[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

PayPal Honey: Automated Coupons & Cash Back

Version 19.0.3 View in Chrome Web Store

Last scanned: 3 days ago | force re-scan

Extension Details

Developer: https://www.joinhoney.com/

Rating: 4.6 ★ (179.8K ratings)

Users: 13,000,000

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors: PayPal Honey is a legitimate extension owned by PayPal, a well-established financial services company. With 13 million users and a 4.6-star rating from nearly 180,000 reviews, it has strong user adoption and satisfaction. The extension's core functionality of finding coupons and providing cash back rewards is transparent and well-documented.

Concerns: While the extension is legitimate, its permissions are extensive for its stated purpose. The cookies permission allows access to sensitive authentication data across all websites. The webRequest permission enables interception of all web traffic, which could expose personal information, payment details, and browsing patterns. Broad host permissions mean the extension can access every website you visit. The combination of these permissions creates a powerful surveillance capability that extends beyond coupon finding.

The extension necessarily requires these permissions to function - it needs to monitor shopping sites, access pricing information, and inject coupon codes. However, this creates inherent privacy trade-offs as PayPal can potentially track your entire browsing behavior and shopping habits.

Recommendations: This extension is generally safe due to PayPal's reputation, but privacy-conscious users should be aware of the extensive data collection capabilities. Consider using it only when actively shopping rather than leaving it enabled constantly. Review PayPal's privacy policy to understand data usage. Users with high privacy requirements might prefer manual coupon searching over automated tools.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

Security Analysis Details

Required Permissions:

alarms
cookies
storage
unlimitedStorage
scripting
webRequest
offscreen

Host Permissions:

http://*/*
https://*/*

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self';
isolated_world: script-src 'self'; object-src 'self';

Embedded URLs (334 total):

https://www.joinhoney.com/en/privacy	https://www.joinhoney.com/de/privacy
http://paypal.com/payin4	https://www.joinhoney.com/de/terms
https://www.joinhoney.com/de/terms#honey-gold	https://www.paypal.com/us/webapps/mpp/ua/pp-rewards-program-tnc
https://www.joinhoney.com/privacy	https://www.joinhoney.com/terms
https://www.joinhoney.com/terms#honey-gold	https://www.joinhoney.com/it/privacy
https://www.joinhoney.com/it/terms	https://www.joinhoney.com/it/terms#honey-gold
https://www.joinhoney.com/fr/privacy	https://www.joinhoney.com/fr/terms
https://www.joinhoney.com/fr/terms#honey-gold	https://www.joinhoney.com/es/privacy
https://www.joinhoney.com/es/terms	https://www.joinhoney.com/es/terms#honey-gold
https://www.joinhoney.com/nl/privacy	https://www.joinhoney.com/nl/terms
https://www.joinhoney.com/nl/terms#honey-gold	https://www.joinhoney.com/pt/privacy
https://www.joinhoney.com/pt/terms	https://www.joinhoney.com/pt/terms#honey-gold
https://github.com/uuidjs/uuid#getrandomvalues-not-supported	http://goo.gl/MqrFmX
http://goo.gl/rRqMUw	https://github.com/babel/babel/blob/main/packages/babel-helpers/LICENSE
https://www.sephora.com/api/shopping-cart/basket/promotions	https://www.sephora.com/api/shopping-cart/baskets/current/promotions
https://www.kohls.com/cnc/applyCoupons	https://www.budget.com
https://www.avis.com	https://regex101.com/r/SKzZZF/1
https://regex101.com/r/LSooIQ/1	https://www.expedia.com/Checkout
https://www.cvs.com/RETAGPV3/RxExpress/V2/applyCoupon	https://www.fitflop.com/us/en/cart/coupon
https://www.ae.com/ugp-api/bag/v1/coupon	https://cdn.joinhoney.com/dummy-store/api/
https://extension.joinhoney.com/	https://o.honey.io
https://o.joinhoney.com/	https://out.joinhoney.com/
https://o.honey.io/store/	https://v.joinhoney.com
https://d.joinhoney.com/v3?operationName=	https://d.joinhoney.com/v3
https://cdn.honey.io	https://www.expedia.com
https://www.amazon.com/gp/buy/spc/handlers/add-giftcard-promotion.html/ref=ox_pay_page_gc_add	https://www.bathandbodyworks.com
http://www.w3.org/1999/xhtml	http://www.w3.org/1998/Math/MathML
http://www.w3.org/2000/svg	http://www.w3.org/1999/xlink
http://www.w3.org/XML/1998/namespace	http://www.w3.org/2000/xmlns/
https://d.joinhoney.com/extdata/ckdata	https://honeyscience.github.io/allowlist/
https://regex101.com/r/HmaF1K/1	https://www.forever21.com
https://regex101.com/r/wpUsnJ/1	http://www.example.com
https://sentry.io/welcome/	https://cdn.honey.io/images/findsavings/coiny-dash-config.json
http://mths.be/base64	https://evilmartians.com/chronicles/postcss-8-plugin-migration
https://www.w3ctech.com/topic/2226	https://s.joinhoney.com/evs
https://s.joinhoney.com/	https://s.joinhoney.com/ev/
https://d.joinhoney.com	https://www.joinhoney.com
https://www.orbitz.com/Checkout/applyCoupon	https://www.orbitz.com/Checkout/removeCoupon
https://www.prettylittlething.com/pltmobile/coupon/couponPost/	https://checkout.prettylittlething.com/checkout-api/coupon/set
https://checkout.prettylittlething.com/checkout-api/coupon	https://cdn-checkout.joinhoney.com/honey-checkout/version_config.json

Page 1 of 5

Raw Manifest

{
  "name": "__MSG_Honey_Title__",
  "icons": {
    "16": "icons/honey-logo-16.png",
    "48": "icons/honey-logo-48.png",
    "128": "icons/honey-logo-128.png"
  },
  "action": {
    "default_icon": {
      "16": "icons/default-16.png",
      "19": "icons/default-19.png",
      "32": "icons/default-32.png",
      "38": "icons/default-38.png"
    },
    "default_popup": "popover/popover.html",
    "default_title": "PayPal Honey"
  },
  "version": "19.0.3",
  "background": {
    "service_worker": "h0.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_Automatically_find_and_apply_coupon_codes_when_you_shop_online__",
  "permissions": [
    "alarms",
    "cookies",
    "storage",
    "unlimitedStorage",
    "scripting",
    "webRequest",
    "offscreen"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "h1-check.js"
      ],
      "run_at": "document_end",
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "all_frames": false,
      "match_about_blank": false
    }
  ],
  "host_permissions": [
    "http://*/*",
    "https://*/*"
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "isolated_world": "script-src 'self'; object-src 'self';",
    "extension_pages": "script-src 'self'; object-src 'self';"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "resources": [
        "checkoutPaypal/*",
        "extensionMixinScripts/*",
        "images/*",
        "offscreen/*",
        "paypal/*",
        "proxies/*"
      ]
    }
  ]
}

by ✦ Astarte

PayPal Honey: Automated Coupons & Cash Back

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (334 total):

Raw Manifest

Detections

Manifest Findings