For example, I just went on userscripts.org to grab an extension that would, on Google search returns, display the old Cached link button so that I can pull up archives if the site is down or it was changed. I checked the reviews, seemed legit, eyeballed the code and grabbed it from userscripts, dropped it into Chrome, works great, apparently.
But I got greedy and kept clicking around until I came across a script called Add Youtube to Google Search Bar. Before installing, I checked the Reviews section of the script first in which someone penned “WARNING! Malicious Script! Uses your Facebook account to subscribe to various sites. Use this scam-checker to blacklist scam scripts: Userscripts.org Scam Filter.” Woah. As there were two other reviews of five stars and superlatives, I pulled up the source of the script and sure enough it was loaded with facebook.com interactions, like this, which, I don’t know, looks shady to lead with in a Google/Youtube script (just a screenshot of the top, I’m not posting any of the actual code):
The author of this has 220 scripts with a total of 550 reviews, some are obvious spam reviews praising the scripts, the rest warning people that they’re scams. This Facebook thing, while obviously highly undesirable, is relatively harmless compared to what this coder could have done were he inclined, thanks to Userscripts.org.
I pulled up three more, each of which had a few positive reviews including jQuery v1.7.1 stable v9.2, Ultoo Turbo Fast in 2G & 3G and Userscripts.org Scam Filter. All had obvious malicious code. Presumably all of them are. There’s actually a legitimate Userscripts.org Scam Filter script warns of thousands of scripts that don’t behave as advertised, with guys like this creating the need for protection, yet taking advantage of people looking for that protection by making a script with a duplicate name and gets away with it.
Userscripts.org may have good stuff, but in one visit I came across a user with hundreds of scripts and spam accounts to give the malicious scripts favorable reviews and his account is intact. I don’t think it would take me all day to stumble upon another guy like that, given this:
The moral of the story obviously is, just as I warned you about Tor, do not use Greasemonkey scripts, at least not unless you read and fully comprehend every line of the code within whatever script you’re installing. Even then it’s probably not a good idea.