Skip to main content

Amazon suspiciously says browser extension Honey is a security risk, now that PayPal owns it

Amazon suspiciously says browser extension Honey is a security risk, now that PayPal owns it


The timing is suspect, and Honey is pushing back

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Just weeks after PayPal acquired popular coupon-finding browser extension Honey in November 2019 for $4 billion, Amazon shoppers were served a notification that the extension was a security risk. The security warning was first spotted by Politico editor Ryan Hutchins, and the timing of the message, as a Wired report points out, is suspect. Honey has been compatible with Amazon for years, so why was the retailer suddenly labeling it as malware at the height of holiday shopping season?

A free extension for browsers like Chrome, Firefox, and Safari, Honey scours the web for coupon codes and automatically applies them to shoppers’ orders. It also tracks prices for individual items which is especially helpful for sites like Amazon, where prices are constantly fluctuating, and multiple listings with different prices exist for the same item. So it seems especially strange that Amazon would suddenly discourage customers from using a tool that incentivizes shoppers to buy from its site.

First spotted on December 20th, the warning read, “Honey’s browser extension is a security risk. Honey tracks your private shopping behavior, collects data like your order history and items saved, and can read or change any of your data on any website you visit. To keep your data private and secure, uninstall this extension immediately.”

While the statement is technically true, it’s also true of many browser extensions. And though Honey does collect data, it’s data used for its own service, like which recent coupon codes worked on what sites. In the company’s Privacy and Security policy (which users consent to before they use the service), it states that Honey doesn’t sell personal information, nor does it track search engine history, emails, or browsing data on any non-retail site.

Amazon declined to comment further on why it deemed Honey a security risk

“Our goal is to warn customers about browser extensions that collect personal shopping data without their knowledge or consent,” an Amazon spokesperson told The Verge, but declined to comment further on why it deemed Honey a security risk and the timing behind its decision to do so.

Honey says it works with security firms to regularly assess the service. A cybersecurity firm did find a vulnerability that exposed user information in the extension last summer, but it was patched quickly. “We only use data in ways that directly benefit Honey members — helping people save money and time — and in ways they would expect,” a Honey spokesperson told Wired. “Our commitment is clearly spelled out in our privacy and security policy.”

With PayPal paying $4 billion in its largest acquisition ever for Honey, it’s possible that Amazon is feeling threatened by the extension being owned by a competitor in the e-commerce space. Both Amazon and PayPal compete as online payment processors, and Honey’s primary business model involves charging retailers, like Amazon, a percentage of sales made with the online coupons it finds and serves automatically to users.