Cookie Stealing Scripts

in discussion
Subscribe to Cookie Stealing Scripts 209 posts, 115 voices

pandaking User

Yea, I think a system similar to the digg comment system would be good, so you can give it a thumbs up or a thumbs down, and if x amount of people give it thumbs down (or a certain percentage) then it's buried, or I guess just marked as "possibly bad", and then you admins can check all the "bad" ones.

Also, as someone with lots of scripts installed, could some just tell me exactly what I need to do to make sure none of the ones I have installed are "bad".

Descriptor Scriptwright

We already have a de facto system that points out when users really like a script: the favorites.
I guess you ignored the part of my post about "popularity votes". The current system tells us nothing about a script. I use Favorites to bookmark a script so that I remember it, it has nothing to do with how good it is - I may Favorite a bad one just to see if it ever gets fixed. Very old scripts will have many more downloads then brand new scripts, so again that value is meaningless.

@pandaking you can check that none of them have been removed from this site, and that the one you have is the same as the version on this site. Check the scripts comments as well.

Joel H Scriptwright

Pandaking, there are only two things that can guarantee a script is safe:
1. write it yourself
2. review every line yourself
Unfortunately, both of these require you to know javascript. Fortunately for you, all of the scripts you have are probably good. If you are worried, I encourage you to check any scripts you have downloaded since roughly the end of May (you can check this in windows by navigating to the script in your file system and checking its properties for the file creation date). For any suspect scripts, return to the script page and check for user posts about its security. Also, you can be slightly proactive and view the script's source; I realize it can be intimidating if you're new to javascirpt, but there are a few simple things that you can look for, such as eval(....) statements, calls to XMLHTTPRequest(...), and references to document.cookie. The hard part here is that all three of those do have valid uses in legitimate scripts. If you have a particularly useful script which you really want to use but don't trust the source code of, you can ask for an experienced user to verify the script.


Jonny Scriptwright

I think because of this greasemonkey should have a feature where potentially malicious code has to be put with a certain tag or else it won't work as a script and if it includes the tag, it mentions so at the top of a us.o script preview and reccomend checking comments for it and having a quick look at script source it'll help to make sure that the user checks at least the comments section if it is potentially malicious.

Miles Libbey Scriptwright

Javascript is extremely flexible and powerful. Even if Greasemonkey were to (somehow) only allow some subset of Javascript, it's virtually certain that a determined bad guy could use the remainder to do something bad. Most web companies try not to allow *any* javascript on their pages, yet, cross-site scripting holes are reported each week.

Joel -- don't forget about adding or changing img src attributes.


Naja Melan Scriptwright

dear miles,

that is why as i already said in my post above, someone has already done this work. Hence the possibility in firefox to safely run any javascript any website fires at us. Greasemonkey scripts should be treated as unprivileged code, unless they actually need those privileges, in witch case the user can be warned and check the code before granting. Since you can do 95% of the stuff you need in userscripts without special privileges, that reduces the scripts that need to be checked to about 5%, which could be again diminished by another 95% by improving the featureset of the XPCNativeWrapper Object, like support for frames to name just one thing...

With some integration with, some people could check these few scripts still not covered and give them a marker to approve them, which would lead to the needed and very wanted situation of allowing most users to just click install without any worries allmost all the time....


Frederik Van... Scriptwright

Naja Melan,

Unfortunately, this won't work. Even without special privileges, you can still do location.href = '' + document.cookie, and the cookie is stolen. Or you could use a hidden frame so the user doesn't notice.
The problem is websites can access their own information, so they also can access their own cookies. So a script running in the context of the website can also access this. And form information that you filled in, and more.
The moment you start limiting what a script can access on the website it runs on, a lot of scripts will require extended privileges, I would say at least 95%, depending on what information you limit access to.

Paul Irish Scriptwright

Can we remove that warning message now? It's making a lot of new users very wary about this entire site. While warning people is important, you don't want to be a homeland security color code kind of thing... :/

Descriptor Scriptwright

Nah, homeland security would search everyone who entered the site for fingernail clippers.

