Help My Friends
Overview
Share the love! Easily support your favorite content creators and friends by adding their Amazon affiliate tags to Amazon URLs when you shop online.
Help My Friends automatically detects when you're browsing Amazon product pages and gives you the option to add a friend's or creator's affiliate tag to your purchase. Help My Friends respects other affiliate links and only suggests adding tags when it detects that none are present. You maintain full control. The extension never automatically adds affiliate tags without your explicit permission.
Just add your friends' and favorite creators' Amazon affiliate tags in the extension options and Help My Friends will randomly select from your list when you choose to support someone. This helps your favorite content creators earn commissions from your purchases without overriding any other affiliate links you've used.
Security Analysis — Help My Friends
Package Contents 11 files · 862KB
What This Extension Does
Help My Friends is a browser extension designed to help users support content creators by automatically appending their Amazon affiliate tags to product links on Amazon sites. It solves the problem of wanting to share purchase links that benefit specific friends or creators without overriding existing affiliate relationships. The tool operates strictly within Amazon domains and requires user interaction before modifying any links.
Permissions Explained
- *://*.amazon.com/* (expected): Allows the extension to read and modify web pages on Amazon.com so it can detect product links and add affiliate tags.
  Technical: Grants content script injection rights to the root domain amazon.com. This allows access to the DOM, local storage, and network requests of all subdomains (e.g., www.amazon.com). If compromised, an attacker could read page content or inject malicious scripts into Amazon pages.
- *://*.amazon.co.uk/* (expected): Allows the extension to function on Amazon UK sites by accessing their web pages.
  Technical: Grants content script injection rights to amazon.co.uk and its subdomains. Provides access to DOM elements and local storage specific to this regional domain.
- *://*.amazon.ca/* (expected): Allows the extension to function on Amazon Canada sites by accessing their web pages.
  Technical: Grants content script injection rights to amazon.ca and its subdomains. Provides access to DOM elements and local storage specific to this regional domain.
- *://*.amazon.de/* (expected): Allows the extension to function on Amazon Germany sites by accessing their web pages.
  Technical: Grants content script injection rights to amazon.de and its subdomains. Provides access to DOM elements and local storage specific to this regional domain.
- *://*.amazon.fr/* (expected): Allows the extension to function on Amazon France sites by accessing their web pages.
  Technical: Grants content script injection rights to amazon.fr and its subdomains. Provides access to DOM elements and local storage specific to this regional domain.
- *://*.amazon.it/* (expected): Allows the extension to function on Amazon Italy sites by accessing their web pages.
  Technical: Grants content script injection rights to amazon.it and its subdomains. Provides access to DOM elements and local storage specific to this regional domain.
- *://*.amazon.es/* (expected): Allows the extension to function on Amazon Spain sites by accessing their web pages.
  Technical: Grants content script injection rights to amazon.es and its subdomains. Provides access to DOM elements and local storage specific to this regional domain.
- *://*.amazon.co.jp/* (expected): Allows the extension to function on Amazon Japan sites by accessing their web pages.
  Technical: Grants content script injection rights to amazon.co.jp and its subdomains. Provides access to DOM elements and local storage specific to this regional domain.
- storage (expected): Allows the extension to save your list of friends' affiliate tags and settings in your browser's local memory.
  Technical: Accesses chrome.storage.sync or chrome.storage.local. This is used to persist the user-defined list of affiliate IDs. Data is stored locally on the device and is not sent to external servers unless explicitly configured by the developer (which is not detected here).
Your Data
The extension does not send any data to external servers. It only reads and modifies content on Amazon websites you visit and stores your affiliate tag list locally in your browser's storage.
Technical Details
Code Findings
The code uses a method that could theoretically allow malicious scripts to run if the extension were compromised, though this is a standard practice for modifying web pages.
Technical: Analysis detected an 'innerHTML' assignment pattern. While commonly used to update UI elements or inject new links, it can be exploited for Cross-Site Scripting (XSS) if the source of the content is not strictly sanitized. In this context, the extension generates content from user-provided affiliate tags.
💡 Content scripts frequently use innerHTML to dynamically render buttons, modals, or new links on web pages without reloading them.
The extension requests access to Amazon sites in many countries (US, UK, Canada, Germany, France, Italy, Spain, Japan). This is necessary because the tool works on all of them.
Technical: Permissions cover multiple regional domains (*://*.amazon.*/*). While this increases the attack surface slightly by granting access to more subdomains, it aligns perfectly with the stated functionality of supporting creators globally.
💡 Extensions that function across international markets must declare permissions for all relevant regional domains to operate correctly.
The extension does not have a strict security policy set, which means it relies on default browser protections rather than custom restrictions.
Technical: Content Security Policy (CSP) header is not explicitly defined in the manifest. This allows scripts to run from any source permitted by the browser's default settings for that origin. It does not inherently indicate a vulnerability but represents a missed opportunity to harden the extension against script injection.
💡 Many simple extensions omit CSP headers, relying on the principle of least privilege granted by the user-installed manifest permissions rather than runtime policy enforcement.
Help My Friends appears to be a legitimate utility tool that functions exactly as described: it modifies links only on Amazon sites with your permission and stores settings locally. While it uses standard web manipulation techniques like innerHTML, there is no evidence of malicious behavior or data exfiltration. Users can safely install this extension if they trust the developer, but should remain aware that any extension modifying page content carries a theoretical risk of XSS if the code is compromised.