I am one of the developers of Honey, a popular Chrome extension with 700K+ users. Over the past year we've been approached by malware companies that have tried to buy the extension, data collection companies that have tried to buy user data, and adware companies that have tried to partner with us. We turned them all down.

It looks like there's a lot of concern about browser extension privacy and security today so we're here to answer your questions.


Comments: 2155 • Responses: 49  • Date: 

Mr_Anderssen1366 karma

Name and shame em!

gemusan1793 karma

These are shadowy companies that use aliases and shell companies to contact us. Naming them will have no effect. This is what keeps them safe.

mynewaccount51424 karma

Malware inc

gemusan869 karma

In a world where companies give themselves honest names~

ovoKOS7781 karma

Yeah, we all know you guys aren't actually selling honey

Aren't you

gemusan1026 karma

Of course we sell Honey. Why else would we call ourselves Honey?

PM me your address and we'll send you a sampler kit!

Edit: This was a joke but I got a bunch of addresses. We're going to follow through and put some honey packages together. Sorry we can't afford to send them overseas because the shipping will kill us!

freckledbeast70 karma

OP you better deliver

gemusan81 karma

We will! Brb, going to go buy some Honey.

pie_now-7 karma

What do you have to show us that you received all these approaches by malware companies or data collection companies? How do you know they were malware companies? Did they say, "Hi, we're a malware company. Can we buy your shit?"

What were the data collection companys' names?

There's got to be some kind of paper trial trail.

Because all I'm seeing is a lot of BS and someone doing a marketing ploy right now.

Over on the right side, it says proof is required. In this case, in addition to proof of you being you, we need proof that this actually happened.

If you don't give that, then you or the mods need to remove this AMA.

Let's see those emails with the shadowy aliases. Naming them WILL have an effect. For US.

If you don't, again, I'll just chalk you up to another marketing ploy.

gemusan16 karma

I posted this lower down the thread but I'll post it here again:

If I point the finger at a specific company, we could get hit with a defamation lawsuit. Please understand that we're not an anonymous person on the internet and we can't get away with something like that.

The point of this AMA is to bring some transparency to the mechanics of how the whole "malware in extension" system works. It's far more useful than posting the names of a few non-public facing companies.

If the mods want to verify, I am happy to forward a few of the emails to them.

Viviparous-7 karma

These are shadowy companies that use aliases and shell companies to contact us. Naming them will have no effect. This is what keeps them safe.

Ugh. This AMA already reeks of fedoras

pie_now-6 karma

Ah, good. I am so glad I'm not going it alone, which often happens in thest type of situations. :)

"They are so shadowy, that's how they contact us. We look up at the ceiling and there are shadows there. The shadows move around into letters, and that way, we can understand these shadowy companies' communications."

Fucking douchebags.

Viviparous-2 karma

This AMA is not an AMA at all... it's blatantly exploiting the anti-malware sentiment to endorse the Honey app, all while posting circlejerk comments about shady corporations, Gandalf's beard, "not being shady" and "refusing to sell out."

I haven't seen a single insightful comment on the actual app or the business model for monetizing a "cracked" extension. This is a "Rampart" tier AMA and I can't believe people are lapping this up...

gemusan2 karma

How did you miss this?


Why don't you try to ask an insightful question? I promise I'll do my best to answer it.

GuruMeditationError-29 karma

So in other words you're just taking advantage of the situation to push your extension.

gemusan27 karma

This morning's post about malware companies buying extensions raised a lot of awareness and concern. However, the thread was filled with conjecture and misinformation. As a developer who has poured thousands of hours into building a legitimate extension, I don't want to see a few bad apples ruin it for the rest of us.

tdaun1063 karma

How do I know you are not actually a malware company that bought honey, and is using this AMA to trick people into downloading your extension and then infecting them with malware?

edit: fixed grammer

gemusan914 karma

That's pretty meta.

Well the team here at Honey isn't hard to find. You can find out who we are and where we live pretty easily. People running malware companies are not going to use their real identity.

LakersLady734 karma

We turned them all down.


I'm going to try it out just because you guys rock.

gemusan1425 karma

Haha I'm actually a little sad. We shouldn't be awesome because we refuse to be shady. That should be expected.

Gandalfs_Beard708 karma

Keep talking, the more you say, the more i like you.

gemusan807 karma

If you are as magnificent as Gandalf's beard, we should be BFFs.

AshKatchumawl655 karma

What are malware companies' motivations? As in, why install malware? What are they getting from buying an extension, and what will the malware do? In general terms, I mean.

gemusan951 karma

I'll give you more specific. Most are generating $ from advertising or data. Approaches I've seen include:

  • replace you default new tab contents their search
  • replace existing links with affiliate links
  • add new affiliate text links all over the place that look similar to the double underline ones used by some publishers
  • replace ads across the internet
  • generate phantom traffic to websites a user never sees (similar to botnet)
  • capture ALL browsing data including post data (many uses I could speculate on but wont get into here)

What do they offer an extension developer? Depends on the mix of where the users are but it easily adds up to a few cents per active user per day. Or they just buy the whole thing. Which makes you wonder how much more they are really making....


