[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Starting analysis...

PayPal Honey: Automated Coupons & Cash Back

Version 19.0.3 View in Chrome Web Store

Last scanned: about 4 hours ago

Extension Details

Developer: https://www.joinhoney.com/

Rating: 4.6 ★ (179.8K ratings)

Users: 14,000,000

Context-Aware Verdict

MEDIUM

Overall Risk

Trust Factors:

PayPal Honey is a legitimate extension owned by PayPal, a well-established financial services company. With 14 million users and a 4.6-star rating from nearly 180,000 reviews, it demonstrates strong user adoption and satisfaction. The extension's core functionality of finding coupon codes and providing cashback rewards is transparent and widely understood by users.

Concerns:

While the security findings flag several high-risk permissions, these are largely necessary for Honey's legitimate functionality. The cookies permission enables price tracking and coupon application, webRequest allows monitoring for applicable deals, and broad host permissions are required since the extension works across all shopping websites. However, these same permissions could theoretically be misused for data collection or tracking beyond what's necessary for the service.

The extension's ability to access all websites and intercept web requests means it has visibility into users' browsing patterns and shopping behavior, which raises privacy considerations even when used legitimately.

Recommendations:

Given PayPal's reputation and the extension's widespread adoption, the risk is mitigated compared to unknown developers. Users comfortable with PayPal's data practices can use this extension normally. Privacy-conscious users should review PayPal's privacy policy to understand data collection practices. The extension doesn't require a separate Chrome profile due to its legitimate business model and established trust, but users should be aware of the extensive data access it requires.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webRequest

This extension has the webRequest permission. Can intercept and modify web requests. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

MEDIUM

Medium-Risk Permission: unlimitedStorage

This extension has the unlimitedStorage permission. Can store unlimited data locally.

Security Analysis Details

Required Permissions:

alarms
cookies
storage
unlimitedStorage
scripting
webRequest
offscreen

Host Permissions:

http://*/*
https://*/*

Content Security Policy:

extension_pages: script-src 'self'; object-src 'self';
isolated_world: script-src 'self'; object-src 'self';

Embedded URLs (334 total):

