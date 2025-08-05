-
Yesterday I discovered the "Paypal Honey: Automatic Coupons & Cash Back" extension was present on my linux Vivaldi (7.5.3735.54 (Stable channel) stable (64-bit)) being used on Gentoo Linux.
I am extremely concerned about how and why this happened. I have not recently installed any extensions or given any authorization to any popup soliciting permission to install an extension.
Honey is currently under heavy litigation after it was discovered they are stealing commissions from referral links from content creators. This video discusses the controversy from a legal perspective. I'm someone who follows and supports content creators and have used content creator referral links to support the channels, so although I have never used Honey myself, I am nevertheless utterly disgusted by it. Automatically stealing from small creators who are trying to just get by while sharing their passions with us, absolutely vile.
So imagine my absolute horror seeing it mysteriously appear on my browser on my Linux system.
I am trying to figure out how this could have possibly happened.
@aecfxi I fear a different extension or Linux app has loaded it.
Vivaldi does not add any extensions without your consent from Google Web Store.
You should upgrade your Vivaldi to 7.5.3735.58 to stay safe without security holes.
Looks like this extension was installed on both of my Gentoo linux systems, desktop and laptop...
No other unwanted extensions were present on either system though.
Laptop probably got it from being sync'd with desktop Vivaldi, since all other extensions are clearly synced.
Uninstall and then reinstall of Vivaldi using Gentoo emerge with ~/.config/vivaldi being left intact did not result in Honey reappearing.
I use Gentoo's package repository, a few private Gentoo repositories for a few packages not carried in the main repository, only two AppImages (LycheeSlicer and NexusMods). I recently introduced AdGuard-DNS to my network. Other than these things, my system is absolutely locked down. So this is very strange.
Is this a known vulnerability of Chrome extensions, that a Chrome extension that is or becomes malicious can cause another extension to be installed?
The ID of the unsolicited Honey extension was bmnlcjabgnpnenekpadlanbbkooimhnj, which is the same ID as the main Honey extension.
Can an installed extension that was initially something unrelated that then got purchased by Honey morph itself into Honey and change it's extension ID as well? This seems counter-intuitive to the notion of a specific extension ID, but I am struggling to find any explanation for this.
@aecfxi I don't think an extension can install another extension, that would be a mess.
However, malicious/adware software can definitely do so, for instance by enabling browser policies that auto-install an extension for users.
Most likely some software package recently installed did this.
Since Honey is owned by Paypal, did you for instance install any Paypal "apps"?
Check your
chrome://policypage just in case.
Oh, excuse, i did a typo.
Should read: I fear a different extension/plugin of a Linux app has loaded it.