As far as I know they steal cookies but don’t change the URL.
Also, I think the bizarre market practice of “last click takes attribution” seems to be also common in EU.
Unfortunately just because it’s shady doesn’t make it immediately illegal even here in EU.
And the response from PayPal Honey shows they want to fight it in court. Which don’t think they would do if they thought it would have been considered highly illegal.
They found a loophole and abused it to steal creators (and users).
I just checked the original video. It works a little bit differently than plain URL replacement. They open another tab in the background and then send a manipulated URL to get the affiliate cookie set to their own. Guess it’s for the courts to decide if that is a legal practice or not. But to me it seems that the malicious extension sends a manipulated URL to the server pretending to do that on user’s behalf, without his knowledge. That is classic malware behavior.
Realistically most extensions open many links in the background. Even a simple adblocker will “open links” or URLs in the background to perform updates of lists etc.
The difference here is the malware was installed by the user after accepting a user agreement that probably covers network use…
Also they hijack the affiliation when the users interact with the extension and not with the website where the link for the product is.
I doubt honestly this will be a good angle to attack Honey.
IMO the fact that users are told that the best coupon will be used even though it’s demonstrably not true is a much more provable issue.
Especially since the extension opens a tab for an instant makes me think they didn’t really try to be super super sneaky.
Based on the MegaLag video, it looked like they’re opening a new tab with their own affiliate link, preserving cookies to ensure checkout can complete, then closing the original affiliate link tab.
Among other accusations, MegaLag said that if a YouTuber or other creator promotes a product through an affiliate link, if the viewer has installed Honey, the extension will surreptitiously substitute its own link when the viewer makes a purchase — even if Honey didn’t provide any discounts. That means Honey, not the creator, receives the affiliate revenue for the transaction.<<
That’s not what his video showed though. They don’t change the URL, they open another tab, which then overrides the cookie/session variable that is used to determine who the referrer is. It’s still scummy, but it doesn’t seem to be swapping links outright.
Are they modifying URLs?
As far as I know they steal cookies but don’t change the URL.
Also, I think the bizarre market practice of “last click takes attribution” seems to be also common in EU.
Unfortunately just because it’s shady doesn’t make it immediately illegal even here in EU.
And the response from PayPal Honey shows they want to fight it in court. Which don’t think they would do if they thought it would have been considered highly illegal.
They found a loophole and abused it to steal creators (and users).
I just checked the original video. It works a little bit differently than plain URL replacement. They open another tab in the background and then send a manipulated URL to get the affiliate cookie set to their own. Guess it’s for the courts to decide if that is a legal practice or not. But to me it seems that the malicious extension sends a manipulated URL to the server pretending to do that on user’s behalf, without his knowledge. That is classic malware behavior.
https://youtu.be/vc4yL3YTwWk?t=281
Realistically most extensions open many links in the background. Even a simple adblocker will “open links” or URLs in the background to perform updates of lists etc.
The difference here is the malware was installed by the user after accepting a user agreement that probably covers network use…
Also they hijack the affiliation when the users interact with the extension and not with the website where the link for the product is.
I doubt honestly this will be a good angle to attack Honey.
IMO the fact that users are told that the best coupon will be used even though it’s demonstrably not true is a much more provable issue.
Especially since the extension opens a tab for an instant makes me think they didn’t really try to be super super sneaky.
Based on the MegaLag video, it looked like they’re opening a new tab with their own affiliate link, preserving cookies to ensure checkout can complete, then closing the original affiliate link tab.
That’s not what his video showed though. They don’t change the URL, they open another tab, which then overrides the cookie/session variable that is used to determine who the referrer is. It’s still scummy, but it doesn’t seem to be swapping links outright.