Greasy Fork

Alexander M collects your information. His script steals your facebook and google account and he is selling that information to agarbot.ovh. Overall the script is not trustable and you should stay away

Alexander M collects your information. His script steals your facebook and google account and he is selling that information to agarbot.ovh. Overall the script is not trustable and you should stay away

This userscript does not have permissions to access your social networks, as indicated in the userscript metadata.

On the contrary, when you install the agarbot extension NOT FROM CHROME STORE, you allow access to all sites, including your social networks.

About @connect data
https://www.tampermonkey.net/documentation.php?locale=en#meta:connect

You are stealing the Facebook and Google account tokens (and every other cookie that is saved) of the people that log in and you sell these to agarbot.ovh. And with these tokens someone can do A LOT of things. They can even hack your accounts with these tokens. I have seen the code, there is no reason to lie about it. I suggest to everyone to stay away from this malicious extension

You are stealing the Facebook and Google account tokens (and every other cookie that is saved) of the people that log in and you sell these to agarbot.ovh. And with these tokens someone can do A LOT of things. They can even hack your accounts with these tokens. I have seen the code, there is no reason to lie about it. I suggest to everyone to stay away from this malicious extension

Your accusations are unfounded. The userscript is configured to run only on specific domains (agar.io, sigmally.com, and gota.io) and does not have permissions to access Facebook, Google, or any other social networks.

Allowed Domains:

delt.io
sentinelix-source-agarix.glitch.me
deltav4.gitlab.io
hslo.gitlab.io
These @connect directives restrict the script's network requests to trusted domains unrelated to Facebook or Google, ensuring no access to your accounts or personal information. Additionally, there is no code within the script that interacts with or steals data from social media services.

If you have specific concerns or evidence, please share them so they can be properly addressed.

You got caught red-handed and now you don't know what to do. Let's see how fast you gonna change the code and remove these parts. I have more screenshots that I'll share the next time you choose to lie so blatantly. For whoever can't read the code, he sends to his server your Google and Facebook token as I was claiming in the first place. At least we should be glad that he isn't sending server our emails,fullnames and photos to his own server (or maybe even servers!). Again people stay away from this awful 'extension'.

Edit: I added these screenshots in an IMGUR gallery for a better resolution (https://imgur.com/a/2JXOAao)

Your arguments have no weight. On the contrary, these arguments are an attempt to destroy the developer's reputation.
During the analysis, it was established that your screenshot has nothing to do with reality. The screenshot shows a modified delta code that was used for authorization in agar.io. The screenshot was made in Visual Studio Code, but not in chrome devtools. Next time, in order for your evidence to have weight, use https://archive.is to archive links to your evidence with an independent source. We will be glad to cooperate!

Of course, I used Visual Studio Code, as I had to manually deobfuscate certain parts of the code using the debugger in Dev Tools. People primarily obfuscate their code to prevent others from reading it, with a few exceptions. The code snippet I provided reflects what the code looked like nearly a month ago.

I must say, bravo! It's impressive how quickly you removed those parts. To be frank, I'm unsure whether you made those changes a week ago upon seeing my review or just recently, after recognizing the undeniable proof.

You mentioned that you can't connect to Google/Facebook domains, which I don’t believe I ever claimed. I stated that you were stealing their account tokens, and your response was a weak attempt at smokescreening me.

According to https://archive.is/, the first snapshot of your page was taken just hours after my previous comment. This strongly suggests that you altered the code and tried to save the snapshot. However, after reviewing various snapshots from https://web.archive.org/, I've concluded that the data you were effectively stealing was only from August 7th onward, and it appears you reverted the changes after noticing my review.

I don’t know you personally, and frankly, I have no interest in getting to know you after encountering your malicious code. So no, I'm not trying to ruin your reputation--you did that yourself!

Well, since you have no evidence, then no justification is needed from our side.

You're free to disregard the evidence, though it's both irresponsible and disturbing. My goal with this review was to warn others, and I believe I've accomplished that.

You have no evidence.
1. Your screenshot is fake and you can't prove otherwise.
2. You have not specified the server address where the data is transferred.
3. No one will believe you because you made a mistake when creating the fake
- the first code on the screenshot that you faked is responsible for logging out.In my screenshot I showed where the variable "xt" is used.
- The second code, in the screens hot that you faked,because you edited the generated typescript code. You added "this" and it was your mistake, because in the compiled code "this" was replaced by the variable "t"

Your mistake is that you edited the compiled code.

1. So, just to clarify, your screenshot is the gold standard, while mine is just an elaborate hoax. Got it!
2. It looks like your wss://chat.delt.io server was collecting that information. Unless there are other servers at play that I'm not aware of?
3. At this point, it seems you're making assertions without a clear grasp of the situation, hoping that some of your claims will resonate with others. I assure you, that's a dangerous move.

I’ll be reporting the script, and I might consider further actions against you. Time will tell.

There is always only one way to make this right and it's always the same: share the source code on github, make it open source and let other developper judge if that is trustable or not.