Favorite piece of malware?

gemusan1191 karma

Favorite piece of malware?

We were approached by a company that wanted us to replace all Google ads you see with their ads that look just like Google ads. You wouldn't be able to tell the difference. That one's pretty clever.


Something weird about me is that I have never clicked an ad on a website. Back when I first used the internet there was real danger that those ads were viruses and I was told by my dad not to even think if clicking them. I'm sure ad companies hate people like me.

gemusan405 karma

Bro, adblock.

AntipersonnelMime487 karma

What were these Malware Companies' method of contact? Email? Cold Calls?

If you actually spoke with one, did they sound 'Obviously Evil', or just 'Business Evil'?

gemusan812 karma

Usually start with an email and progress to a call. I've spoken to a few on the phone and they sound just like normal people proposing a business deal. I'm sure they've justified what they do in their own mind so they don't sound shifty or unsure at all. Mental gymnastics is an amazing thing.

this_sucks1121479 karma

What was the biggest offer you have had to try to buy you out?

gemusan856 karma

We didn't even entertain the concept of it so we never went far enough to get a price.

But the data collection company did throw a dollar figure our way. It's over 6 figures a month.

imscared6374 karma

And you said no? Why?

gemusan1514 karma

We believe Honey can become the de facto software that every online shopper use when they buy things online. That's a much larger opportunity and doing anything shady will kill that potential.

Also because we're not shady people. :)

iamredsmurf500 karma

I have a lot of respect for you guys turning down big bucks like that. Not everyone else does apparently. I get it. You see the bigger picture and dont want to make money off of people like that. Wish more people were like that. I never heard of your extension but it sounds great. Will download. How many people are on your team and was it a unanimous decision to turn it down?

gemusan501 karma

There are 6 of us right now. 2 full time and 4 part time. I guess like minds are attracted to each other because the decision was unanimous.

pasaroanth263 karma

I'm not shady either, but I'm also not gonna turn down 6 figures a month. Have them write a shitty contract, then use your coding skills to write a new extension that blocks that.

gemusan566 karma

LOL this is probably how antivirus companies got started.

vaskemaskine189 karma

I'm not gonna lie, if I made a free extension and got a 6-figure monthly offer to sell out, I'm taking it.

gemusan451 karma

It was tempting for sure because the data they wanted isn't personally identifiable and it's mainly for research purposes. But then again we all have skills that will make us a decent living if we wanted so our primary motivation for building Honey isn't money. It was an easy call to make.

Pro-Ambater216 karma

this is surprising.

If you have 700,000 users and the company offered $100,000 they would need to make 15c per user per month on average just to break even, Probably a whole lot more to make a profit.

1.2 million (could be a lot more depending on what the offer actually was) a year just to see what 700,000 people do online just sounds crazy to me.

gemusan464 karma

The detailed behavior of 700K people is worth a lot more than $1.2M a year. Think about Nielsen and how many people they collect data from. The data they own makes them a $17B company.

This is the type of data I'm talking about: http://en.wikipedia.org/wiki/Clickstream

From the wikipedia page: "Use of clickstream data can raise privacy concerns, especially since some Internet service providers have resorted to selling users' clickstream data as a way to enhance revenue. There are 10-12 companies that purchase this data, typically for about $0.40/month per user."

foodandart166 karma

Oh, don't you know it.

I've been in the Nielsen's now for 15 years - in their 'Homescan' survey which is now called the National Consumer Panel..these people know exactly what America buys, thinks and eats for breakfast.

Being in the survey for as long as I have, I've become REAL adept at avoiding a lot of the fads that are marketed to the public, though that's only as I see the questions related to the marketing of goods beforehand.

Omega-3's? Saw that 6 months before everyone started using it to pitch products. Gluten? Yup, knew that one was coming as well. Same for 'pro-biotics'.

It's all in the pipeline, all waiting to be launched by marketers.

One thing to note, that as we have, in the last 5 years really made an effort to move away from industrially produced food products and shift to second-hand goods, the survey questions have dropped off noticeably. What that tells me, is that NCP, which does aggregate and sell consumer data to the manufacturers, doesn't have any producers that are marketing towards the local, small markets or the downwardly-mobile.

I wonder how long before some concern tries to work out how to go after this segment of the population. Given the absolute shit state the economy is for the 90 million that have dropped out of the workforce, it's no small target for any business that can sell to this demographic.

