I discovered three security issues in the Honey coupon app / browser extension leading to user information leaks and privacy issues. This is the full report sent to them on Feb 13, 2018. (see update at the end of the document)
Issue 1: Information Disclosure via Permissive CORS headers
The rest route used to get the current user information has overly permissive CORS (Cross Origin Resource Headers) which allows any site to read this information.
POC:
Description:
The url: https://d.joinhoney.com/users
Responds with: Access-control-allow-credentials: true Access-control-allow-origin: * This allows any site to make a remote request to this URL and collect the information of the returned:
{
"id":"7959829026355562085",
"email":"[email protected]",
"email_confirmed":false,
"has_password":true,
"has_image":true,
"image_url":"//storage.googleapis.com/honey-user-images/7959829026355562085.png",
"name":"Matt Austin",
"firstName":"Matt",
"lastName":"Austin",
"bio":"Some more info..",
Steps to Reproduce
- Make sure you are logged in to Honey
- Visit https://maustin.net/hax/honey/ (this information could be collected and stored by the remote site but is not in this demo.)
Remediation Advice:
Only allow requests from the chrome extension or your own domain.
Issue 2: Information Disclosure via Chrome Extension DOM
Customer information is leaked into the DOM of any page when using the Honey Chrome extension.
POC:
Description:
When the user clicks on the Honey icon the chrome extension (potentially FF / the others others?) injects itself into the DOM of the page. This page can then interact with the DOM elements to get customer information to load and read / store / collect it.
The POC does the following:
- A MutationObserver is used to wait for a div with an id of “honeyContainer” to be created.
- After a few seconds we can access the new containers “shadowRoot” and forces a click on the profile icon “corner:Main-Profile”
- Next we click on the “Account” “link-1” tab
- It then reads the now displayed data from dom.
Steps to Reproduce
- Browse to https://maustin.net/hax/honey/poc2.html
- Click on the Honey icon (h) from chrome menu bar.
- Notice the page can read and re-render this information. (this information could be collected and stored by the remote site but is not in this demo)
Remediation Advice:
If possible use the standard BrowserAction.default_popup in chrome to prevent modifying the DOM at all. If not the extension should embed an iframe into the page and modify its contents and let the browsers SOP (same origin policy) block access to the dom elements. (much the way lastpass works).
Issue 3: Open File Listing for all Customer Images (note)
All user uploaded profile pictures are avaible in a public cloud bucket that was browsable from the web.
Description:
The URL https://storage.googleapis.com/honey-user-images/ appears to be a listing of all users uploaded photos. Although these are the “profile” photos of users I am not sure this was intended to be left open to the public.
Update:
All issues were reported to Honey via email on Feb 13, 2018. There was an initial reply Thanking me for the information and offering a bounty:
Unfortunately after giving them the information I received no reply. I did not expect a bounty or ask for one, I was simply trying to share informaiton with them. I tried to follow up asking if they received the information. After two months howeve, Honey silently fixed the issue, and never replied to my emails about the issues.
With the amount of data this extension collects and the carelessness they seem to have around privacy and user data I would not recommend anyone install (or remove if currently installed) this extension.