Public service announcement: You should never install a userscript from someone you don't trust.

Userscripts, like any browser plugin, get full access to your browser. That means they can do malicious things, like watch you type in your password (which then means the author of the userscript can see your password).

Similarly, you should never go to your browser's dev console and paste code from someone you don't trust.

As of the time of this writing, I've never seen or heard of a malicious userscript on Warzone/WarLight. I'm writing this just so we all stay vigilant against any future attacks that may come up.

This is an extremely important statement by Fizzer because I used to play Runescape but they did not care and my computer got so many malware

Userscripts, like any browser plugin, get full access to your browser. That means they can do malicious things, like watch you type in your password (which then means the author of the userscript can see your password).

I believe what you mean is that they theoretically could include in their script malicious code which gave them that ability -- not that any script gives anyone that ability by default.

I always review the code of scripts before I add them and if I don't see anything weird + I trust them, I go for it. But I don't believe they have full access to my browser automatically no matter what their script does. I certainly hope that isn't the case.

Edit: 'they' here meaning the author of the script. If their script technically has access to my browser, but their script doesn't actually do anything with that access, that would seem secure.

Edited 4/21/2018 05:09:55

^ they have access to the current window and windows the script opens. In browsers where the content-secure policy is implemented (e.g. FF Quatium), scripts can only read and modify the content of the window's domain.

I believe you are using a different definition of 'they' than I am. You mean the script, I mean the author of the script.

While technically those could be the same thing -- in practice they are not the same thing. The script can only do what it has been written to do. A script written to blank the page and replace it with a smiley face can only do that. The author could not see what was on that page or your passwords or do anything else, unless the script had been written in advance to do that. Which you could see by reviewing the code before you installed it.

At least that is what I've always assumed when running scripts. If that's not how it works, I'd love to know that.

From what I know, you're generally right that userscripts are limited by their own code. However, that comes with two caveats (not JavaScript/userscript-specific):

1. Malicious code isn't always obvious, even to an extremely trained user. (E.g., https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf).

2. Other code (e.g., your browser) can have vulnerabilities that the client can exploit. This could happen in such a way that the target code doesn't actually execute something that's visible in its source (like with return-oriented programming for buffer-overflow attacks) and the attack itself doesn't even look like code- like a string token input or something that doesn't fully show up in the source.

So Fizzer's phrasing makes sense 'cause the eye test doesn't give you any guarantees. Every time you install an innocuous-looking piece of software, you should also be aware of what it can do if it turns out to be malicious. Can't speak for userscripts specifically, but there's ways to sneak malicious code past reviews especially if those reviews are coming from end-users. The point is that, with all the permissions userscripts get, it's probably not that hard for an experienced/motivated attacker to write something that convincingly looks like it's a smiley-face script but actually hacks your account and makes you constantly post threads about Donald Trump on the Off-topic Forum.

Err on the side of paranoia.

Edited 4/22/2018 03:26:35