The one thing I've learned in the 15 years in this survey is businesses are whores who'll do anything for customers, it won't be long before they start to show up and NCP starts sniffing around asking questions on their behalf.

gemusan104 karma

Damn this sounds fascinating as hell. You should do an AMA!

TheBeardedGM312 karma

How do you tell a malware company from a legitimate one?

gemusan474 karma

It's pretty easy to find the legitimate companies w/ a little Google-fu. We can also tell by looking at what they want us to do. Malware companies usually want to include their code in our extension and it's impossible to see what their code will do. Legitimate companies are ok with leaving us with the control.

Sometimes it's immediately obvious. Sometimes it takes a few exchanges to figure out what they are proposing. They also don't want to waste their time so they usually get to the point pretty quickly.

KommandantVideo193 karma

Has any company been so to the point as to just straight up say "Hey, can we put some of our malware code into your extension?" or are they usually not so blunt?

gemusan466 karma

haha obviously none of them will refer to themselves as malware. Here's a snippet from an actual email I got:

"Hello, we're interested in potentially buying data from your browser extension userbase. We buy anonymous clickstream and browsing behavior data from browser extensions which we use for market research."

So I emailed back and asked what kind of data they want to buy. The answer was that they need us to install a small snippet of code in our extension that will do all the data collection automatically.

guitarcmc258 karma

Just want to say you guys are the only extension I run.

gemusan822 karma

Try out RES. You'll never get off Reddit.

jordongrangruth228 karma

Do you accept donations or anything like that? After reading this I would definitely donate towards you guys.

gemusan861 karma

Thanks for the offer! We do a pretty good job conserving cash so we're doing ok financially. If you are feeling generous, give some money to this awesome charity that is out feeding the homeless: Sean's Outpost

cpuoflove156 karma

What do you think of the extension HoverZoom and the whole situation with it's developer including code that collected user data in the extension?

gemusan244 karma

This is incredibly dangerous for the extension ecosystem in general. This kind of activity will force the platforms (Chrome store and Mozilla store) to be more and more restrictive, in turn taking away browser extension's ability to do anything meaningful. Everybody loses at the end.

DoctorWaluigiTime256 karma

It's kind of a microcosm of the Internet and its evolution: It went from people having a good time, to people trying to monetize it, to people having to wear hazmat suits to get through it safely.

gemusan151 karma

Dammit that's depressing.

cakedestroyer141 karma

How many extra downloads have you seen since you've done this AMA?

gemusan88 karma

~10K downloads today.

redcoatwright138 karma

You guys are awesome and honey is awesome.

Thanks for not being dickbags!

+/u/dogetipbot 200 doge verify

gemusan508 karma

Such kindness

Much generosity


EDIT: One day I'm going to look back at this comment the same way I look at my baggie jeans from the '90s.

dgcaste12 karma

Ever thought about doing the same with dogecoin in addition to bitcoin for amazon purchases?

gemusan18 karma

The altcoins are a little tricky because there's no payment processors that handle them. It'll be interesting to automate some type of exchange between the altcoin to btc in real-time and then push the btc through the payment processor. We'll definitely explore that.

TheBawb116 karma

Have any online retailers tried to get you to remove coupons? For example: If they only wanted to offer the coupon to certain customers, or delivered it through a mailing list.

gemusan206 karma

Nope. Online retailers understand that it's much better to keep you on the site instead of having you go off searching for a coupon. Our extension answers the "is there a coupon for my order" question for you so the chance you'll go through with the purchase is higher.

Coupons used to be a way for retailers to attract people to their site. But these days it's also a way for them to close the deal. Sites like Gap will often plaster coupon code all over their site to motivate you to buy something.

bigboss201439 karma

Oh my god I've been searching for website for that for months, do you have a Firefox plug in?

gemusan65 karma

Yup, go to joinhoney.com w/ FF and you'll see the install button.

Lmu113 karma

How tempting was it to take big offers from malware companies and have you ever thought about doing it in the future

gemusan195 karma

Not tempting at all. 1) we hate that as users, 2) we have far bigger plans for things we can build with Honey to make shopping better. So no chance it ever happens in the future.

Legendary_Fart75 karma

Is the extension useless for those outside of US borders?

gemusan110 karma

Yes for now. :(

Supporting stores internationally is a top priority and we want to get it done in 2014.

angrypotato175 karma

What's the chances of an opera or firefox extension?

gemusan144 karma

We have a firefox version at our website. Opera will still be a while unfortunately - working on other things like this

revmuun74 karma

From your FAQ:

In the future we may make money through affiliate programs similar to coupon and rebate sites or through other innovative programs that help you save even more time and money.

On some sites there is a limit to the amount of promo codes that can be used at any given time. If Honey got into the rebate affiliate business, would you have the extension use your own rebate codes instead of others even if yours is not the best?

