there. Dimitar Dinev, managing director of JRR crypto, and cryptocurrency reporter Larry Cermak found similar autocomplete functions leading to affiliate links on websites such as Coinbase, Trezor and Ledger.
Looks like it’s not a very isolated mistake. Brave also does this for Ledger, Trezor and Coinbase if you look in their Github https://t.co/8PpnlS5jAu https://t.co/JGQ7d23fer pic.twitter.com/keorBZiDJL (June 6, 2020)
In a series of tweets, Brave Software CEO Brendan Eich apologised for the issue.
According to one of the tweets: “The autocomplete default was inspired by search query clientid attribution that all browsers do, but unlike keyword queries, a typed-in URL should go to the domain named, without any additions. Sorry for this mistake — we are clearly not perfect, but we correct course quickly.”
However, Eich explained the reasoning behind the links: “With Brave, we're trying to build a viable business that puts users first by aligning interests via private ads that pay user >= what we make on fixed fee schedule, no browser data in the clear on any of our servers, and so on. But we seek skin-in-game affiliate revenue too.
“This includes bringing new users to Binance & other exchanges via opt-in trading widgets/other UX that preserves privacy prior to opt-in. It includes search revenue deals, as all major browsers do. When we do this well, it's a win for all parties. Our users want Brave to live.”
1/ We made a mistake, we're correcting: Brave default autocompletes verbatim "https://t.co/hJd0ePInEw" in address bar to add an affiliate code. We are a Binance affiliate, we refer users via the opt-in trading widget on the new tab page, but autocomplete should not add any code. (June 6, 2020)
Eich left Mozilla in 2014 after his past donations to political campaigns opposing the legalization of same-sex marriage became publicized, and founded Brave Software.