00:00:00 (keyboard clicking)
00:00:03 So I wanted to take a look at this big Honey scandal
00:00:12 that's going on.
00:00:12 If you're not familiar with Honey,
00:00:13 Honey is one of those coupon Chrome extensions,
00:00:16 which means all of its code is available for me to look at.
00:00:19 And so I can take a look at the things
00:00:22 that are being alleged in these YouTube videos
00:00:24 and I can actually see, is this happening?
00:00:26 But more so when it comes to extensions,
00:00:28 I can actually look over time and see,
00:00:31 were these bad decisions being made
00:00:34 and have software engineers made alterations
00:00:37 to not only continue on,
00:00:39 but make these bad behaviors even better and more robust?
00:00:44 Yes, yes they have.
00:00:45 And I'm gonna show you how that's happened.
00:00:47 But I know there's plenty of you
00:00:48 that probably have no idea what's going on.
00:00:50 You're not really even familiar with Honey.
00:00:52 And so you have never really been caught up.
00:00:55 This actually involves a very specific operation
00:00:58 of Honey that I want to go over.
00:00:59 So we're actually gonna watch a three minute excerpt
00:01:01 from this latest Honey reveal video.
00:01:05 And then I'm gonna talk about going through the minified code
00:01:08 and exactly what I found and the intent behind it,
00:01:11 which is a bit surprising.
00:01:12 Now, if there's one thing people hate more than deception,
00:01:14 it's theft.
00:01:15 And in my first video,
00:01:16 I showed you how Honey was stealing money from influencers.
00:01:19 But what I didn't tell you is that this behavior
00:01:22 is, in most cases, strictly not allowed.
00:01:24 You see, the companies that run this industry,
00:01:26 the affiliate networks,
00:01:28 know full well that coupon extensions like Honey
00:01:30 have a high probability of poaching commissions
00:01:33 from influencers, bloggers,
00:01:34 and other content-driven affiliates.
00:01:37 More importantly, they also understand that this is not fair,
00:01:40 especially under the last-click-wins policy,
00:01:43 which has remained an industry standard.
00:01:46 So to prevent this type of commission theft,
00:01:48 most major affiliate networks enforce what's known
00:01:51 as a stand down policy.
00:01:53 Let me show you what that looks like on Honey.
00:01:55 Let's visit newegg.com first without an affiliate link.
00:01:58 And as you can see,
00:01:59 Honey immediately pops up offering cashback.
00:02:02 But if we do this again,
00:02:03 this time using my affiliate link for Newegg,
00:02:05 you'll notice that Honey doesn't pop up at all.
00:02:08 And if we click on the Honey icon,
00:02:10 you can see that Honey is now disabled.
00:02:12 So that's how Honey is supposed to behave
00:02:14 when a user's already clicked
00:02:15 on someone else's affiliate link.
00:02:17 So where then is the alleged fraud, you ask?
00:02:19 Well, as it turns out,
00:02:21 Honey has always had a stand down system
00:02:23 built into their app,
00:02:24 but they have been selectively choosing
00:02:26 when and to whom to apply the rules.
00:02:28 Let's test my affiliate link for Newegg again.
00:02:31 Only this time I have two entirely separate Chrome browsers
00:02:34 open at the same time,
00:02:36 and each is logged into a different Honey account.
00:02:38 The Honey account on the left has zero cashback points,
00:02:41 while the Honey account on the right
00:02:43 has accumulated cashback points.
00:02:45 Now, what happens when I open
00:02:46 the Newegg affiliate link on both browsers?
00:02:49 The Honey account on the left stands down
00:02:51 as it did the first time.
00:02:52 But look at this, the account on the right,
00:02:54 which has cashback points, did not stand down.
00:02:58 So why is that?
00:02:58 So this is the thing that I wanted to test.
00:03:01 I wanted to go through this because this is code.
00:03:03 I can understand code.
00:03:04 I can look at the JSON that's coming down
00:03:07 and I can understand it.
00:03:09 Not only that, but the power of AI
00:03:11 will allow me to search through minified code
00:03:13 at speeds unbeknownst to me
00:03:16 just throughout my entire programming universe.
00:03:18 So what we did is that we first got a bunch of versions
00:03:21 of Honey.
00:03:22 So the ones that I kind of went through
00:03:23 were starting from about February 2019,
00:03:25 all the way up until present day, 1901.
00:03:28 And with that, what I wanted to do is go,
00:03:30 okay, first off, is this like user point
00:03:33 kind of deciding when to and when not to show
00:03:36 the stand down menu, does it exist?
00:03:38 Yes, it does quite exist.
00:03:40 But the real question was, had it like changed?
00:03:43 Because I've worked at a big company,
00:03:45 right, you've worked at a big company,
00:03:46 I'm sure you have, or some of you have,
00:03:48 and you know that sometimes code just sticks around.
