Privacy browser Brave busted for autocompleting URLs to versions it profits from
Brave, the privacy-focused Chromium browser from Mozilla co-founder and JavaScript creator Brendan Eich, has come under fire for automatically redirecting URLs typed into the browser's address bar to a version of the URL it profits from.
Brave is trying to carve out a new business model by offering users the choice of viewing ads in exchange for Brave's cryptocurrency, the Basic Attention Token (BAT).
Privacy
Users can also tip websites they regularly visit in BAT credits based on the idea that website visitors want to pay sites based on user attention to content instead of ads served. It now has 15 million users who have chosen it for its privacy promises.
SEE: Cybersecurity: Let's get tactical (free PDF)
But, as reported by cryptocurrency news site Decrypt, Brave was caught redirecting the typed URL for Binance, a popular crypto exchange, to a different version of the site's URL that Brave earned revenue from. It was doing this without gaining the consent of Brave users.
The redirect was discovered by Yannick Eckl who revealed on Twitter over the weekend that typing in binance[.]us or binance[.]com in Brave redirects the user to the affiliate link 'binance[.]us/en?ref=35089877', which earns Brave money.
Brave promoted a deal it struck with Binance in March to bring the exchange's widget to the browser as part of its effort to create a different business model to other browsers, such as Mozilla's Firefox, which has historically earned most of its revenues from deals with search-engine providers, such as Google. The widget was designed to make it easier for Brave users to trade cryptocurrency.
The practice is a betrayal of trust for Brave users and potentially its affiliates too, which arguably shouldn't be paying Brave for visitors who type the affiliate's URL directly into the browser's address bar.
Eich, Brave's CEO, apologized for the redirects and offered an explanation for the behavior, claiming it was a "mistake".
"It's not great, and sorry again. I'm sad about it, too," he wrote.
"We made a mistake, we're correcting: Brave default autocompletes verbatim 'http://binance.us' in address bar to add an affiliate code," wrote Eich.
"We are a Binance affiliate, we refer users via the opt-in trading widget on the new tab page, but autocomplete should not add any code."
However, other Twitter users challenged the idea that Brave had simply made a mistake. Further research of Brave's GitHub repository revealed it was also redirecting the URLs of Ledger, Trezor and Coinbase to URLs that Brave profits from.
SEE: Zoom security: Your meetings will be safe and secure if you do these 10 things
In defense of the apparent error, Eich also explained that Brave is "trying to build a viable business that puts users first by aligning interests via private ads that pay user >= what we make on fixed fee schedule, no browser data in the clear on any of our servers, and so on. But we seek skin-in-game affiliate revenue too".
"The autocomplete default was inspired by search query clientid attribution that all browsers do, but unlike keyword queries, a typed-in URL should go to the domain named, without any additions. Sorry for this mistake – we are clearly not perfect, but we correct course quickly," he wrote.
He stressed that Brave was not rewriting links in webpages and never would. The behavior was limited to autocompletions when users type in a URL in the browser's address bar, according to Eich.
Users who don't want URLs to the crypto sites to be automatically converted to ones that profit Brave can disable the feature 'Show Brave-suggested sites in autocomplete suggestions'. A future update will switch the setting off by default.