Also, what are you doing with the cookies you collect? And what are you doing to safeguard all the information you're gathering? I'm very tempted to give this extension a try, and I know there's only so much you can do with what I assume to be a limited budget, but I'm kind of wary of willingly or unknowingly giving you the keys to my kingdom (so to speak).

gemusan80 karma

We will always prioritize the deal that saves people the most money even if we don't get paid on it. It might cost us in the short term but it will pay off in the long term.

We don't collect or drop any cookies. We don't require any registration info to start using the extension either.

revmuun57 karma

We don't collect or drop any cookies.

But from your FAQ...

We collect automatically generated information such as log data, cookies, device information, data about the success or failure of codes applied to your cart, and some other information collected by Google Analytics.

gemusan70 karma

When we wrote the FAQ we were told to be as broad as possible with what we declare. This is supposed to cover all the basis so that we don't get in trouble if we try something new and it's not covered in the privacy policy. We don't collect or drop any cookies as of today.

Kijafa63 karma

What do you think Google should do to combat the practice of allowing malware companies to infiltrate extensions how they have?

gemusan106 karma

This is a very hard problem even for someone with the resources of Google to solve. A starting point could be an improved feedback system upon extension removal like they just announced for ads.

lorywindrunner60 karma

Does it drive you crazy the amount of computer illiterate people rating you 1 star because they just don't understand?

Tons of people complaing it didn't find them a coupon because more than likely the coupon just flat out doesn't exist at the time.

There's a lady saying your chrome app crashed her computer instantly and she cannot reboot.

Just reading these drives me insane and it's not even my app!

gemusan67 karma

Yea it hurts each time we get one of those. We're fighting an uphill battle because we're looking for coupons on something you are already going to buy instead of trying to get you to buy something you weren't planning on buying. By design it's not going to be 100%.

The auto coupon feature finds people savings ~23% of the time. We want that # to be as close to 100% as possible. But to do so, we have to figure out new and innovative ways to find people savings.

AKAWhiteJesus51 karma

How come Honey has found me no discounts yet? :(

gemusan38 karma

What sites have you used it on?

ryangyangyang43 karma

Thank you for making a stand.

Is there a way to report these companies? I mean like can you report them to chrome? it seems like they don't have a system for this. Is there a reason they don't deal with this kind of thing?

gemusan52 karma

Google doesn't have a robust system to deal with this because (I hope) this isn't a very common problem. If you have reason to believe an extension is behaving like malware, you can submit it to Google at: https://support.google.com/chrome_webstore/answer/1078344?hl=en

mango_masher41 karma

What was your initial reaction, how did they approach you.

gemusan88 karma

The first time we were approached we thought it was legit. Spent some time going back and forth until we got to the specifics of what we need to do on our side. Then we realized it would turn us into a spyware.

absurdlogic37 karma

Have you had any threats from said companies after refusing the offers?

gemusan83 karma

no they just move on to the next developer I'm sure

pumpkinrum28 karma

How would they be able to use Honey to spread malware?

gemusan65 karma

It's not about spreading malware. It's about turning existing non-malware extensions into malware.

Zeichef12 karma

Hypothetical question: if the most evil of such companies offered you sixty billion dollars to buy you out, would you do it?

gemusan55 karma

For sixty billion dollars?! I would take it in a heart beat. Then I'll take $1 billion, split it 700,000 ways and send each one of our users a $1,500 check along with a letter explaining the situation. Retire with $59B and a clean conscience.

MyCarNeedsOil1 karma

How can we protect ourselves from this kind of thing once they succeed in buying someone else out? Is there an ap for that?

gemusan3 karma

I think the platforms will eventually need to step in to do the quality control. Google has taken the first steps to requiring that extensions be hosted in the Chrome store. This gives them the ability to remove a bad extension from everyone's browser if they ever catch it.

StealthyOwl1 karma

What language is used to code Honey and similar extensions? I've been wanting to learn code other than HTML lately.

gemusan2 karma

Honey's frontend is entirely Javascript so start with that. You can also learn Node.js if you want to build an extension w/ any kind of backend.

emareperiod0 karma

You said they are "shadowy companies that use aliases and shell companies to contact us" as an excuse to not name names. Well, I would like to push you on this as not a valid excuse. The attraction to your AMA is that these companies have approached you, and now you are not mentioning them.

This SOUNDS fishy, so I would like to give you a chance to indeed expose them by name and hopefully by site and email. Let the rest of us connect the dots and see where they lead.

gemusan5 karma

Well, if I point the finger at a specific company, we could get hit with a defamation lawsuit. Please understand that we're not an anonymous person on the internet and we can't get away with something like that.

The point of this AMA is to bring some transparency to the mechanics of how the whole "malware in extension" system works. It's far more useful than posting the names of a few non-public facing companies.