The Brave web browser is hijacking links, and inserting affiliate codes

It’s as if Brave is performance art put on by Mozilla’s advertising department.

— heavyset_go, Hacker News

The Brave web browser sells itself on privacy, security and ad-blocking. It also has its own cryptocurrency, the Basic Attention Token.

As such, it’s a favourite with crypto people — or ones who don’t know how to install uBlock Origin, anyway. [uBO Firefox; uBO Chrome]

What Brave’s done this time

Brave is very into affiliate marketing. Just in March this year, Brave was caught running eToro affiliate marketing without the legally-required disclaimers — and Brave staff were caught deleting all mention of this from the /r/brave_browser subforum on Reddit. [Github, archive]

If you’re using Brave and try to go to the Binance crypto exchange, Brave hijacks the Binance link you typed in, and autofills with its own affiliate code. This was spotted by @cryptonator1337 on Twitter earlier today.

The animation in @cryptonator1337’s tweet shows you what happens: [Twitter]

Sites that Brave attaches a referrer ID to include binance.com, binance.us, coinbase.com, ledger.com and trezor.io. Searches on “bitcoin”, “btc”, “ethereum”, “eth”, “litecoin”, “ltc” or “bnb” that lead to Binance also get a referrer attached. This is all in the file suggested_sites_provider_data.cc. [GitHub, version as of today]
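The behaviour described above comes down to one thing a user can check for themselves: the address they typed versus the address the browser actually loaded. The script below is an added example, not Brave’s code and not from the file named above; it parses both URLs and reports any query parameters that were not in what the user typed, plus any change of host. The sample pairs are constructed, and the query key `ref=EXAMPLE_AFFILIATE` is a placeholder rather than any browser’s real affiliate parameter.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample pairs of (what the user typed, where the browser actually went).
# The query key "ref" and its value are placeholders, not any browser's real affiliate parameter.
CONSTRUCTED_SAMPLES = [
    ("binance.com", "https://www.binance.com/?ref=EXAMPLE_AFFILIATE"),
    ("https://coinbase.com/", "https://coinbase.com/"),
    ("trezor.io", "https://trezor.io/"),
]


def _split(url: str):
    """Parse a URL; a bare hostname like 'binance.com' is treated as https://binance.com."""
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url)


def _host(url_parts) -> str:
    """Normalise the hostname so that 'www.binance.com' and 'binance.com' compare equal."""
    host = (url_parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def added_parameters(typed: str, navigated: str) -> dict:
    """Query parameters present in the navigated URL that were absent from what was typed."""
    typed_q = dict(parse_qsl(_split(typed).query, keep_blank_values=True))
    nav_q = dict(parse_qsl(_split(navigated).query, keep_blank_values=True))
    return {k: v for k, v in nav_q.items() if k not in typed_q}


def audit(typed: str, navigated: str) -> dict:
    """Compare typed vs navigated URL and flag silently added parameters or a changed host."""
    typed_parts, nav_parts = _split(typed), _split(navigated)
    added = added_parameters(typed, navigated)
    host_changed = _host(typed_parts) != _host(nav_parts)
    verdict = "rewritten" if (added or host_changed) else "ok"
    return {
        "typed": typed,
        "navigated": navigated,
        "host_changed": host_changed,
        "added": added,
        "verdict": verdict,
    }


def audit_samples(samples=CONSTRUCTED_SAMPLES) -> list:
    """Run the audit over every sample pair and return the list of results."""
    return [audit(typed, navigated) for typed, navigated in samples]


if __name__ == "__main__":
    for result in audit_samples():
        print(f"{result['verdict']:9} {result['typed']!r} -> {result['navigated']!r} "
              f"added={result['added']}")
```

To use it on a real browser, paste the address you typed and the address shown after the page loads into a sample pair; anything the audit lists under `added` is something the browser put there, not you. The host check catches the other variant, where a typed domain lands on a different hostname entirely.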

The landing page for Coinbase even says “Brave Software International invited you to try Coinbase!” [Coinbase]

Brendan Eich, the founder and CEO of Brave, assures us that putting his referrer links into URLs that users typed in, to try to get people to click through accidentally, is all completely upright and above-board. [Twitter]

This ignores the legally required disclosures for affiliate links — the disclosures that Brave also ignored for the eToro links in March. In the US, the FTC has required full disclosure of affiliate marketing since 2009 — you have to put it right there on the page. Similar rules apply in the UK and the EU. (See my Amazon disclosure at the bottom-right of this post, for example.) [FTC; CAP]

However, Eich is very sorry that Brave got caught — again — and something will be changed in some manner to stop this behaviour, or at least obscure it. (Eich doesn’t say precisely what the totally fine thing Brave thought it was doing was, or what’s going to change here.) [Twitter]

Whatever the change is, it will at least apply for Binance — though Eich conspicuously didn’t mention the other sites, and there’s no update on GitHub as yet to the source code file I linked above. [GitHub, master branch] Update: Fix added, see below.

How does this keep happening?!

I have been told by multiple past subordinates of Eich’s how — in discussion of any matter whatsoever — he will not be swayed from any opinion that he feels he has reached through logic and reason, and will vehemently argue his correctness at length.

This doesn’t go so well when he’s trying to convince people on Twitter of his bona fides, when they think he’s just scammed them.

When Brave was caught in December 2018 asking for donations on behalf of other people without telling them, Eich started alluding in Twitter replies to Plato, Hume and Nietzsche. “In short run, without sounding Nietzschean, will matters. Patreon’s is weak or corrupt. Ours is not.” This didn’t convince anyone either. [Twitter archive; Twitter archive; Twitter archive]

What should Brave do?

I’d like to assume Eich is acting in good faith here — but this sort of nonsense keeps happening.

When you see you’ve done something wrong, you should fix it — then explain what you got wrong, that you understand why your users are upset, and precisely how this happened, step by step.

Then you don’t do it again. And you put systems into place so that you don’t do it again.

What you don’t do is to rack up a chain of other unmarked affiliate advertising, or pull what looks remarkably like donation fraud. Then apologise each time, say you’ve fixed it … and then do it again.

This is precisely what scammers do — they apologise, they swear they’ll fix it, and then they do it again.

So don’t do that.

What should I do, as a Brave user?

There is no good reason to use Brave. Use Chromium — the open-source core of Chrome — with the uBlock Origin ad blocker. [Chromium download, uBO Chrome]

Or use Firefox with uBlock Origin — ‘cos it blocks more ads than the Chromium framework will let anything block. [uBO Firefox]

Or, if you want a really cleaned-out Chrome — ungoogled-chromium, with uBlock Origin. [GitHub]

If you’re on Android, use Firefox with uBlock Origin, or the new Firefox Focus browser. [Mozilla]

Brave is a browser for suckers who want to keep getting played — so it’s a 100% crypto enterprise. As Eich’s pinned tweet still tells us: “Who gets paid? If not you, then you’re ‘product’.” [Twitter]


Update: Brendan Eich has responded to this post by claiming “David lies about us all the time.” I have pointed out that this is a prima facie defamatory statement, and asked him to detail these claimed lies. [Twitter, archive]

Update 2: The fix has been committed to the Brave repository on GitHub. The functionality will default to being switched off. [GitHub, GitHub]


28 Comments on “The Brave web browser is hijacking links, and inserting affiliate codes”

  1. Cheers to Amy Castor for editing and the progression of the scammer, and Kyle Gibson for spotting the Coinbase page.

    1. When you’re promoting something, I’m really not sure “IGNORE THE FUD” is something to put in the first line, but anyway.

  2. Your post is a bit misleading, David. There was no hijacking of links; this feature didn’t involve links in any way. It was nothing more than prepopulated affiliate URLs. I’m worried this misrepresentation may be contributing to the confusion of others who think (incorrectly) that Brave was rewriting links.

    Affiliate programs are indeed upright; they’re also a key part of many popular applications. As software which costs nothing for the end user, revenues must be found and/or established elsewhere. In Brave’s case, we look for clean revenue, which doesn’t involve exchanging user data or compromising privacy. The Affiliate link approach is one such option. Your feedback regarding clear and explicit disclosure is well received.

    Suggesting Brave “is sorry it got caught” demonstrates a bit of prejudice on your end, however. Brave is purposefully open-source, and radically transparent. We encourage users to peruse our code, and report anything and everything that gives concern. In many cases, users get paid for their findings.

    Regarding the December incident you reference above, Brave never solicited donations in the name of other people. Brave has had a tipping mechanism built into the browser for quite some time. In the past, when users would open that component of the browser, they were presented with media from the page, as well as the title and some default text about supporting content contributors. If the creator was verified there was a specific checkmark which would also be displayed (similar to Twitter).

    In the past, when you contributed to a particular content creator, your tip would go into an omnibus settlement wallet, earmarked for that creator. If/when they verified, the wallet would pay out any tokens held in reserve. This feature caused confusion for some users; in particular, it was the confusion around whether or not a property was verified. Thanks to the feedback of our users, we were able to rapidly change the UI to more clearly communicate whether a creator is set up to receive contributions or not. And, we were also able to rapidly modify the tipping mechanism so that pending contributions were held in the user’s wallet, rather than in an omnibus settlement wallet. Tom Scott (the individual who lent us his critique) reviewed our changes and approved of the new process flow, UI, and UX.

    As for why people should use Brave, there are many reasons. Brave is private by default, and secure by design. By default it handles HTTPS Everywhere, fingerprinting protection, and more. Brave also comes with an innovative, opt-in, digital advertising system which inverts the traditional model, keeping your data private and local. This model does not share any user data, and rewards the user with 70% of the advertising revenues. Users can then, in turn, contribute their tokens to content creators all across the Web, in a platform-agnostic manner. No signups, no credit cards, nothing.

    Your last statement, about Brave being a browser “for suckers,” simply demonstrates a personal prejudice. We are always happy to discuss the browser, and the experience of our users, but I think you’re being purposefully antagonistic rather than demonstrating a genuine interest in the facts. That said, we are reverting the affiliate change so as to prevent the prepopulation moving forward.

    1. > Brave never solicited donations in the name of other people.

      Your claim here is trivially false: Brave literally did precisely this thing, as I document with screenshots here. You had the creator’s name and photo, and the direct claim “You can support this site by sending a tip”.

      > There was no hijacking of links; this feature didn’t involve links in any way. It was nothing more than prepopulated affiliate URLs.

      People typed in the start of a URL, you autocompleted it in the presumable hope they would just hit “enter”. Did they intend to go to your affiliate URL? No, they did not, and this is why your users are angry. “Hijack” is an entirely accurate word for what you did.

      1. [Sampson replied again, repeating the trivially false claims about their solicitations of donations in other people’s names in the first comment. Right of reply is fine, but I’m not going to run repeated multi-paragraph advertising press releases that contain egregiously false claims – he had his reply, and that was how he spent it.]

        1. Let’s just get this out in the air because it’s painfully obvious. Sampson is definitely Eich trying to save face.

    2. > There was no hijacking of links; this feature didn’t involve links in any way. It was nothing more than prepopulated affiliate URLs.

      I don’t know if the gif in xCR1337’s tweet was misrepresenting the situation, but it sure looks like the URL was rewritten AFTER pressing enter. It wasn’t even simply an automatic suggestion that you could press backspace to cancel, but you could look at the URL, and convince yourself that it’s correct, and it’s still rewritten after you press enter.

      That’s despicable.

  3. Dude this article is censored by brave. If you visit it with brave it says it doesn’t respond or something like that.

    1. nah, that’s just the Brave Little Server That Couldn’t Quite getting hammered. Currently fiddling with WP Super Cache …

  4. For those not into cobbling together the raw Chromium etc., what’s the best alternative to Brave in terms of private browsing? I’m thinking of something that I can tell my Granny to download.

    1. I use, and really like, Vivaldi. It’s another privacy-and-UX-focused Chromium overlay. Use it with an adblocker for added protection, of course.

  5. Thanks for the info. I found that Brave blocks ads better than Chrome and FF. Maybe tweaking the default settings would help avoid those mentioned issues.

  6. @Sampson …”nothing more than prepopulated affiliate URLs”… If you tamper with a URL I typed into the address bar in any way, if you tamper with the link I clicked in my search window in any way, if you auto-fill any information on my signup page in any way (i.e. an affiliate link) especially without disclosure, that IS hi-jacking and you are being dishonest, and I’m sure a crime is taking place. Any user tricked into helping Brave earn a % of any trade they make, they may not want to do that. You didn’t give them a choice. That’s why it’s wrong.

    The more you play semantics and dance around it the worse you’re making it for yourself. To purposefully try and capture a new user on an exchange by auto-filling in a link, or “prepopulating an affiliate link”, and earn a bonus on that user (or in the case of Binance) make a % of all their trades in perpetuity, with no disclosure is dishonest. The fact that Brave was caught, again, well that just shows that your CEO is himself dishonest and the whole chain of trust is broken for everyone.

    I’m sure there was plenty of funding to be made by simply encouraging people to tip their BAT to support Brave in some fashion. What Brave needs to be doing now is fixing the problem and apologizing to the public.

  7. Brendan Eich is a dirtbag and it shouldn’t be a surprise when a company he runs does dishonest things.

    Nevertheless I’m not sure I understand what there is to be upset about here. This behaviour is dishonest in the same way that affiliate marketing or any other advertising is dishonest. Except that in this case Brave is abusing affiliate marketing services to line their own pockets when no advertising took place and the user would have visited the target website anyway. I’m not sure there’s any reason for anyone to be upset about this except the operator of the affiliate marketing service.

    If someone is using the Brave browser, then presumably they aren’t big fans of the advertising industry and I don’t really see why they should care about the advertising industry being tricked into spending their money on something other than making their advertising more effective. Perhaps I have missed something important here.

    I do hope that people using Brave might care about the fact that any money that makes its way to Brendan Eich is likely to be spent on campaigns to deny queer people basic rights, but that’s a different issue.

  8. The thing that scared me is it slides up a prompt when your ledger wallet is plugged into your USB. It brings up some Information about ledger in a prompt slide in. Check it out and tell me what that’s about

  9. I recently downloaded Brave along with a whole host of other browsers because I was no longer happy to continue with Firefox. It took me a while to go through all the settings so things were the way I like them. I don’t sync, back up, send diagnostic data or sign in to anything. I’m a luddite where that’s concerned. Anyway I finally got round to giving it a go and was shocked to find all the important settings had changed by themselves to the opposite of what I set. So I spent another few hours going through them all and changing them back and closed the browser. A few hours later on the same day they had all changed back to leaking all my data. So I had no option but to delete it. That’s a real scummy company and I’ll never use a product by that company or developers ever again. I have suffered the same way with my Amazon Fire tablets. No matter how many times I set it for no location services Amazon turns it back on for its own use.

  10. What’s funny is everywhere Brave Browser has had this scummy behaviour revealed on the internet, from reddit, hackernews, twitter and even here, guess who shows up? One of the Brave developers or owners to try and talk everyone out of believing what they just read, to ignore the evidence.

    I’ve uninstalled brave from my devices now, and am continuing to notify people as well. This browser, and the owners, stink.

    Elsewhere I’ve read Brave is nothing more than controlled opposition, and isn’t it funny how it’s propped up as the ‘browser for cookers’, that group of people literally doing whatever they are told, from using telegram, weird crypto, duckduckgo…all leading them to protests while brave browser dobs them all in.
