CRXaminer

PayPal Honey: Automated Coupons & Cash Back

Version 19.0.0

Last scanned: about 16 hours ago

Extension Details

Developer: https://www.joinhoney.com/
Rating: 4.6 ★ (179.6K ratings)
Users: 14,000,000

Context-Aware Verdict

Overall Risk: MEDIUM
Trust Factors: PayPal Honey is a legitimate extension owned by PayPal, one of the world's largest payment companies. With 14 million users and a 4.6-star rating from nearly 180,000 reviews, it has established significant market trust. The extension's core functionality - finding coupons and providing cashback - is well-documented and transparent.
Concerns: While the security findings flag high-risk permissions, these are largely necessary for Honey's legitimate operations. The cookies permission enables coupon application at checkout, webRequest allows monitoring for discount opportunities, and broad host permissions are required since the extension works across thousands of shopping websites. However, these same permissions could theoretically access sensitive data like login credentials or personal information across all websites you visit.

The extension's business model involves collecting shopping data to provide merchant insights, which some users may find concerning from a privacy perspective. The unlimited storage permission could accumulate significant browsing data over time.

Recommendations: Given PayPal's reputation and the extension's widespread adoption, the risk is mitigated compared to unknown developers. However, privacy-conscious users should review PayPal's data collection practices. Consider using the extension only when actively shopping rather than leaving it enabled constantly. Users with high security requirements could run it in a separate Chrome profile for shopping activities only.

Findings

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH: High-Risk Permission: cookies
This extension has the cookies permission, which can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH: High-Risk Permission: webRequest
This extension has the webRequest permission, which can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM: Medium-Risk Permission: storage
This extension has the storage permission, which can store data locally.

MEDIUM: Medium-Risk Permission: unlimitedStorage
This extension has the unlimitedStorage permission, which can store unlimited data locally.