How safe are userscripts?

Hi, I recently have decided to try to install some user scripts. I’ve still been very worried about any compromised ones. I’ve heard that sometimes, even if you restrict the script to one website, there are some workarounds. Of course, I wouldn’t really care too much if my WaniKani account got compromised. I do know some coding, so I might be able to look through them, but there are just so many! The app Tsurukame has most of the basic scripts already, but I’m looking for a few more. Has anyone had any experience with dangerous scripts? Sorry if this has been asked before, I couldn’t find a thread.

2 Likes

If you install one of the popular community scripts you probably don’t have anything to worry about. Most of them should be limited to just WaniKani anyway, in which case the question becomes: do you trust Tampermonkey or whatever script manager you’re using? If you don’t want to trust the extension that much, you can limit its access to specific websites (at least on Chrome). Even though Tampermonkey is set to run by default on every website you use (so that it can run the scripts you have enabled on their specified pages), you can choose to only enable the extension on WaniKani and whatever other websites of your choice.

8 Likes

Ok, one question though, is there ANY possible chance Tampermonkey, or the user script could get access to some other websites I use? Also, would you mind linking or attaching a photo of those options? Thanks for the response.

Most of the popular scripts mentioned on the forum are written/used by active members of this forum. And the code is public, meaning that if there was anything sneaky going on, the people who can read the code would see it. As some people have said, most of these scripts will explicitly say at the top the “computer code” version of “Only use this script on a website that begins with wanikani.com/something”. It doesn’t hurt to be cautious with something you’ve never heard of before, but many of these scripts are created and maintained in the public eye here on the forum, so those I would worry less about.

6 Likes

The answer is yes.

Can being on the internet provide ANY possible chance for someone to hack into your computer?

The answer is also yes.

Tampermonkey has a pretty large install base and the dev team takes security seriously. But there is no way to ever be 100% guaranteed of anything.

4 Likes

True, but I feel like I’m actively putting myself at a vulnerability

You are. But like I said, the risk is pretty low and that’s the trade off for the ability to customize websites on the fly.

You don’t have to install it if you don’t think the trade off is worth it.

2 Likes

To minimize the risk you could use it in a separate browser where you don’t do sensitive stuff like banking.

2 Likes

Here are screenshots of my settings for Tampermonkey so that it only runs on certain sites:

Screenshot Microsoft Edge (Chromium)

Right click on Tampermonkey icon => “Manage Extensions” => set “Site access” to “On specific sites”

Screenshot Google Chrome

Right click on Tampermonkey icon => “Manage Extensions” => set “Site access” to “On specific sites”

Most of the permitted sites in the screenshot are for installing and updating userscripts. Sometimes Tampermonkey might ask for access to additional sites:

Permission request screenshot (in German, sorry)


In these cases, you have the choice to either allow or deny the additional access rights.

I haven’t seen similar options in Firefox yet.

5 Likes

All of these scripts work based on letting JavaScript work in your browser. That is something that you should be in control of already. If you aren’t, there are already many many organizations that have access to your browsing.
You can find websites that will identify what your browser is revealing to whom. I moved over to using a script blocker as soon as I used one of these tools, many years ago.
Then when you use userscripts, you can be selective about what is running. But as people have noted above, the userscripts are pretty limited, and I can’t think of an occasion when someone found something malicious hidden in one. Some of them connect to other commercial scripts, which is where there might be privacy loss if you are concerned about that. But with a script manager, you can see it all.

4 Likes

Would you recommend one? I’m probably being a bit paranoid, but still…

2 Likes

Since these userscripts are written in JavaScript, you can see the full source code when installing a userscript. So you could check line by line what the script is doing. While this doesn’t prevent it entirely, it would require malicious code to be obfuscated in some way and still look like a trustworthy script in order to fool people. The scripts here are used by a lot of people and I have yet to find one instance of anyone mentioning an evil userscript.

Also, scripts are restricted to run according to their meta information: All scripts begin with a little of this:
[images: userscript header]
These @include and @match tags tell Tampermonkey where the script is allowed to run.
(There really is someone here named match… sorry for tagging you @match)

1 Like
  • Can a userscript get access to a website it didn’t ask permission for? Only if there is a bug in Tampermonkey or your browser.
  • If you only allow Tampermonkey to run on specific websites, can it still get access to other websites you use? Only if there is a bug in your browser.

If you’re worried about the possibility of bugs in your browser’s extension framework, you probably shouldn’t use any extensions, which also means not using any userscripts. Otherwise, I’d just limit access as I mentioned (someone else provided screenshots) and not worry about it too much.

5 Likes

Golden rule; if you are not sure, leave it alone.

The risk for the extension is minimal, the risk for scripts can be higher, but overall I think having a scripting extension on my machine at all is not a good idea overall. Personally, I do not use them.

1 Like

In theory anything connected to the internet can be hacked; there are no absolute guarantees in cybersecurity.

However, userscripts operate under strict supervision from your browser. They generally run with the same permissions that any other script runs in your browser, so if you’re already using the internet, you’re not increasing the risk by that much.

The source code to all userscripts is also available. If someone in the community were to write a malicious userscript, we’d all notice and flag the post for promoting something malicious. All userscripts I’ve seen have been completely safe, there is very little to worry about.

Finally, userscripts are restricted to the sites they declare themselves to run on, which is always one of the first lines in the script. If you want to make sure they’re only running on WaniKani, just check the top of the script to see if the pattern matches something.

All in all, the only absolute certain way to not get hacked is to not use a computer at all. But userscripts are relatively safe if you stick to the ones available on this forum. I’ve yet to hear of any examples where someone used them for any malicious purpose on here.

4 Likes
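
Added example, not part of any post in this thread and not code from Tampermonkey: a small JavaScript check that does the "read the top of the script" step mentioned in the posts about @include/@match above. The sample header, the function names and the `cdn.example.com` URL are constructed for illustration; `@require` is the metadata key a script uses to load other scripts.

```javascript
// Audit a userscript's metadata header before installing it (added example).
// SAMPLE is a constructed header, not taken from any real userscript.
const SAMPLE = `// ==UserScript==
// @name     Constructed Example Script
// @match    https://www.wanikani.com/review/*
// @include  *
// @require  https://cdn.example.com/lib.js
// ==/UserScript==
console.log("script body");`;

// Collect every "@key value" line between the ==UserScript== markers.
function parseHeader(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  if (!block) return null; // no header at all
  const meta = {};
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@(\S+)(?:\s+(.*\S))?\s*$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2] || "");
  }
  return meta;
}

// Host part of a scheme://host/path pattern; null for bare wildcards and regexes.
function patternHost(pattern) {
  const m = /^(?:\*|https?|http\*):\/\/([^/]+)\//.exec(pattern);
  return m ? m[1] : null;
}

// True only for the expected domain or its subdomains ("*." prefix allowed).
function hostAllowed(host, domain) {
  if (host === null) return false;
  const bare = host.replace(/^\*\./, "");
  return !bare.includes("*") && (bare === domain || bare.endsWith("." + domain));
}

// List everything in the header that reaches beyond the expected domain.
function audit(source, domain) {
  const meta = parseHeader(source);
  if (!meta) return ["no metadata header found"];
  const findings = [];
  const scopes = [...(meta.match || []), ...(meta.include || [])];
  if (scopes.length === 0) findings.push("no @match/@include line: scope is not declared");
  for (const p of scopes)
    if (!hostAllowed(patternHost(p), domain)) findings.push(`runs outside ${domain}: ${p}`);
  for (const url of meta.require || []) findings.push(`loads external code: ${url}`);
  return findings;
}

console.log(audit(SAMPLE, "wanikani.com"));
```

The check is deliberately strict: a pattern without a plain host followed by `/` (a bare `*`, a regex, or `https://www.wanikani.com*`) is reported rather than guessed at.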

I respectfully disagree. With that kind of reasoning you can justify refusing to do anything. Just opening a browser and opening a website is a huge can of worms when it comes to security. But countless people are working hard on making browsers and script hosts as safe as possible. Good browsers, good script hosts and the scripts themselves are all open source, and security researchers are constantly looking for vulnerabilities. Additionally, there are many measures you can take yourself to improve security.

So while of course, it does pose a risk, so does going outside but you don’t see me playing runescape.

7 Likes

I don’t disagree with what you are saying, but I don’t really use any browser extensions purely just to minimise the risk as much as possible. Even browser password managers have been compromised in the past, it’s not like all of these risks are the same, they can be very different in nature.

I’m not a security officer or even claim to have extensive knowledge in this field, so I appreciate a lot of the comments in this thread tbh. But what I do know is that I definitely do not need scripts on the browser so even if the risk is the tiniest of all the percentages, it’s still a risk I don’t need to take.

haha

ps. there is a paper here that looks like it could be an interesting read, although you need to create an account to read the full report: Web Browser Extension User-Script XSS Vulnerabilities | IEEE Conference Publication | IEEE Xplore

2 Likes

I use NoScript on Firefox.
Other people here have suggested more sophisticated blockers, but I found them too hard to learn.

I found this:

to tell you what is being transmitted by your browser.

3 Likes

You are completely right and your view is just as valid and the more sensible one for sure!

Cheers for the link

1 Like

Start with a Brave browser and limit Tampermonkey access to specific sites only, as specified above. You’ll be 99% safe ;)

1 Like