Greasemonkey scripts, and their de facto repository userscripts.org, are the anarchist’s answer to Firefox add-ons and Chrome extensions. They offer often very helpful tools and tricks, little Javascript/DOM trinkets, some rather sophisticated, some not, things that for one reason or another don’t make it onto the vetted Chrome Web Store or Firefox’s add-on site.

For example, I just went on userscripts.org to grab a script that would, on Google search results, display the old Cached link so that I can pull up archives if a site is down or has changed. I checked the reviews, which seemed legit, eyeballed the code, grabbed it from userscripts, dropped it into Chrome, and it works great, apparently.

But I got greedy and kept clicking around until I came across a script called Add Youtube to Google Search Bar. Before installing, I checked the Reviews section of the script first, in which someone penned “WARNING! Malicious Script! Uses your Facebook account to subscribe to various sites. Use this scam-checker to blacklist scam scripts: Userscripts.org Scam Filter.” Whoa. As there were two other reviews of five stars and superlatives, I pulled up the source of the script and sure enough it was loaded with facebook.com interactions, like this, which, I don’t know, looks shady to lead with in a Google/Youtube script (just a screenshot of the top, I’m not posting any of the actual code):

The author of this has 220 scripts with a total of 550 reviews, some are obvious spam reviews praising the scripts, the rest warning people that they’re scams. This Facebook thing, while obviously highly undesirable, is relatively harmless compared to what this coder could have done were he inclined, thanks to Userscripts.org.

I pulled up three more of his scripts, each of which had a few positive reviews, including jQuery v1.7.1 stable v9.2, Ultoo Turbo Fast in 2G & 3G and Userscripts.org Scam Filter. All had obvious malicious code. Presumably all of them do. There’s actually a legitimate Userscripts.org Scam Filter script that warns of thousands of scripts that don’t behave as advertised; guys like this create the need for that protection, then take advantage of people looking for it by publishing a script with a duplicate name, and get away with it.

Userscripts.org may have good stuff, but in one visit I came across a user with hundreds of scripts and spam accounts giving the malicious scripts favorable reviews, and his account is intact. I don’t think it would take me all day to stumble upon another guy like that, given this:

The moral of the story obviously is, just as I warned you about Tor, do not use Greasemonkey scripts, at least not unless you read and fully comprehend every line of the code within whatever script you’re installing. Even then it’s probably not a good idea.
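If you do read the code before installing, one mechanical check worth doing first is to compare the sites a userscript declares it runs on (its @match/@include header lines) against the hosts its code actually talks to; a Google/Youtube script that calls facebook.com fails that check immediately. The following is an added example, not code from the post or from userscripts.org; the sample script it scans is constructed to mimic the pattern described above, and the facebook.com path in it is a placeholder.

```javascript
// Constructed sample userscript: declares Google/YouTube, but the body
// also posts to facebook.com (placeholder path, not a real endpoint).
const SAMPLE_USERSCRIPT = `// ==UserScript==
// @name        Add Youtube to Google Search Bar
// @match       https://www.google.com/*
// @include     http://www.youtube.com/*
// ==/UserScript==
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://www.facebook.com/example-endpoint", true);
fetch("https://www.google.com/search?q=test");
`;

const META_BLOCK = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/;

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Hosts the script declares it runs on, taken from @match and @include
// lines. Scheme and subdomain wildcards are stripped so new URL() accepts them.
function declaredHosts(src) {
  const meta = src.match(META_BLOCK);
  if (!meta) return [];
  const hosts = new Set();
  for (const line of meta[1].split("\n")) {
    const m = line.match(/^\/\/\s*@(?:match|include)\s+(\S+)/);
    if (!m) continue;
    const h = hostOf(m[1].replace(/^\*:\/\//, "https://").replace(/\*\./g, ""));
    if (h) hosts.add(h);
  }
  return [...hosts];
}

// Hosts referenced by URL literals in the code body that the header never
// declared. A non-empty result is a reason to read that script very closely.
function undeclaredHosts(src) {
  const declared = new Set(declaredHosts(src));
  const body = src.replace(META_BLOCK, "");
  const found = new Set();
  for (const m of body.matchAll(/https?:\/\/[^\s"'`)]+/g)) {
    const h = hostOf(m[0]);
    if (h && !declared.has(h)) found.add(h);
  }
  return [...found].sort();
}

console.log(undeclaredHosts(SAMPLE_USERSCRIPT)); // → [ 'www.facebook.com' ]
```

This only catches hosts written as plain URL literals; obfuscated or concatenated strings will slip past it, which is exactly why the check is a first pass and not a substitute for reading the code.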

Doug Simmons

2 COMMENTS

  1. I stay away from 3rd party scripts, and I don’t recommend them in my architecture. Yes, you think they are simple open source scripts, but how many times would you look into the code?

  2. In the early 80s I started learning Basic. I did well with it, but I wasn’t really pushed or given an opportunity to continue.
    And I realize now I probably had ADD, still do. So I didn’t do well with school. Today I probably have 20 projects in some state of incomplete. I just keep starting new ones.
    I wish I had stayed with “Programming” as it seems it would be easier to create your own stuff vs. trusting something somebody else wrote.
    On pretty much all levels.