Naja Melan Scriptwright

fair play frederik... didn't think of that. i never used cookies from javascript. Sorry miles.
time to shut up now,,,greets

well no, wait, if that is the only security breach, then that would reduce hazardous scripts to scripts that run on sites where you login. since this is a limited list, that would seem like a starting point to look for solutions, not? maybe people could make a list of sites where they log in, or allow greasemonkey to autodetect that, and give them an extra warning if they install scripts that run in these sites?
Best solution seeming that the website verify the ip number as well as the session ID??? But that is not in our hands.


mark1809 User

Unfortunately before I got around to checking all my scripts, this moron had used my Google checkout cookie to buy a $2400 computer to be shipped to another state. I was able to stop the order or perhaps secret security rules in Google's checkout may prevented the order from completing anyway (changed email which checkout allows but not my regular email). How will this be prevented from occurring in the future or is this one of the chances you take when using a script? Most of the general population is not going to be able to always know when a script might be malicious and how to figure it out and should be forewarned before downloading.

verifex Scriptwright

Is it possible to at-least get some kind of "tag" system? I think it's a little crazy that we have so many duplicate scripts all over the site. If we at least had a way to mark scripts that are duplicates. I find it incredibly annoying when a particular script has many duplicates and only one of the 7 or 8 scripts actually works or is updated by the author regularly.

Descriptor Scriptwright

@mark1809 - you always need to be very careful whenever money or personal info is involved. A user script is a pretty clear risk, or should be noted as a clear risk and is in several places. There's no way anyone can forewarn you of every possible way you could be fooled. Take for example all the spam that fools people every day: if I don't know the person that sent it without any doubt, then it's junk that can't be trusted. Same with anything you download off the Internet.

Mike95060 User

Am I safer if I use scripts that have been posted for a few days, and if I update, when prompted, at the original userscripts site rather than respond "yes" to an update prompt? I have tried to read all this discussion, but I find this all confusing, esp. since I received about 6 update prompts this morning--some for scripts that indicate no recent updates.

Vasco Scriptwright

I think it is possible to implement a cookie protection inside Greasemonkey, what is the best place to request this feature?

Also I always thought it could be possible and was always concerned but I don't realy use much scripts made by the others mainly with complex code.

Joel H Scriptwright

Vasco, the place to make specific suggestions on changes to Greasemonkey is the Greasemonkey mailing list, which is found at:

While us.o isn't really about changing the extension per se, this is clearly an issue that concerns the community at large, especially those users who lack the skills to determine for themselves if a script is safe. As a result, you could probably get away with making suggestions here, too, though there is no guarantee that the GM developers will see it.


LouCypher Scriptwright

It has been discussed here

and here

NathanJ User

First of all, somebody is spamming Blogger/Blogspot blogs with the following Userscript.

It's been installed five times as of now, and I'd bet that it contains such code. Why else spam it? (Maybe it adds more ads?) I haven't installed it and don't plan on installing it.

Second of all, if your site's login system actually worked, people might comment more on scripts that have problems? Did you ever think of that? I registered so I could comment on those that worked or didn't work. I made a 25-digit password including symbols, letters, and numbers, and stored it in a password vault. I came back to find I'd been logged out, and the same exact (copied and pasted) password was rejected. So I figured y'all might be using an older login system, so I made a new one, just 8 digits, just uppercase and lowercase letters, and once I changed that it won't accept that either. So this is my, what, third password reset? Suffice it to say I won't be changing my password again, if I'm going to have to do it again. If you guys decide to fix the login system, drop me a line at [email protected] when I can create a working, stable account, and I'd be happy to go back to commenting on what works and doesn't. Until then, I got most of the scripts I need, and you don't have to login to get more. But your system as is discourages community feedback, and that is what you need to solve your problem.

Max (-El... Scriptwright

I just uploaded a script that will hopefully help protect people against most cookie-stealing userscripts. (And hopefully, other malicious scripts, in the future.)


war59312 User

Nice, thanks for the warning!

Naja Melan Scriptwright


isn't it time to change the read banner to some yellow banner saying something like: "please beware that userscripts can get access to the cookies of the sites they run at. Please check them before installing..."

cause i think the current banner scares most non savvy new users away before they find out what userscripts are good for....


Joel H Scriptwright

I agree with Naja. I havn't heard of any malicious scripts being uploaded in the past few weeks, so I think the initial scare is over.

Of course this should not be an excuse to slack on vigilance.


sizzlemctwizzle Scriptwright

yeah the first time I saw that banner it scared the crap out of me and I'm pretty familar with greasemonkey, what would a novice think? maybe never come back to userscripts.

xmidoz User

I am not installing any scripts until this issue is ressolved.

sizzlemctwizzle Scriptwright

Thats not necessary. There aren't any cookie stealing scripts on They've all been removed.