00:03:50 You know, it's like whoopsie poopsies,
00:03:52 it's just still there, no one's changed it in five years,
00:03:54 that's just the way it is.
00:03:55 And that's kind of what I was looking for,
00:03:57 which is, did the code stick around?
00:04:00 Or have there been changes that were significant?
00:04:03 Not like little bug fixes.
00:04:05 All right, so to avoid being copyrighted,
00:04:07 'cause apparently PayPal lawyers will copyright,
00:04:10 hit them with the DMCA, anyone that actually shows the code.
00:04:13 That means I have to do this weird charade dance
00:04:15 on the old blackboard to show you what was happening.
00:04:18 So starting in version 11, remember, which is about 2019,
00:04:22 this version did have the stand down logic.
00:04:25 It did even have things that were called
00:04:27 SSD stand down logics.
00:04:29 It matched the JSON file that comes down
00:04:31 with a bunch of data.
00:04:32 Here is my stand down of a user
00:04:35 that's like not logged in at all, the most basic stuff.
00:04:38 In here, you can see UP is user points.
00:04:41 ADB is like ad block last time used.
00:04:45 There's also "is account logged in".
00:04:47 And there's some other fields
00:04:48 that seem to crop up every now and then.
00:04:50 So what's interesting is in 2019 under version 11,
00:04:53 things often looked like this.
00:04:55 There's like a giant switch statement
00:04:57 that ended up having these cases where it's just like,
00:04:59 okay, hey, do we test for an email?
00:05:02 And yes, it literally had a string.
00:05:04 Does this email contain "test"?
00:05:06 Then always stand down, which by the way, shady.
00:05:10 It's avoiding these link testing accounts to come in
00:05:13 and behave like LinkShare test to go see
00:05:15 does this actually work?
00:05:16 Because let's just face it,
00:05:17 who here hasn't had a tester account
00:05:19 that does not contain the test?
00:05:20 I most certainly have.
00:05:22 But nonetheless, this right here was an explicit check.
00:05:24 If you have the word test in your email anywhere,
00:05:27 it will disable you.
00:05:29 But more so that, I mean, this was already talked about,
00:05:31 but more so the things that were really confusing
00:05:32 is it would go through a series of checks and it would be like,
00:05:35 hey, is the provider that is currently active equal to LS,
00:05:39 which is LinkShare?
00:05:41 If it is, I want you to apply these exact rules.
00:05:44 And then later on, it had this check where it would go through
00:05:47 all the rules that it had figured out,
00:05:49 and then it'd go one by one in a little for loop
00:05:51 going through each one of these rules and checking,
00:05:53 do any of them fail?
00:05:55 If any of them fail, it would stand down.
00:05:57 So this was a fairly kind of hard-coded process,
00:06:00 as you can see, because there was like a literal line
00:06:01 saying like, if LinkShare, do this action.
00:06:06 If we're in this other provider, do something else.
00:06:08 Now I of course have been on many, many projects
00:06:11 where this kind of stuff just happens.
00:06:12 This is totally normal.
00:06:14 You start off where you're like, okay, hey,
00:06:15 we might have one or two providers and that's that.
00:06:18 So I'll just put a little couple of hard-coded edge cases
00:06:20 in here and we'll just make sure things get taken care of
00:06:23 in a certain way.
00:06:24 We stand down for some amount of duration,
00:06:25 which by the way, was not a very long part.
00:06:27 You should watch MegaLag's video to find out exactly
00:06:30 how just awful the rules actually were.
00:06:34 But again, my goal is to go, okay,
00:06:36 did they make changes to the code that were bug fixes?
00:06:39 What happened?
00:06:39 Well, this is where things get a little bit confusing
00:06:42 'cause between the versions 11 through 14,
00:06:45 which I believe is all the way up until 2022, yes, 2022,
00:06:49 things remained pretty much constant.
00:06:52 Nothing really changed, a little bit of edits,
00:06:54 nothing to really show much.
00:06:56 But starting around, I believe in version 16,
00:06:58 so in 2024, there was a robust refactor made
00:07:03 such that they can drive a lot of these decisions
00:07:05 from an endpoint in Honey.
00:07:07 Now this endpoint sends down an object that looks like this,
00:07:09 that has this base value, then it has these values,
00:07:14 then it has these values under X.
00:07:16 So that means the previous version,
00:07:18 it used a series of if statements
00:07:20 to kind of determine the type of behaviors
00:07:22 that it wanted to do.
00:07:23 And then it would do rule evaluation to see,
00:07:26 did this rule actually pass?
00:07:28 Did we actually get out a true or a false?
00:07:30 But in version 16, they decided to go a bit more intense
00:07:34 when it comes to software engineering.