https://www.joinhoney.com/en/privacy	https://www.joinhoney.com/de/privacy
http://paypal.com/payin4	https://www.joinhoney.com/de/terms
https://www.joinhoney.com/de/terms#honey-gold	https://www.paypal.com/us/webapps/mpp/ua/pp-rewards-program-tnc
https://www.joinhoney.com/privacy	https://www.joinhoney.com/terms
https://www.joinhoney.com/terms#honey-gold	https://www.joinhoney.com/it/privacy
https://www.joinhoney.com/it/terms	https://www.joinhoney.com/it/terms#honey-gold
https://www.joinhoney.com/fr/privacy	https://www.joinhoney.com/fr/terms
https://www.joinhoney.com/fr/terms#honey-gold	https://www.joinhoney.com/es/privacy
https://www.joinhoney.com/es/terms	https://www.joinhoney.com/es/terms#honey-gold
https://www.joinhoney.com/nl/privacy	https://www.joinhoney.com/nl/terms
https://www.joinhoney.com/nl/terms#honey-gold	https://www.joinhoney.com/pt/privacy
https://www.joinhoney.com/pt/terms	https://www.joinhoney.com/pt/terms#honey-gold
https://github.com/uuidjs/uuid#getrandomvalues-not-supported	http://goo.gl/MqrFmX
http://goo.gl/rRqMUw	https://github.com/babel/babel/blob/main/packages/babel-helpers/LICENSE
https://www.sephora.com/api/shopping-cart/basket/promotions	https://www.sephora.com/api/shopping-cart/baskets/current/promotions
https://www.kohls.com/cnc/applyCoupons	https://www.budget.com
https://www.avis.com	https://regex101.com/r/SKzZZF/1
https://regex101.com/r/LSooIQ/1	https://www.expedia.com/Checkout
https://www.cvs.com/RETAGPV3/RxExpress/V2/applyCoupon	https://www.fitflop.com/us/en/cart/coupon
https://www.ae.com/ugp-api/bag/v1/coupon	https://cdn.joinhoney.com/dummy-store/api/
https://extension.joinhoney.com/	https://o.honey.io
https://o.joinhoney.com/	https://out.joinhoney.com/
https://o.honey.io/store/	https://v.joinhoney.com
https://d.joinhoney.com/v3?operationName=	https://d.joinhoney.com/v3
https://cdn.honey.io	https://www.expedia.com
https://www.amazon.com/gp/buy/spc/handlers/add-giftcard-promotion.html/ref=ox_pay_page_gc_add	https://www.bathandbodyworks.com
http://www.w3.org/1999/xhtml	http://www.w3.org/1998/Math/MathML
http://www.w3.org/2000/svg	http://www.w3.org/1999/xlink
http://www.w3.org/XML/1998/namespace	http://www.w3.org/2000/xmlns/
https://d.joinhoney.com/extdata/ckdata	https://honeyscience.github.io/allowlist/
https://regex101.com/r/HmaF1K/1	https://www.forever21.com
https://regex101.com/r/wpUsnJ/1	http://www.example.com
https://sentry.io/welcome/	https://cdn.honey.io/images/findsavings/coiny-dash-config.json
http://mths.be/base64	https://evilmartians.com/chronicles/postcss-8-plugin-migration
https://www.w3ctech.com/topic/2226	https://s.joinhoney.com/evs
https://s.joinhoney.com/	https://s.joinhoney.com/ev/
https://d.joinhoney.com	https://www.joinhoney.com
https://www.orbitz.com/Checkout/applyCoupon	https://www.orbitz.com/Checkout/removeCoupon
https://www.prettylittlething.com/pltmobile/coupon/couponPost/	https://checkout.prettylittlething.com/checkout-api/coupon/set
https://checkout.prettylittlething.com/checkout-api/coupon	https://cdn-checkout.joinhoney.com/honey-checkout/version_config.json

Page 1 of 5

Raw Manifest

{
  "name": "__MSG_Honey_Title__",
  "icons": {
    "16": "icons/honey-logo-16.png",
    "48": "icons/honey-logo-48.png",
    "128": "icons/honey-logo-128.png"
  },
  "action": {
    "default_icon": {
      "16": "icons/default-16.png",
      "19": "icons/default-19.png",
      "32": "icons/default-32.png",
      "38": "icons/default-38.png"
    },
    "default_popup": "popover/popover.html",
    "default_title": "PayPal Honey"
  },
  "version": "19.0.3",
  "background": {
    "service_worker": "h0.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_Automatically_find_and_apply_coupon_codes_when_you_shop_online__",
  "permissions": [
    "alarms",
    "cookies",
    "storage",
    "unlimitedStorage",
    "scripting",
    "webRequest",
    "offscreen"
  ],
  "default_locale": "en",
  "content_scripts": [
    {
      "js": [
        "h1-check.js"
      ],
      "run_at": "document_end",
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "all_frames": false,
      "match_about_blank": false
    }
  ],
  "host_permissions": [
    "http://*/*",
    "https://*/*"
  ],
  "manifest_version": 3,
  "content_security_policy": {
    "isolated_world": "script-src 'self'; object-src 'self';",
    "extension_pages": "script-src 'self'; object-src 'self';"
  },
  "web_accessible_resources": [
    {
      "matches": [
        "http://*/*",
        "https://*/*"
      ],
      "resources": [
        "checkoutPaypal/*",
        "extensionMixinScripts/*",
        "images/*",
        "offscreen/*",
        "paypal/*",
        "proxies/*"
      ]
    }
  ]
}

by ✦ Astarte

PayPal Honey: Automated Coupons & Cash Back

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Content Security Policy:

Embedded URLs (334 total):

Raw Manifest

Detections

Manifest Findings