Is Honey: Automated Coupons & Rewards safe to use?

Honey: Automated Coupons & Rewards has a risk level of CRITICAL with an overall risk score of 9.1/10. Our scan detected 148 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Honey: Automated Coupons & Rewards request?

Honey: Automated Coupons & Rewards requests the following permissions: alarms, cookies, storage, unlimitedStorage, scripting, webRequest, offscreen. It also requests host access to: http://*/*, https://*/*.

What is Honey: Automated Coupons & Rewards's risk score?

Honey: Automated Coupons & Rewards has an overall risk score of 9.1/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 1.0/10.

ExtSafe

Honey: Automated Coupons & RewardsSecurity Analysis

Chromev19.0.3MV3February 16, 2026 at 02:20 PM

Known Security Incidents(1)

High2024-12Resolved

Affiliate link hijacking

Investigation revealed Honey was secretly replacing creator affiliate links with its own, diverting commissions from content creators who recommended products.

View source →

9.1CRITICAL

9.1 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 9 permissions including high-risk ones, 143 code findings, 3 dangerous combinations.

Dangerous Combinations(3)

CRITICALCookie access + external network

Extension has cookie access and sends data to external servers — potential session token theft.

cookies+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

1.0/10

Permissions(9 analyzed)

Code Findings(21 patterns, 143 total)

Libraries(7 detected)

7 libraries detected

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(0 findings)

Resolved from __MSG_* i18n placeholders:

Name: Honey: Automated Coupons & Rewards

Description: Save money and earn rewards when you shop online.

No manifest-level concerns found.

External Domains(76)

${eadamwdraper.github.comapps.apple.comcdn-checkout-staging.joinhoney.comcdn-checkout.joinhoney.comcdn.honey.iocdn.joinhoney.comcheckout.checkout.prettylittlething.comd.joinhoney.comdash.joinhoney.comeniva.comevilmartians.comextension.joinhoney.comfb.megithub.comgoo.glhelp.joinhoney.comhoneyscience.github.ioimages-na.ssl-images-amazon.comjedwatson.github.iojoinhoney.onelink.mejquery.comjquery.orgo.honey.ioo.joinhoney.como197999.ingest.sentry.ioopenexchangerates.github.ioout.joinhoney.compartners.nationalcar.complay.google.comprd-east.webapi.nationalcar.comprd-west.webapi.nationalcar.comreactjs.orgredsky.target.comregex101.comsentry.ioshop.coles.com.autest.joinhoney.comv.joinhoney.comwww.adidas.comwww.ae.comwww.amazon.cawww.amazon.co.ukwww.amazon.comwww.amazon.com.auwww.avis.comwww.bathandbodyworks.comwww.budget.comwww.cvs.comwww.etsy.comwww.example.comwww.expedia.comwww.facebook.comwww.fitflop.comwww.forever21.comwww.hammacher.comwww.homedepot.comwww.instagram.comwww.joinhoney.comwww.kardiel.comwww.kohls.comwww.loft.comwww.nationalcar.comwww.orbitz.comwww.paypalobjects.comwww.petsmart.comwww.pinterest.comwww.prettylittlething.comwww.sephora.comwww.twitter.comwww.vitacost.comwww.w3ctech.comwww.walmart.comwww.woolworths.com.auwww2.hm.com