Brave Browser Takes Back Controversial Affiliate Code Injection

Last updated September 25, 2021
Written by:
Bill Toulas
Infosec Writer

Brave browser, one of the most privacy-focused and secure web browsers out there, has made a mistake that generated a notable backlash from the community, leading to a retraction. More specifically, Brave was automatically injecting affiliate code on cryptocurrency exchange platforms like Binance, Coinbase, Ledger, and Trezor. As Brendan Eich, the CEO and co-founder of Brave Software, admitted, this was a mistake, and they have changed this setting from being "on" by default to being an opt-in choice for the user. The “mistake” lasted for about ten weeks, from March 25 to the past weekend.

Brave is rising in popularity very quickly, and it has recently reached 15 million monthly active users and 5 million daily users. Besides the privacy and security features that are offered through Brave, this particular browser is unique in the field of cryptocurrency - it is serving advertising campaigns to the users who want it, in exchange for crypto (Brave Rewards). Moreover, it features a crypto wallet that enables users to connect their Uphold account and make transactions right from within the browser. All that said, there are quite a few cryptocurrency holders who like to use Brave.

The injection of affiliate links caused controversy in Brave’s community not because the company tried to make money out of its users, but because it risked their privacy in the process. By injecting affiliate code, Brave gets a cut from the cryptocurrency exchange platforms, as it looks like Brave has referred these users. However, the referrer is allowed to view some of the data concerning the users who sign up with its code, as affiliate program systems generally provide this. Coinbase, for example, provides direct access to the campaign’s performance data, while Trezor gives a detailed overview of the purchases made by the referred users.

For a privacy-focused browser like Brave, this auto-completing should never have been activated by default. If any of the users want to support their favorite browser, they may enable it manually. Obviously, not everyone will go through the trouble of doing it, but this should have been the setting from the start. To check what your settings are in relation to this feature, open Brave’s Settings menu, go to “Privacy and Security,” and check the position of the “Autocomplete searches and URLs” switch.