00:07:36 Now we all know what you do
00:07:40that are kind of doing this like wrapping of data
00:07:42and kind of doing a basic mutation on an object?
00:07:45Well, you would wanna drive it through some sort of config.
00:07:48You'd wanna drive it through something
00:07:49that is a bit more dynamic to make it a little bit easier.
00:07:52And that's exactly what they did.
00:07:53So if we go back here and look at the data
00:07:55that is coming down from me, a non-logged in Honey user,
00:07:58you will see right here is that I have a base class.
00:08:00This base class will become the base object
00:08:04for how Honey determines.
00:08:05Right now for this non-logged in user base class,
00:08:08I require 65,000 user points for Honey to not stand down.
00:08:13If I have less than 65,000 points,
00:08:15remember I'm not logged in so I have zero points,
00:08:17it will say, sorry, I'm standing down.
00:08:18I'm avoiding this.
00:08:20Now, when it gets that base,
00:08:22what it then does is it checks how did it get here?
00:08:25Where did we get here?
00:08:27Why did we get here?
00:08:28And it does the next check, was this from one
00:08:30of these affiliate networks?
00:08:32And then it will start wrapping things.
00:08:33So, okay, so if I come from a link share place,
00:08:35it will now only make my points required 5,001.
00:08:39It will edit this base object.
00:08:41It's actually doing the better,
00:08:43more sophisticated engineering.
00:08:44It's not a series of hard-coded if statements anymore.
00:08:48Instead, it's doing an actual, hey, take dot base.
00:08:51Then I want to say, do you have my provider?
00:08:55If you have my provider, I want to spread in my provider's
00:08:58values or just an empty object.
00:09:01And then it did something even more wild,
00:09:03which is all of these right here under X.
00:09:07These are all store specific values.
00:09:09Then it would check, hey, whatever store I'm currently in,
00:09:13I also want to put on those values as well.
00:09:16And then it would go and do the basic rule logic,
00:09:20showing that it's not anymore under some sort
00:09:22of maintenance mode.
00:09:23It's showing that it's no longer kind of this hard-coded
00:09:26hacky thing that's been existing for like a decade.
00:09:29Instead, they went from that.
00:09:31And in 2024, they said, you know what?
00:09:33We need to be more robust and we need to be able
00:09:36to make more decisions about more stores and more providers
00:09:39in a more kind of easier to maintain fashion.
00:09:43This was software engineering people and they did it.
00:09:46So when I look at this, what I see is that over time,
00:09:49they have made changes to make their system better,
00:09:52which means that there is an intent behind it.
00:09:54They want to keep whatever the system is doing,
00:09:57whether it is or is not fraudulent.
00:09:59I cannot say that's for somebody else to decide,
00:10:01but I can at least say that their decisions have been
00:10:04to make it more robust and better.
00:10:07And given the fact that the general perception of this system
00:10:10as being pretty shady,
00:10:11they've made their pretty shady system much, much better.
00:10:16But that's not all I found.
00:10:17I found something else that kind of piqued my interest.
00:10:19I kept seeing the word VIM that just kept popping up.
00:10:23Now I'm like, VIM, what is the text editor doing?
00:10:26When I asked Claude Cote about it, it actually said,
00:10:29hey, you're talking about the VIM instance manager
00:10:32that's been found inside of a Honey?
00:10:34And I was like, VIM instance manager.
00:10:35Okay, that can't be it.
00:10:37That is not it.
00:10:38And then as I started looking at this,
00:10:40what I ended up seeing is that there is an entire JavaScript
00:10:45in JavaScript engine that runs inside the Honey plugin.
00:10:49Now, this is absolutely the strangest thing I have ever seen.
00:10:54I tried to do some reading up on it.
00:10:56I'm not a plugin developer expert when it comes to Chrome.
00:10:59So I had no idea why anyone would ever run JavaScript
00:11:04in JavaScript.
00:11:05But what Honey does is it actually has Acorn,
00:11:09which is a JavaScript parser and produces an AST
00:11:12from valid JavaScript.
00:11:14And it takes this, evaluates JavaScript,
00:11:17and then feeds it into this VIM engine.
00:11:19Now there's several references within the code
00:11:22that actually refer to this other object
00:11:24called cart ops retrieval JS and product ops retrieval JS,
00:11:28which sometimes is not null, actually contains code.
00:11:31And it also refers to this JS code,
00:11:33which is also not null sometimes, like right here,
00:11:36it's actual real JavaScript.
00:11:38But as far as I could tell,
00:11:39it's not actually executing any of this code.
00:11:41I tried to set some breakpoints.
00:11:42I never actually got to the point of making a trigger,
00:11:45but nonetheless, this does exist.
00:11:47They have the apparatus set up
00:11:49to be able to execute remote code on your machine
00:11:52based on whatever returns from Honey
00:11:54in a very, very obfuscated way.
