Naked Security

Brave CEO apologises for adding affiliate links to URLs

The Brave browser has provoked unhappiness among some of its users after being caught redirecting searches to affiliate links that earned it commission.

The first user to notice the issue was Cryptonator 1337, who tweeted the following observation on 6 June:

So when you are using the @brave browser and type in ‘’ you end up getting redirected to ‘’ – I see what you did there mates.

What this means is that Brave users searching for Binance, a cryptocurrency exchange, would have had their query autocompleted so that they ended up on a special version of the Binance homepage that lets the company know that Brave’s address bar was the origin of that visit.
Autocomplete, of course, is a feature all web browsers offer and is intended as a time-saving and normally uncontroversial convenience (in Brave, ‘Autocomplete searches and URLs’ can be turned on or off by typing ‘brave://settings/autofill’ into the address bar).
But not long after, a second user discovered a GitHub page containing code used to embed rival cryptocurrency exchanges, Coinbase, Trezor, and Ledger in the same way.
At that point, Brave found itself fielding unhappy comments from users asking whether this behaviour was consistent with the company’s idealistic motto ‘Brave for a better internet’ and general championing of privacy (the latter being a virtue it recently lived up to in an independent university study).
Perhaps surprisingly, Brave founder and CEO Brendan Eich (famous for creating JavaScript and co-founding Mozilla) quickly admitted a “serious error of judgement”, tweeting:

The autocomplete default was inspired by search query clientid attribution that all browsers do, but unlike keyword queries, a typed-in URL should go to the domain named, without any additions. Sorry for this mistake — we are clearly not perfect, but we correct course quickly.

Default autocomplete should not have added redirect code, he agreed, but the mistake had been made as the company attempted to “build a viable business.”
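
The rule in Eich's tweet, that a typed-in URL should go to the domain named without any additions, can be checked mechanically by comparing the typed text with the URL that was actually loaded. The following is an added example, not code from Brave or from this article; the function names, the hostnames and the `ref` parameter are constructed placeholders.

```javascript
// Added example: compare what the user typed in the address bar with the URL
// the browser actually navigated to, and list everything that was added.
// All hostnames and parameter names below are constructed placeholders.

function normalizeTyped(typed) {
  // Address-bar input often has no scheme; assume https for comparison.
  const s = typed.trim();
  return new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : `https://${s}`);
}

function stripWww(host) {
  // Treat "www.example" and "example" as the same named domain.
  return host.toLowerCase().replace(/^www\./, "");
}

function findAdditions(typed, navigated) {
  const want = normalizeTyped(typed);
  const got = new URL(navigated);
  const findings = [];

  if (stripWww(want.hostname) !== stripWww(got.hostname)) {
    findings.push(`host changed: ${want.hostname} -> ${got.hostname}`);
  }
  // A bare domain parses with path "/", so any other path was not typed.
  if (want.pathname !== got.pathname) {
    findings.push(`path changed: ${want.pathname} -> ${got.pathname}`);
  }
  // Flag every query parameter value the user did not type themselves.
  for (const [key, value] of got.searchParams) {
    if (!want.searchParams.getAll(key).includes(value)) {
      findings.push(`query parameter added: ${key}=${value}`);
    }
  }
  return findings;
}

// Constructed sample pairs: [typed text, URL the browser ended up loading].
const samples = [
  ["exchange.example", "https://www.exchange.example/"],
  ["exchange.example", "https://www.exchange.example/en?ref=PLACEHOLDER"],
  ["shop.example/cart?id=7", "https://shop.example/cart?id=7"],
];
for (const [typed, navigated] of samples) {
  const f = findAdditions(typed, navigated);
  console.log(`${typed} -> ${navigated}: ${f.length ? f.join("; ") : "no additions"}`);
}
```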

A mistake, then, but was it really a bad one?

The market for browsers is a strange one that eats money in development costs, which raises the question as to why anyone would get into this as a business.
For the ‘big’ browsers – Google’s Chrome, Apple’s Safari and Microsoft’s Edge – the answer is mainly to support Android, macOS/iOS and Windows.
But they are also commercial entities that earn money in one way or another from directing users to the big bucks of search engines. This is true even for Mozilla’s Firefox, which supports its own idealistic values through an identical business model.
And then there is newcomer Brave, which has styled itself as being an outsider and an innovator, right down to launching an entire Brave platform that hands out ‘attention tokens’ to users in return for consuming advertising.
The need to earn money from the act of browsing itself is a balancing act, one that established browsers with higher market share have the luxury of ignoring.
Sending autocompleted search traffic to affiliates would have earned Brave fractions of a cent for each user who made that journey but without revealing anything about the user.
What caused trouble here was that users wouldn’t have realised this was happening unless they looked closely at the URL. To some, this looked like a small but unnecessary deception.
However, it remains true that smaller, independent browsers face a struggle to survive. Some of the surprisingly large number of browsers whose market share is too small to measure sell out and become ad machines whose ironic selling point is that they are not Google.
Because of its ‘we are different’ marketing, Brave has always been judged by higher standards. That comes with the downside of greater scrutiny and disappointment when mistakes are made.



The reason for Chrome’s existence is not “mainly to support Android” but instead to scrape user data and build detailed profiles of users in order to sell advertising.


Then there is the Vivaldi Browser, which does none of the above.
– not supporting an OS (but works on Win, Linux, Android and Mac)
– not a spyware personal data sucking tool for…
– provides users with their own customizable experience
Yes it is built on Chromium/Android but they compile their own custom code from the base.
A totally different business model for a privacy oriented browser.
Check their website (, it’s all there.


As Anonymous said above, the Chrome browser is about hamstering as much user data as possible.
Anyone not realizing this by now must be quite naive.


This move by Brave actually doesn’t bother me at all. It does not affect privacy and they need to make money somehow.


Brave makes money by selling advertising in the form of desktop alerts and new tab screens. The minimum ad spend commitment is 2.5k/month. This advertising is actually turned off by default. New users are enticed into turning it on with a promise of payment at the end of each month in the form of Basic Attention Tokens (cryptocurrency). Users then have the ability to either send these to an exchange and convert them into cash or “tip” registered websites with their tokens, or both.
I think that the one downside to appending affiliate codes to URLs is that it tips off the website owner that you are using Brave. Most of the time your traffic looks like a normal Chrome visit because Brave is based on Chromium. It’s a very slight exposure but given Brave’s stance on privacy and security, I think it was a bad move on their part. Their ad model is opt-in and very transparent, all their revenue streams should reflect the opt-in and transparency-with-users theme.


I am a longtime Brave user. I understand the need for commercial viability. Speaking for myself, I would gladly pay an annual fee for Brave in order to keep these kinds of monetization temptations away.

