I Read Honey's Source Code

Share

Summary

This video delves into a 'Honey scandal' by analyzing the coupon Chrome extension's source code. The speaker investigates allegations of Honey stealing commissions from influencers and discusses the evolution of Honey's 'standown' policy. The video also uncovers Honey's peculiar use of a JavaScript-in-JavaScript engine and its potential implications for code obfuscation and execution.

Highlights

Introduction to the Honey Scandal and Code Investigation
00:00:09

The speaker introduces a 'Honey scandal' and explains that as a Chrome extension, Honey's code is publicly available for examination. The goal is to investigate allegations of fraudulent behavior and observe how the code has evolved over time. The speaker will watch an excerpt from a video detailing the scandal and then analyze Honey's minified code.

Honey's 'Standown Policy' and Alleged Fraud
00:01:13

The video discusses how Honey was allegedly stealing money from influencers. Affiliate networks typically enforce a 'standown policy' to prevent coupon extensions from poaching commissions from content creators. An example with Newegg shows that Honey is supposed to stand down when an affiliate link is active. However, testing with two different Honey accounts reveals that Honey selectively applies this policy, particularly favoring accounts with accumulated cashback points.

Analyzing Honey's Code: Initial Standown Logic (2019)
00:03:00

The speaker analyzes various versions of Honey's code from 2019 to present. In 2019 (version 11), Honey's standown logic was hard-coded with specific rules, including a controversial check that would disable the extension if the user's email contained 'test'. The system used a series of `if` statements and loops to evaluate rules based on providers like 'link share'.

Evolution of Standown Logic: Robust Refactor (2024)
00:06:40

Between 2019 and 2022, Honey's code remained largely unchanged. However, in 2024 (version 16), a significant refactor was implemented. The system shifted from hard-coded `if` statements to a more dynamic approach, driving decisions from an endpoint. This new system uses a base object with required user points and modifies it based on affiliate networks and store-specific values, making the standown logic more robust and controllable via JSON.

Discovery of JavaScript-in-JavaScript Engine
00:10:16

A surprising discovery in Honey's code is an entire JavaScript-in-JavaScript engine, including a JavaScript parser (Acorn) and a virtual machine (Vim engine). This apparatus allows Honey to execute remote code in an obfuscated manner. While the speaker wasn't able to trigger the execution, the setup suggests the capability for highly dynamic and potentially hidden operations, possibly to evade detection by ad blockers or other extensions, bypassing Google's Manifest V3 restrictions on `eval`.

Conclusion: Highly Complex and Obfuscated Engineering
00:13:32

The speaker describes Honey's engineering as the most complex and unusual they have ever encountered. Although the purpose of the JavaScript-in-JavaScript engine is unclear, it appears to be a sophisticated method for obfuscating code execution and dynamically controlling the extension's behavior. The standown rules are robust and controlled on a per-store, per-provider, and per-user basis via JSON, indicating a deliberate and evolving system.

Recently Summarized Articles

Loading...