00:11:57 This JavaScript in JavaScript,
00:11:59 they have a JavaScript parser.
00:12:00 They have a JavaScript virtual machine.
00:12:03 It is actual JavaScript in the JavaScript.
00:12:06 But they also have this one section
00:12:08 where there's just all of these stringified functions.
00:12:11 And there is a bunch of inlined JavaScript
00:12:13 that's just filled with ways
00:12:15 in which they search through pages and stuff like this.
00:12:18 But those ones come down with the product.
00:12:22 So they're not technically against
00:12:24 the old Google terms of service.
00:12:26 'Cause if you look at the additional requirements
00:12:28 for Manifest V3 for anyone that's doing this,
00:12:30 is you should not be allowed to use JavaScript eval.
00:12:33 Okay, so we're not gonna do that.
00:12:34 We're not gonna eval.
00:12:35 What we're gonna do is we're gonna hard-code some operations
00:12:38 we don't want other plugins to know we're doing.
00:12:40 And then we're gonna incorporate an entire JavaScript engine
00:12:44 to run them to further obfuscate what we are doing.
00:12:47 Which is funny because this V3 right here,
00:12:50 it seems like it was designed for Honey specifically
00:12:52 'cause it says building an interpreter
00:12:54 to run complex commands fetched from a remote source,
00:12:57 even if those commands are fetched as data.
00:12:59 So they get around it.
00:13:00 These aren't remote things.
00:13:01 These are strings that are actually available
00:13:03 within the Honey extension.
00:13:05 But man, this is some obfuscation.
00:13:07 This is some weird stuff.
00:13:09 I cannot personally understand a single reason
00:13:12 why this is actually happening.
00:13:14 Like I said, apparently it's due to interactions
00:13:16 with other extensions, other extensions being ad blockers.
00:13:19 Apparently ad blockers might ad block the Honey extension
00:13:22 if it directly runs certain functions,
00:13:25 but somehow through this weird interpreter,
00:13:27 it's able to actually run stuff
00:13:29 that is getting avoided to be caught.
00:13:31 I don't know, but it seems like a cluster festival to me.
00:13:33 And I found this to be very, very interesting
00:13:35 'cause I've never done any sort of reverse engineering.
00:13:37 I've never really looked through someone else's source code,
00:13:39 especially minified source code.
00:13:41 I just wanted to show you guys this.
00:13:42 This is perhaps the most unusual engineering
00:13:45 I've ever seen in my lifetime.
00:13:46 I've been a part of code bases
00:13:48 that are 10 plus thousand lines long
00:13:50 of weird state machines and are impossible to work with,
00:13:53 hard to reason about, but this has to take the cake.
00:13:57 This has to be the most complex, weirdest contraption,
00:14:01 Rube Goldberg level I have ever seen.
00:14:03 But furthermore, the dynamic rules
00:14:05 for doing the stand down stuff,
00:14:07 they're robust.
00:14:08 Whatever the purpose is, whether it is or isn't fraudulent,
00:14:11 it has been designed to be dynamic
00:14:14 and to be controlled via JSON on a per-store,
00:14:17 per-provider and per-user basis.
00:14:19 But anyways, I want to give a special shout out to MegaLag.
00:14:21 It was really awesome.
00:14:22 I got to chat with him.
00:14:23 He helped me a little bit kind of looking through some stuff.
00:14:25 So big shout out to him.
00:14:26 You should definitely check out the video.
00:14:27 It's in the description.
00:14:28 It's super well done.
00:14:29 There are multiple of them
00:14:30 and I recommend you watch them all.
00:14:32 They're very, very good.
00:14:33 Also, do you like this thing that I did?
00:14:35 Do you like this format?
00:14:36 I don't know.
00:14:37 This is kind of new.
00:14:38 This is just me spending some time on stream,
00:14:40 having fun and then reporting back to you.
00:14:42 If you were on stream, you would have seen this happen live.
00:14:44 Could have been a lot more fun for you.
00:14:45 The name is "I'm not a reverse engineer",
00:14:49 but this was a lot of fun.
00:14:50 I can see why people do it.
00:14:51 A gen.
00:14:52 Hey, is that HTTP?
00:14:55 Get that out of here.
00:14:56 That's not how we order coffee.
00:14:57 We order coffee via SSH, terminal.shop.
00:15:00 Yeah, you want a real experience?
00:15:02 You want real coffee?
00:15:03 You want an awesome subscription
00:15:04 so you never have to remember again?
00:15:06 Oh, you want exclusive blends with exclusive coffee
00:15:10 and exclusive content?
00:15:12 Then check out CRON.
00:15:13 You don't know what SSH is?
00:15:14 Well, maybe the coffee's not for you.
00:15:18 ♪ Terminal coffee in hand ♪
00:15:22 ♪ Live in the dream ♪