Keepa extension is deceptively scraping Amazon in the background


avm99963

Aug 22, 2025, 6:27:34 PM
to Chromium Extensions
Hi all,

While debugging some network requests on my PC with Mitmproxy, I saw that some software on my PC was making random requests to Amazon that were not related to any Amazon product I had visited or am interested in. It was also impersonating an Android device in the user agent.

2025-08-22_23-51.png

After exporting a netlog with Chrome, I found that these requests are actually made by the Keepa extension:

2025-08-22_23-53.png

Nowhere in their privacy policy did I find any mention of this behavior, and it isn't explicit either in the privacy practices section of the CWS listing.

According to the CWS Program Policies, one of the principles is "Be Honest", something that this extension is clearly violating.

Specifically, the extension is violating the following policy sections (without being exhaustive):
  • "Protecting User Privacy": the privacy policy is not accurate.
  • "Misleading or Unexpected Behavior": nowhere is it mentioned that the extension will collect random information from Amazon using my browser, and send it back to Keepa. I did not consent to be part of a botnet, since the single purpose of the extension is not this one, and this comes as unexpected. Being part of a botnet should at least be opt-in, not forced on extension users.

For more information on these bad practices of the Keepa extension, I found an excellent 4-year-old write-up: https://palant.info/2021/08/02/data-exfiltration-in-keepa-price-tracker/

What do you think is the most effective way to report this extension? The "report" feature in the CWS listing page doesn't have an appropriate reason for reporting this, and I don't think I should be reporting this as illegal content. I think for now I'll report it with the One Stop Support form.

Anyways, I wanted to publish this thread to shed some light on these bad practices. As an extension developer who advocates for user privacy, it's sad to see this, and I'd love for Keepa to remediate this issue. I feel so deceived!

Thanks in advance, and have a wonderful weekend!

PS: This is one of the few messages I've posted to the group, but I'm reading you regularly. Thanks for the insightful conversations and the participation of Googlers and other very knowledgeable external contributors! It's always a pleasure to read you :)

---
Adrià Vilanova Martínez (@avm99963)
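
The attribution step described in the post above (finding which requests in a Chrome netlog export were initiated by an extension), as an added example that is not the poster's code or tooling. It assumes the export's JSON layout (`constants.logEventTypes`, `URL_REQUEST_START_JOB` events carrying `url` and `initiator`, `HTTP_TRANSACTION_SEND_REQUEST_HEADERS` events carrying `headers`); the sample log and the extension ID in it are constructed placeholders.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of a Chrome netlog export (not capture data).
# The extension ID is a placeholder; event type numbers are arbitrary.
SAMPLE_NETLOG = json.dumps({
    "constants": {"logEventTypes": {"URL_REQUEST_START_JOB": 2,
                                    "HTTP_TRANSACTION_SEND_REQUEST_HEADERS": 7}},
    "events": [
        {"type": 2, "source": {"id": 10}, "params": {
            "url": "https://www.amazon.com/dp/EXAMPLE0001",
            "initiator": "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}},
        {"type": 7, "source": {"id": 10}, "params": {"headers": [
            "Host: www.amazon.com",
            "User-Agent: Mozilla/5.0 (Linux; Android 13) Mobile"]}},
        {"type": 2, "source": {"id": 11}, "params": {
            "url": "https://www.amazon.com/",
            "initiator": "https://www.amazon.com"}},
    ],
})

def extension_requests(netlog_text, host_suffix):
    """Return requests to host_suffix whose initiator is an extension origin."""
    log = json.loads(netlog_text)
    types = log["constants"]["logEventTypes"]  # event name -> numeric id
    start = types["URL_REQUEST_START_JOB"]
    hdrs = types["HTTP_TRANSACTION_SEND_REQUEST_HEADERS"]
    by_source = defaultdict(dict)  # events of one request share a source id
    for ev in log["events"]:
        params, rec = ev.get("params", {}), by_source[ev["source"]["id"]]
        if ev["type"] == start and "url" in params:
            rec["url"] = params["url"]
            rec["initiator"] = params.get("initiator", "")
        elif ev["type"] == hdrs:
            for line in params.get("headers", []):
                name, _, value = line.partition(":")
                if name.strip().lower() == "user-agent":
                    rec["user_agent"] = value.strip()
    hits = []
    for rec in by_source.values():
        host = urlsplit(rec.get("url", "")).hostname or ""
        on_target = host == host_suffix or host.endswith("." + host_suffix)
        if on_target and rec.get("initiator", "").startswith("chrome-extension://"):
            # Flag a User-Agent that claims Android, as observed in the post.
            rec["claims_android"] = "Android" in rec.get("user_agent", "")
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in extension_requests(SAMPLE_NETLOG, "amazon.com"):
        print(hit)
```

Requests sent over HTTP/2 or HTTP/3 log their headers under other event types, which this sketch does not read, so `claims_android` stays false for them.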

Oliver Dunk

Aug 23, 2025, 1:14:03 AM
to avm99963, Chromium Extensions
Hi,

Thanks for the kind words about the mailing list!

For situations like this, opening a case with One Stop Support is a good option. That will be routed to the right team and they can take a look.

For this specific item, I also read the palant.info blog and so generally we have seen any reports there. I can't really comment beyond that but I will make sure the team sees your post here.

Thanks again for the report, and have a great weekend.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

