
    I Read Honey's Source Code

    2025-01-16

    A developer reverse-engineered Honey's Chrome extension source code to investigate allegations of affiliate commission theft, popularized by MegaLag's exposé videos.

    tldr

    • Honey has "stand-down" logic to not poach affiliate commissions - but it's selectively bypassed for loyal users with points
    • stand-down system evolved from hacky hardcoded checks (2019) to a sophisticated, server-controlled config system (2024+)
    • tests showed stand-down worked for guests but failed for logged-in users with cashback points - intentional design
    • extension contains a bizarre embedded JS-in-JS VM (Acorn parser + custom interpreter); its purpose is unclear, most likely obfuscation or a way to run remotely supplied code
    • code shows deliberate, ongoing improvements to what critics call a fraudulent system - not abandoned bugs

    stand-down policy

    • affiliate networks require extensions to "stand down" when users arrive via someone else's affiliate link
    • prevents poaching "last-click" commission from influencers/marketers
    • Honey has had this logic built in since early versions

    evolution of stand-down code

    • 2019-2022: hardcoded checks (provider-specific if-statements, funny edge cases like "stand down if email contains 'test'")
    • 2024+: refactored into dynamic, server-controlled JSON config system
    • config overrides behavior based on: user points balance, affiliate network, specific merchant
    • non-logged-in / low-points users have absurdly high thresholds (~65k points) to override stand-down
    • effectively forces stand-down for guests, but not for logged-in users with an accumulated points balance

    the smoking gun

    • tests showed stand-down triggered for zero-point/guest accounts
    • but failed to trigger for logged-in accounts with accumulated cashback points
    • suggests intentional, selective bypassing for users who have earned points
    • not bugs - actively improved and made more robust over time
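The two sections above describe the same mechanism from two angles: a server-delivered config whose thresholds decide who stands down, and tests showing guests stand down while point-holding accounts do not. The following is an added example that reconstructs that decision logic; it is not Honey's code, and the config schema, field names, network and merchant names, and every number in it are assumptions chosen to mirror the behaviour the notes describe.

```javascript
// Added illustration, not Honey's code. Models the 2024+ design described above:
// a server-delivered JSON config that decides whether the extension "stands down"
// (leaves the referring affiliate's last-click attribution alone) based on the
// user's points balance, the affiliate network and the merchant. Every field
// name and number here is an assumption for the example.
const constructedConfig = {
  // Global threshold: a user needs at least this many points before the
  // extension is allowed to replace the affiliate tag. Guests never get there.
  overrideThresholdPoints: 65000,
  // Per-network overrides for logged-in users. Lower = easier to bypass.
  networks: {
    "network-a": { overrideThresholdPoints: 500 },
    "network-b": { overrideThresholdPoints: 1000 },
  },
  // Per-merchant overrides win over the network rule.
  merchants: {
    "merchant-always-bypass": { overrideThresholdPoints: 0 },
  },
};

// Resolve the threshold that applies to this visit: merchant > network > global.
// Guests (not logged in) only ever see the global rule.
function thresholdFor(config, visit) {
  if (!visit.loggedIn) return config.overrideThresholdPoints;
  const m = config.merchants[visit.merchant];
  if (m && Number.isFinite(m.overrideThresholdPoints)) return m.overrideThresholdPoints;
  const n = config.networks[visit.network];
  if (n && Number.isFinite(n.overrideThresholdPoints)) return n.overrideThresholdPoints;
  return config.overrideThresholdPoints;
}

// true  = stand down (do not touch the existing affiliate attribution)
// false = the extension drops its own affiliate tag and takes last click
function shouldStandDown(config, visit) {
  if (!visit.arrivedViaAffiliate) return false; // nothing to stand down from
  const points = visit.loggedIn ? visit.points : 0;
  return points < thresholdFor(config, visit);
}

// Scenarios mirroring the author's tests: guest / zero points vs. logged-in
// accounts with accumulated cashback. Constructed inputs, not captured data.
function runScenarios(config) {
  const base = { arrivedViaAffiliate: true, network: "network-a", merchant: "some-store" };
  const scenarios = {
    guest:       { ...base, loggedIn: false, points: 0 },
    lowPoints:   { ...base, loggedIn: true,  points: 120 },
    loyal:       { ...base, loggedIn: true,  points: 2400 },
    anyPointsOnListedMerchant: { ...base, loggedIn: true, points: 1, merchant: "merchant-always-bypass" },
    directVisit: { ...base, arrivedViaAffiliate: false, loggedIn: false, points: 0 },
  };
  const results = {};
  for (const [name, visit] of Object.entries(scenarios)) {
    results[name] = shouldStandDown(config, visit);
  }
  return results;
}

// Practitioner check: given a config, list the networks on which a logged-in
// user holding `points` would NOT stand down, i.e. where a referrer's
// commission is at risk. Useful when diffing successive config pulls.
function bypassableNetworks(config, points) {
  return Object.entries(config.networks)
    .filter(([, rule]) => points >= rule.overrideThresholdPoints)
    .map(([name]) => name)
    .sort();
}

console.log(runScenarios(constructedConfig));
console.log(bypassableNetworks(constructedConfig, 700)); // ["network-a"]
```

With this shape, a guest and a 120-point user both stand down while a 2,400-point user on the same network does not, which is the split the author observed. The useful audit is not the global threshold but the per-network and per-merchant overrides, since those are what a server push can quietly lower.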

    the embedded js vm

    • Honey contains a JavaScript-in-JavaScript interpreter (Acorn parser + custom "VIM" virtual instance manager)
    • can parse and run JS code strings (sometimes fetched or embedded)
    • references to "cart ops retrieval.js" that look like injectable JS
    • not obviously triggered in normal use: the author could not hit breakpoints in it while browsing
    • likely purpose: evading ad blockers or other extensions, or sidestepping Manifest V3's restrictions on remotely hosted code and eval (an interpreter treats fetched code as data, so no script element or eval call is ever made)
    • described as "one of the most bizarre, over-engineered things" in an extension
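To make concrete what "parse with Acorn, run with a custom interpreter" means, here is an added example of a minimal tree-walking interpreter over an ESTree AST, the format Acorn emits. It is not Honey's VM and makes no claim about how that VM is built. Calling `acorn.parse(source, { ecmaVersion: 2020 })` on the source shown in the comment would yield a tree shaped like `constructedAst`; the tree is written out by hand here so the example runs offline without the acorn package. The `run`, `Scope` and `ReturnSignal` names and the supported node subset are this example's own choices.

```javascript
// Added illustration, not Honey's VM. A tree-walking interpreter over an ESTree
// AST (the format acorn produces). acorn.parse(source, { ecmaVersion: 2020 })
// on the source below would yield a tree shaped like constructedAst; it is
// hand-written here so the example runs offline without the acorn package.
// Supported nodes: Program, FunctionDeclaration, BlockStatement, ReturnStatement,
// VariableDeclaration, ExpressionStatement, BinaryExpression, CallExpression,
// Identifier, Literal. Anything else raises SyntaxError.

const id  = (name)  => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });

// Constructed program: "function add(a, b) { return a + b; } var x = add(2, 3) * 7; x"
const constructedAst = {
  type: "Program",
  body: [
    {
      type: "FunctionDeclaration", id: id("add"), params: [id("a"), id("b")],
      body: { type: "BlockStatement", body: [
        { type: "ReturnStatement",
          argument: { type: "BinaryExpression", operator: "+", left: id("a"), right: id("b") } },
      ] },
    },
    {
      type: "VariableDeclaration", kind: "var",
      declarations: [{
        type: "VariableDeclarator", id: id("x"),
        init: { type: "BinaryExpression", operator: "*",
                left: { type: "CallExpression", callee: id("add"), arguments: [lit(2), lit(3)] },
                right: lit(7) },
      }],
    },
    { type: "ExpressionStatement", expression: id("x") },
  ],
};

class Scope {
  constructor(parent = null) { this.vars = new Map(); this.parent = parent; }
  define(name, value) { this.vars.set(name, value); }
  lookup(name) {
    if (this.vars.has(name)) return this.vars.get(name);
    if (this.parent) return this.parent.lookup(name);
    throw new ReferenceError(name + " is not defined"); // no fallthrough to the host's global object
  }
}

class ReturnSignal { constructor(value) { this.value = value; } }

const BINARY = {
  "+": (a, b) => a + b, "-": (a, b) => a - b, "*": (a, b) => a * b, "/": (a, b) => a / b,
  "<": (a, b) => a < b, ">": (a, b) => a > b, "===": (a, b) => a === b,
};

function evalNode(node, scope) {
  switch (node.type) {
    case "Program": { let last; for (const s of node.body) last = evalNode(s, scope); return last; }
    case "FunctionDeclaration": {
      scope.define(node.id.name, (...args) => {
        const inner = new Scope(scope); // lexical scope: closes over the defining scope
        node.params.forEach((p, i) => inner.define(p.name, args[i]));
        const r = evalNode(node.body, inner);
        return r instanceof ReturnSignal ? r.value : undefined;
      });
      return undefined;
    }
    case "BlockStatement":
      for (const s of node.body) { const r = evalNode(s, scope); if (r instanceof ReturnSignal) return r; }
      return undefined;
    case "ReturnStatement": return new ReturnSignal(node.argument ? evalNode(node.argument, scope) : undefined);
    case "VariableDeclaration":
      for (const d of node.declarations) scope.define(d.id.name, d.init ? evalNode(d.init, scope) : undefined);
      return undefined;
    case "ExpressionStatement": return evalNode(node.expression, scope);
    case "BinaryExpression": {
      const op = BINARY[node.operator];
      if (!op) throw new SyntaxError("unsupported operator " + node.operator);
      return op(evalNode(node.left, scope), evalNode(node.right, scope));
    }
    case "CallExpression": {
      const callee = evalNode(node.callee, scope);
      if (typeof callee !== "function") throw new TypeError("callee is not a function");
      return callee(...node.arguments.map((a) => evalNode(a, scope)));
    }
    case "Identifier": return scope.lookup(node.name);
    case "Literal": return node.value;
    default: throw new SyntaxError("unsupported node type " + node.type);
  }
}

// Run an AST with an explicit allowlist of host values. The guest code sees only
// what is passed in: no window, document, fetch or chrome.* unless the host adds them.
function run(ast, globals = {}) {
  const root = new Scope();
  for (const [name, value] of Object.entries(globals)) root.define(name, value);
  return evalNode(ast, root);
}

// Constructed program whose only statement reads `document`: probes the sandbox boundary.
const constructedEscapeAttempt = {
  type: "Program", body: [{ type: "ExpressionStatement", expression: id("document") }],
};

console.log(run(constructedAst)); // 35
```

The security point is in `run`: nothing in the interpreted program touches a real script. A string fetched from a server becomes an AST and then a sequence of JavaScript function calls, which is why Manifest V3's content security policy (no `eval`, no `new Function`, no remotely hosted code) does not stop it. The allowlisted globals are the only containment; an interpreter that hands the guest code `document`, `fetch` or `chrome` has effectively reintroduced remote code execution, which is what a reviewer of an extension like this should check first.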

    bigger picture

    • aligns with 2024-2026 Honey scandal: MegaLag videos, class action lawsuits from influencers (LegalEagle, Wendover)
    • Rakuten cut Honey in 2026 over these practices
    • code analysis supports claims of intentional, evasive design - not innocent bugs
    • engineering is "robust" - actively enhanced, not abandoned cruft