Extra caution is recommended when installing recently uploaded/updated scripts (read more)
Be sure you trust any scripts you install
Screen Userscripts
Screens greasemonkey userscripts to make sure they don't steal cookies (or, in the future, do other bad things either). [UPDATED!][Bug Fix](please update your Screen Userscripts)
md5: abc4c03395c43f8bb8c51d07500c8e87
sha1: 9c4805c92197c152920d4c8554c4058a2e03d284
If you are browsing userscripts on userscripts.org, you will notice a big red banner at the top warning you about malicious, cookie stealing, userscripts. The good folks at userscripts.org, however, have been doing great work to keep these from being uploaded.
Just in case any get don't get caught right away, you can install Screen Userscripts to warn you if you're about to install a malicious script. The other beauty of Screen Userscripts, is that it works on all sites; not just userscripts.org. So if you download one from somebody's blog or something, you'll still be warned.
At current, Screen Userscripts only warns about cookie stealing scripts, however in the future, I hope to keep it updated to protect against other malicious scripts.
You can check the md5 sum (or sha1 sum, if you prefer) listed above against that of this script, to make sure you don't have a possibly insecure version. I usually use MD5summer. As I make updates to the script, I will update the md5 and sha1 sums.
##You can try this script out at http://www.efoxdesigns.com/max/downloads/Screen Userscripts/
##Screen Userscripts warns you by popping up a message on any page that links to a userscript(s) that may be malicious. Also, if you hover over a link to a script (such as "Install this script"), a message will appear warning you not to install that script.
##Suggestions can be sent to maxATefoxdesignsDOTcom. (This link will go to your gmail or yahoo mail composer if you have Mailto 2 Webmail installed.)
[UPDATED] You now have the option of being asked whether or not to automatically scan userscripts, or be asked first.
[again] The original update (above) was kinda sketchy, and has been streamlined. Also, you can set a threshold number of scripts on a page to be auto-scanned, before Screen Userscripts asks you if you really want to scan all of them.
*Performance Note: depending on the number of scripts on a page, scanning may take a few seconds, during which your browser will freeze.
[...and again] It's here! This is pretty much the final update, aside from "virus definition" updates. This update allows you the option to have Screen Updates notify you of future updates (by setting checkForUpdate). This notification will only appear when you visit userscripts.org, and will not show up again once you've clicked it.
[EDIT] The update system doesn't quite work yet, actually. I hope to have it fixed soon.
[Bug Fix] When Screen Userscripts scanned a userscript, it incremented the install count for that script. That bug has been fixed. Install counts will no longer be affected by Screen Userscripts. The functionality of Screen Userscripts has not changed, however. :) Thanks for the help, Descriptor.
You could comment on this script if you were logged in.
login to vote
RE:
"How do you check an MD5 sum?"See the part about checking the md5 sum in the description above. (About 5 paragraphs down.)
-Max
login to vote
How do you check an MD5 sum? I'm not sure, but do we download the MD5 sum from http://www.efoxdesigns.com/max/downloads/Screen Userscripts/ after we install Screen Userscripts?
login to vote
I am thankful for this script. People like me who are not experts in javascript can have at least a small level of defense against malicious codes.
login to vote
So, for those of you wondering, there is a bug in the current downloadable version of this script, that I haven't had time to fix yet. Basically, what happens, is that when you upgrade to this version, you will get a message saying that you don't have the current version, when, in fact, you do. All you have to do is click the box, to ignore it forever. (Until, possibly a new version comes out.)
I might not fix this bug until the next version. However, if people email me, expressing an interest in a fix sooner than that, then I will take a look at it.
Regards,
Max max(AT)efoxdesigns(DOT)com
login to vote
I'm with Lucanos on this. It's pretty easy to come up with some convoluted expression that yields
"document.cookie"and then pass it toeval. It's not that you shouldn't try, but users need to know that there is no guarantee something won't slip through.login to vote
An interesting concept - I have had a look at the code (I am no PHP or JavaScript expert, I should point out), but looking for strings which contain "*.php?cookie=*" seems pretty easy to work around - I'd simply change the variable name to "c", or not bother naming it at all.
A simpler (and admittedly, possibly easier circumvented) technique may just be to scan for the string "cookie" inside the script.
Just an idea...
login to vote
Very nice, I like it :D
login to vote
Yes, and they do. Screen Userscripts works on other sites besides us.org, such as this script's homepage
Also, in the future, Screen Userscripts will hopefully be able to screen against other malicious scripts.
-Max
login to vote
If it's possible to scan userscripts for cookie stealing, couldn't us.o do that on their end and flag scripts?
login to vote
<font><table><tbody><tr><td>
</td><td>It's great script
but it's slow down firefox
but it's worth for me to use it,anyway
.....Geranun......
</td></tr></tbody></table></font>
login to vote
while this is a valiant effort, the MD5 and SHA1 sums do not provide any additional authenticity verification. if the author of this script were to fall victim to a cookie-stealer script that compromised his USO account, the MD5 and SHA1 sums could be spoofed as easily as this script itself.
login to vote
Nice one!
login to vote
(By the way, Gasoline, even though the scan button does not appear on the description pages, they are still being scanned. It's just automatic.)
login to vote
Yeah, that's one of the features you can configure. Just set
thresholdto 0, OR setautoScanto false, if you want it to ask on the description page.thresholdis the number of script links on a page that Screen Userscripts will automatically scan. If the number of userscript links on a page is higher than threshold, Screen Userscripts won't auto-scan any, but will show the scan button instead. If you setautoScanto false, Screen Userscripts will never automatically scan userscripts, but will display the scan button instead. (Please see the [Update] notes in the description for release information.)Regards,
-Max
login to vote
Ok, the new fetures works, great!
but (jea, again :P)
i think not to scan all scripts on the page, then i go into the script itself, and the "scan-button" disappear.
(after the search, you got 100 scripts, you show one, to intsall it, but then the button from screen userscript ar gone. you know, the page where you can install scripts with this button.)
login to vote
All 'problems' thus far (I'm talking about those in the comments below) have been fixed.
autoScanandthresholdoptions have been added. Enjoy!login to vote
Done. You now have the option to automatically scan, or be asked. (Another update is coming soon.)
login to vote
Same problem here as Gasoline- had - it slows down firefox way to much to use it.
I am using firefox in ubuntu and it just flashes dark for 5-10 seconds (if not more) - all the browssing (tabs) are also freezed
login to vote
so, ok. ill testet this script
it worked on your testpage, nice!
buuut:
if you got e few scripts on a page (eg search on userscripts for scripts) then the script slows down your computer really much (crash firefox).
featurerequest:
build a button, which the user can press to check the actual homepage/script, or just run your script if someone want to install a script.
i would say, its a featurerequest on greasemonkey addon itselft, they should check the scripts and warn you if the script you will install is malicious. ....
(sorry for my bad englisch ;)
login to vote
Let me try it :D