Amazon's official shopping support extension, Amazon Assistant, allows Amazon to track every move a user makes on the web.



Amazon has released 'Amazon Assistant' as an extension to support users' online shopping and is actively promoting the tool. Amazon Assistant is a handy tool that compares prices between Amazon and other shopping sites and notifies you of the arrival date and time of ordered items, but a security researcher points out that 'through Amazon Assistant, Amazon can track every activity of the user on the web.'

How Amazon Assistant lets Amazon track your every move on the web | Almost Secure
https://palant.info/2021/03/08/how-amazon-assistant-lets-amazon-track-your-every-move-on-the-web/

Amazon Assistant is an extension provided for various web browsers such as Firefox, Chrome, Opera and Edge. No detailed numbers have been released, but security researcher Wladimir Palant points out that the combined number of Amazon Assistant users exceeds 10 million across all browsers.



Amazon Assistant is basically an extension that allows you to track your orders on Amazon and manage your wishlist. You can also add items found on non-Amazon websites to your wishlist, and check how much an item would cost if you bought it on Amazon.



When Palant analyzed Amazon Assistant's code, it apparently became clear that the extension can track everything the user does: what the user is viewing, how long the page was displayed, what was searched for on the web, which accounts are logged in, and so on. Also, even if the user logs out of the Amazon account or deletes cookies, once the user has logged in, the user ID and the actions taken by the user on the web can apparently be linked and stored.

Amazon Assistant also has access to the cookies of any website stored by your browser. However, at the time the article was written, Amazon Assistant accessed cookies only 'to recognize that the user has logged in'.

Even stranger, it seems that only the Firefox version of Amazon Assistant is designed to have access to other extensions. In theory, this also allows the Firefox version of Amazon Assistant to uninstall other extensions.

'It's not uncommon for extensions to request wide-ranging privileges. Extensions that request privileges they do not use are not uncommon either, but Google explicitly prohibits requests for unnecessarily wide privileges in its Chrome Web Store policy. Even more unusually, almost all of the privileges requested by Amazon Assistant have been transferred to Amazon Web Services (AWS).'
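A manifest review for the kind of privileges described above (cookies for any website, access to other extensions, every open tab), as an added example that is not taken from Palant's article or from Amazon's code. Both manifests are constructed for illustration; the permission names are the standard WebExtension ones.

```javascript
// Added example: flag the broad privileges the article describes in a
// WebExtension manifest. The manifests are constructed samples, not
// Amazon Assistant's actual manifest.

// Host patterns that match every website.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions and the capability each one unlocks.
const RISKY = new Map([
  ["cookies", "read cookies of any website"],
  ["management", "list, disable or uninstall other extensions"],
  ["tabs", "read the address and title of every open tab"],
  ["webNavigation", "observe every page navigation"],
]);

function auditManifest(manifest) {
  // Manifest V2 lists hosts under "permissions"; V3 uses "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const allSiteAccess = perms.some((p) => ALL_SITES.has(p));
  const allSiteScripts = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((m) => ALL_SITES.has(m)));

  const findings = [];
  for (const p of perms) {
    if (!RISKY.has(p)) continue;
    // Cookie access scoped to named hosts is not the any-website case.
    if (p === "cookies" && !allSiteAccess) continue;
    findings.push({ permission: p, capability: RISKY.get(p) });
  }
  if (allSiteAccess) findings.push({ permission: "<all hosts>", capability: "read and modify content on every website" });
  if (allSiteScripts) findings.push({ permission: "content_scripts", capability: "run script in every page visited" });
  return findings;
}

const sampleBroad = { // constructed: a shopping helper asking for everything
  manifest_version: 2,
  permissions: ["tabs", "cookies", "storage", "notifications", "contextMenus", "management", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const sampleNarrow = { // constructed: the same features limited to one shop
  manifest_version: 3,
  permissions: ["storage", "cookies"],
  host_permissions: ["https://shop.example/*"],
};

for (const f of auditManifest(sampleBroad)) console.log(`${f.permission}: ${f.capability}`);
console.log("narrow manifest findings:", auditManifest(sampleNarrow).length);
```

A manifest review shows only what an extension is allowed to do; what it does with those privileges depends on the code and on any remote content it loads.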



The APIs that Amazon Assistant exposes to AWS are as follows.

・ GetPlatformInfo: Get information about extensions and supported features
・ GetFeatureList: Same as above
・ OpenNewTab: Pops up the page in a new tab without being affected by the pop-up blocker
・ RemoveTab: Closes the specified tab
・ GetCookieInfo: Get cookies for any website
・ BulkGetCookieInfo: Same as above
・ CreateDesktopNotification: Display desktop notification
・ CreateContextMenuItem: Manage extension context menu items
・ DeleteAllContextMenuItems: Same as above
・ DeleteContextMenuItemById: Same as above
・ RenderButtonText: Display 'badge' on extension icon
・ GetStorageValue: Access extension storage / settings
・ PutStorageValue: Same as above
・ DeleteStorageValue: Same as above
・ SetPlatformCoreInfo: Same as above
・ ClearPlatformInfoCache: Same as above
・ UpdatePlatformLocale: Same as above
・ IsTOUAccepted: Same as above
・ AcceptTermsOfUse: Same as above
・ SetSmileMode: Same as above
・ SetLocale: Same as above
・ HandleLegacyExternalMessage: Same as above
・ GetActiveTabInfo: Get information about tabs (tab ID, title, address)
・ CreateSandbox: Insert a frame (arbitrary address) into any tab and communicate
・ CreateLocalSandbox: Same as above
・ CreateSandboxById: Same as above
・ ModifySandbox: Same as above
・ ShowSandbox: Same as above
・ SendMessageToSandbox: Same as above
・ InstrumentSandbox: Same as above
・ GetSandboxAttribute: Same as above
・ DestroySandbox: Same as above
・ Scrape: Extract data from any tab using various methods
・ ListenerSpecificationScrape: Same as above
・ GetPageReferrer: Same as above
・ GetPagePerformanceTimingData: Same as above
・ GetPageLocationData: Same as above
・ GetPageDimensionData: Same as above
・ GetUWLItem: Same as above
・ RegisterAction: Listen for events for specific elements on any tab
・ DeregisterAction: Same as above
・ ApplyStyle: Set CSS style for a specific element of any tab
・ ResetStyle: Same as above
・ InstrumentWebpage: Query information about the page in any tab, click an element, send input, send keydown event
・ CreateElement: Create an element in any tab with the specified ID, class and style
・ ClosePanel: Closes the extension drop-down panel
・ ReloadExtension: Update extensions and install pending updates

Shopping support extensions that work in the same way exist for other shopping sites, and they require extensive permissions just like Amazon Assistant. Installing a shopping support extension therefore generally puts your privacy at risk.

However, Palant points out that this privacy crisis is inevitable, and wrote that it is possible to simplify the code and improve performance by removing some JavaScript files and unnecessary features.

Palant pointed out that shopping support extensions like Amazon Assistant are designed to hold a lot of extra privileges needlessly, on the justification that 'it's needed to make changes faster.' In fact, five of the nine components that make up the extension were last updated 5-6 months ago, and only two have been updated within the last two weeks.

In addition, Mr. Palant wrote that he had not completed the analysis of all of Amazon Assistant's code, and said that, at the time of writing the article, he could confirm that only the domain name of the visited page is transferred, not the address of the website visited by the user.



Amazon Assistant requires various permissions on your web browser. In that respect it is the same as many extensions, but Palant points out that it is unique in giving AWS access to those privileges. In the worst case, the privileges provided to AWS put Amazon users at risk of having all their actions on the web tracked and their account-related information extracted.

At the time of writing the article, it seems that Amazon has not been confirmed to be tracking more than is specified in its privacy policy, but 'there is no way to guarantee that this situation will continue, because web content is dynamic,' says Palant. He also points out that even if Amazon uses Amazon Assistant to spy on users, it is difficult to detect.

Finally, Palant pointed out that extensions that require a wide range of privileges, such as Amazon Assistant, are banned in Firefox and Opera, and can be a policy violation in Chrome and Edge.

in Software, Posted by logu_ii