I did not expect the #Honey browser extension to provide great privacy. Still, finding four (!) different mechanisms allowing the Honey server to run arbitrary code on any website exceeded my expectations by far. It even uses AES for obfuscation.
https://palant.info/2020/10/28/what-would-you-risk-for-free-honey/
“Why did they even bother with this complicated approach? Beats me. I can only imagine that they had trouble with shops using CSP in a way that prohibited execution of arbitrary scripts. So they decided to run the scripts outside the browser where CSP couldn’t stop them.” #Honey
“Are you saying document.querySelector()? No, guess again. Is anybody saying jQuery? Yes, of course it is using jQuery for extension code as well! And that means that every selector could be potentially booby-trapped.” #Honey
“This time, there is no point decoding the base64-encoded data: the result will be binary garbage. As it turns out, the data here has been encrypted using AES, with the start of the string serving as the key.” #Honey
“So here is a mechanism, providing the server with a simple way to run arbitrary JavaScript code on any website it likes, immediately after the page loads and with sufficient obfuscation that nobody will notice anything odd. Mission accomplished?” #Honey
“And so the Honey extension also has [obfuscated JavaScript] VIM code that will run in the context of the extension’s background page. It seems that the purpose of this code is extracting user identifiers from various advertising cookies.” #Honey
“… this allows it to load any script from PayPal at will. These scripts will be able to do anything that the extension can do: read or change website cookies, track the user’s browsing in arbitrary ways, inject code into websites or even modify server responses.” #Honey
“On a side note, I couldn’t fail to notice one more interesting feature not mentioned in the privacy policy. Honey tracks ad blocker usage, and it will even re-run certain tracking requests from the extension if blocked by an ad blocker. So much for your privacy choices.” #Honey
“Edit (2020-10-28): As @hfiguiere@twitter.com pointed out, extensions acquire this Verified badge by paying for the review. All the more interesting to learn what kind of review has been paid here.”