WARNING! Script is actively uploading users' personal Google data to AUTHOR'S PRIVATE Github!

About: Google Search Extra Buttons

Since this author is refusing to even disclose in any way to prospective and existing users what he has now admitted multiple times without any decent explanation, I am reporting this.

Per this Github issue I opened:

https://github.com/spmbt/googleSearchExtraButtons/issues/15

and this discussion here where he only briefly provides a very cagey explanation of:

In short words: Google cleans own localStorage in his domain google.com or national (google.de etc.), so we have to save settings of user in some another domain. For example, github.io

https://greasyfork.org/ru/forum/discussion/11352/quick-question

If you search the code (which he also will not explain why he has clearly taken steps to obfuscate) for this string:
"spmbt.github.io/googleSearchExtraButtons/saveYourLocalStorage.html"

However, his explanation nicely omits the fact that the Github.io he chose is the AUTHOR'S personal, PRIVATE Github storage to which you have no READ access and herein lies the issue:

So now he has at least twice confirmed that if you are running this script - YOU ARE ACTIVELY AT EVERY VISIT TO GOOGLE.COM, UPLOADING YOUR ENTIRE GOOGLE LOCALSTORAGE DATA TO HIS PRIVATE, LOCKED GITHUB STORAGE. He now updated the script description to very inaccurately mention a badly abbreviated "save of each select in ext. localStorage" that fails to mention how much data and that it is to HIS private storage on the Internet.
You cannot view the data you are uploading (because it is a POST action). You also cannot, however, even confirm what exactly he is doing above and beyond this because he has taken steps to obfuscate the script code and as of today has still not posted a full, unobfuscated version, nor provided me access to my data he has stored on his personal Github storage.

If this is so harmless and such unidentifiable information, I would expect a public repo with EVERYONE'S "harmless" data - but as a DEV myself I ask why the script simply does not use the very same localstorage methods already being used in this very script to instead simply write the Google data needed to a new local variable that Google is not (supposedly) "erasing" on the local browser storage (the reason he is stating he is taking the data to begin with). This is ludicrous I myself can write out localstorage to ANY local variable I want in a script, either per session or to survive multiple sessions (that's what it's there for!) - without EVER needing to UPLOAD it - ANYWHERE.

Obfuscated, quietly uploading everyone's Google data to a secret, locked location without spelling out this very questionable supposed functionality requirement in any of the script's documentation or even code comments - This script needs to be removed or require he immediately disclose very clearly of this activity on the script's description!
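
The manual check the post describes, searching a userscript for a hard-coded off-site host, generalised to every host literal in the script as an added example (not code from the script or its author). The function names and the sample script are assumptions made for illustration, and `storage.example.org` is a placeholder host.

```javascript
// Primitives that can carry data off the page (network calls, cross-frame messaging).
const EGRESS_APIS = ['XMLHttpRequest', 'fetch', 'sendBeacon', 'GM_xmlhttpRequest',
  'postMessage', 'iframe', 'WebSocket'];

// Host globs from @include/@match/@connect header lines (regex-style @include is ignored).
function declaredHosts(source) {
  const re = /^\/\/\s*@(?:include|match|connect)\s+(?:(?:\*|https?):\/\/)?([^\/\s]+)/gm;
  return [...source.matchAll(re)].map((m) => m[1].toLowerCase());
}

function hostAllowed(host, globs) {
  return globs.some((g) => {
    const rx = g.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
    return new RegExp('^' + rx + '$').test(host);
  });
}

// Report string literals that name a host outside the declared scope, plus egress APIs used.
function auditUserscript(source) {
  const lines = source.split('\n');
  const start = lines.findIndex((l) => l.includes('==/UserScript==')) + 1;
  const allowed = declaredHosts(source);
  const urlRe = /["'`]((?:https?:)?\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(\/[^"'`\s]*)?/gi;
  const findings = [];
  for (let i = start; i < lines.length; i++) {
    let m;
    while ((m = urlRe.exec(lines[i])) !== null) {
      if (!m[1] && !m[3]) continue; // bare "a.b" with no scheme or path: likely not a URL
      const host = m[2].toLowerCase();
      if (!hostAllowed(host, allowed)) findings.push({ line: i + 1, host, path: m[3] || '' });
    }
  }
  const body = lines.slice(start).join('\n');
  return { allowed, findings, apis: EGRESS_APIS.filter((a) => body.includes(a)) };
}

// Constructed sample, not the script discussed above; storage.example.org is a placeholder.
const SAMPLE = [
  '// ==UserScript==',
  '// @include  https://www.google.com/*',
  '// @match    *://*.google.de/*',
  '// ==/UserScript==',
  "var help = 'https://www.google.com/preferences';",
  "var f = document.createElement('iframe');",
  "f.src = 'https://' + 'storage.example.org/save.html';",
  "f.onload = function () { f.contentWindow.postMessage(JSON.stringify({ lang: 'en' }), 'https://storage.example.org'); };",
].join('\n');

console.log(JSON.stringify(auditUserscript(SAMPLE), null, 2));
```

A string scan like this is a lower bound: obfuscated code can assemble host names at run time, so a clean result should be confirmed against the requests and frames shown in the browser's developer tools.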

Comments

  • Since the topic starter does not want to talk with me...
    OK, we will wait for answers from the society of users of this script.

    I do not see any problem with explaining the use of a second site for "external localStorage" in the description of the script, but, I think, this info may exist as an article everywhere on the site for developers. For example, here: https://greasyfork.org/ru/forum/discussion/11352/quick-question

    This is ludicrous I myself can write out localstorage to ANY local variable I want in a script, either per session or to survive multiple sessions (that's what it's there for!) - without EVER needing to UPLOAD it - ANYWHERE.

    ----This suggests that Collin (DEV!) did not try to work with localStorage on Google's website. And I tried). Google cleans this data each session.

  • Is there not a method you can use for storage, for example https://wiki.greasespot.net/GM.setValue ?

  • Jason: is it a cross-browser method? There are around 11 browsers or environments where userscripts run, but part of the browsers (Chrome) do not support GM_-functions. Around 3 years ago I stopped using any GM_* for this reason.

    If it is really cross-browser, this will be a good decision. Thanks, some time later I will write a test for this method in this script. It will be a good solution to the problem with access to github for part of China.

  • I don't believe this script is uploading user data, so closing report.

This discussion has been locked.