Summary
Highlights
The speaker introduces a 'Honey scandal' and explains that as a Chrome extension, Honey's code is publicly available for examination. The goal is to investigate allegations of fraudulent behavior and observe how the code has evolved over time. The speaker will watch an excerpt from a video detailing the scandal and then analyze Honey's minified code.
The video discusses how Honey was allegedly stealing money from influencers. Affiliate networks typically enforce a 'standown policy' to prevent coupon extensions from poaching commissions from content creators. An example with Newegg shows that Honey is supposed to stand down when an affiliate link is active. However, testing with two different Honey accounts reveals that Honey selectively applies this policy, particularly favoring accounts with accumulated cashback points.
The speaker analyzes various versions of Honey's code from 2019 to present. In 2019 (version 11), Honey's standown logic was hard-coded with specific rules, including a controversial check that would disable the extension if the user's email contained 'test'. The system used a series of `if` statements and loops to evaluate rules based on providers like 'link share'.
Between 2019 and 2022, Honey's code remained largely unchanged. However, in 2024 (version 16), a significant refactor was implemented. The system shifted from hard-coded `if` statements to a more dynamic approach, driving decisions from an endpoint. This new system uses a base object with required user points and modifies it based on affiliate networks and store-specific values, making the standown logic more robust and controllable via JSON.
A surprising discovery in Honey's code is an entire JavaScript-in-JavaScript engine, including a JavaScript parser (Acorn) and a virtual machine (Vim engine). This apparatus allows Honey to execute remote code in an obfuscated manner. While the speaker wasn't able to trigger the execution, the setup suggests the capability for highly dynamic and potentially hidden operations, possibly to evade detection by ad blockers or other extensions, bypassing Google's Manifest V3 restrictions on `eval`.
The speaker describes Honey's engineering as the most complex and unusual they have ever encountered. Although the purpose of the JavaScript-in-JavaScript engine is unclear, it appears to be a sophisticated method for obfuscating code execution and dynamically controlling the extension's behavior. The standown rules are robust and controlled on a per-store, per-provider, and per-user basis via JSON, indicating a deliberate and evolving system.