Post by solicitorious on Jan 4, 2017 9:56:42 GMT
I have become aware of and very concerned about the propagation of browser extensions/helpers on the wider forum. While I have no evidence to impugn the motives of any individual who has "offered" such tools so far, it remains a fact that the mechanism of these add-ons is identical to what are known as "Man-in-the-Browser" attacks, which can bypass all security of banks and financial institutions.
p2pindependentforum.com/post/160347/thread
The mods have taken note and are trying to formulate a policy. My view is NO, NOT EVER should this forum encourage the use of ANYTHING which purports to modify a platform while the user is logged in to his/her own account. The risks are too obvious, and well-documented. As P2P matures and grows it is inevitable that security threats will multiply. We should always be vigilant to such threats, which of course may include attempts to "social engineer" the acceptability of such threats, by peer pressure, adopting the guise of experts, etc. by elements on the forum. I expect representatives of the platforms would also wish to add their input, as a matter of urgency.
Post by d_saver on Jan 4, 2017 10:06:37 GMT
As a 30 odd year IT veteran, I'd like to temper that a bit.
Of course, if you are not familiar with these things, or have any doubt whatsoever, do not use them. It is not worth the risk.
However, the contributions of a few on the forum, one in particular on the SS board are completely open. They include a notice of the risks, but anyone with an understanding of code can _very_ easily read what the code is doing, what might be possible and what it actually does.
If in doubt, don't touch it, but I would not like a statement such as you posted to tarnish the work of a few genuine and welcome efforts here.
My advice, if using code such as the one posted for SS is to read it. If you do not understand what it is doing, do not use it. TURN OFF AUTO UPDATE.
Vigilance and a healthy dose of scepticism should keep you on the safe side.
Post by GSV3MIaC on Jan 4, 2017 10:13:44 GMT
/mod hat off
FC already did - they gave tacit approval to Lonerifle's scripts (which involve pretty complex javascript injection into FC webpages). SS are certainly aware of the 0risk scripts, and have made no comment (or attempt to defeat them). Personally I have no problem using Greasemonkey/Tampermonkey to automate boring things that the platform failed to do for me (obviously I'd prefer the platform to do it) AS LONG AS I can eyeball the script (or wrote it myself), keep it on my own PC (no remote access, and no 'auto update'), and accept that if it goes pear shaped it is my own fault. The web stopped being a safe/friendly place when JS escaped into the wild, but it's a bit late to re-bottle the genie now (he's too useful). Yes, 'if you don't understand what you are doing, probably better to not do it', but you'll have a hard time selling that to the 98% of internet users who think it is done with magic. And if people are going to run the scripts (they are) I'd rather they were posted publicly for peer review than 'passed around in plain cover by email and PM'. I guess it should be made clear that the forum doesn't champion / warrant the scripts in any way, and that there are, for sure, risks in everything (even telling IE or Firefox it can remember your password for you).
p.s. that's in reply to the OP .. d_saver typed faster than me!
Post by solicitorious on Jan 4, 2017 10:23:16 GMT
Quoting d_saver: "As a 30 odd year IT veteran, I'd like to temper that a bit. Of course, if you are not familiar with these things, or have any doubt whatsoever, do not use them. It is not worth the risk. However, the contributions of a few on the forum, one in particular on this board are completely open. They include a notice of the risks, but anyone with an understanding of code can _very_ easily read what the code is doing, what might be possible and what it actually does. If in doubt, don't touch it, but I would not like a statement such as you posted to tarnish the work of a few genuine and welcome efforts here. My advice, if using code such as the one posted here for SS is to read it. If you do not understand what it is doing, do not use it. TURN OFF AUTO UPDATE. Vigilance and a healthy dose of scepticism should keep you on the safe side."
The "notice of the risks" was he didn't know, despite his optimistic username, what they were... Hardly encouraging, but it didn't seem to stop a lemming-like rush to install his widget. Take note also that the author is located in a far-off continent. You can dress it up however you like, but most people here are not "30 odd year IT veterans" and sometimes may need a little protection from themselves. In any case, you don't refute any of my basic contentions regarding the advisability and risk of using these "gifts".
Post by d_saver on Jan 4, 2017 11:22:23 GMT
Quoting solicitorious (who quoted my earlier post): "As a 30 odd year IT veteran, I'd like to temper that a bit. Of course, if you are not familiar with these things, or have any doubt whatsoever, do not use them. It is not worth the risk. However, the contributions of a few on the forum, one in particular on this board are completely open. They include a notice of the risks, but anyone with an understanding of code can _very_ easily read what the code is doing, what might be possible and what it actually does. If in doubt, don't touch it, but I would not like a statement such as you posted to tarnish the work of a few genuine and welcome efforts here. My advice, if using code such as the one posted here for SS is to read it. If you do not understand what it is doing, do not use it. TURN OFF AUTO UPDATE. Vigilance and a healthy dose of scepticism should keep you on the safe side."
"The "notice of the risks" was he didn't know, despite his optimistic username, what they were... Hardly encouraging, but it didn't seem to stop a lemming-like rush to install his widget. Take note also that the author is located in a far-off continent. You can dress it up however you like, but most people here are not "30 odd year IT veterans" and sometimes may need a little protection from themselves. In any case, you don't refute any of my basic contentions regarding the advisability and risk of using these "gifts"."
There is risk in everything we do. People investing in p2p especially better be aware of this. There is certainly risk in installing any third party software, visiting web sites, crossing the road, etc. I totally agree with you. If you do not understand the risks or cannot quantify them, stay away. It's a personal opinion, but I do not agree with the general philosophy of blocking something that might be dangerous for the protection of all, however uneducated they might be in the area concerned.
I am sure 0risk stated the risks as unknown to cover himself for every eventuality, as pretty much any software licence does if you read it. There are some clever people here. If someone posts some source code openly and there are gaping security holes in it, I would be surprised if that wasn't discussed. Per the last post, if the source code is posted openly here and you see no negative comments after months of use, that's about as good and safe as you are going to get (IMO). Certainly, if it were closed source or a third party web site I was giving my credentials to, etc., no way would I likely touch it... Again, anyone not quite following along would best be advised to stay away. In all my time with a ridiculous number of clients, I would say in excess of 90% of the security issues were a case of users doing something stupid. I agree that users should always proceed with a dose of caution, but I think a call for the ban of such scripts on the forum would not stop people using them and would do more harm, given they may become less visible and transparent and possibly less reviewed by people who might advise others of the risks you mention.
registerme
Member of DD Central
Posts: 6,624
Likes: 6,437
Post by registerme on Jan 4, 2017 11:32:59 GMT
It's an interesting and useful debate, so thanks to solicitorious for starting it (and better depersonalised and not platform specific as well). I'd like to add a few other, perhaps more mundane, points for consideration:
How is the code maintained and updated?
What happens if the author goes awol?
Who supports users of the code?
What happens if usage results in a DDOS attack on a platform?
What happens when a platform changes its site and breaks such code?
What happens if someone takes the code and uses it on another platform / the tool's usage proliferates?
Should auto-update be turned off by default? If it is, how are new releases of the code managed?
What happens if there is a security breach?
Post by solicitorious on Jan 4, 2017 11:54:37 GMT
Post by bracknellboy on Jan 4, 2017 12:04:16 GMT
Quoting d_saver: "... There are some clever people here. If someone posts some source code openly and there are gaping security holes in it, I would be surprised if that wasn't discussed. Per the last post, if the source code is posted openly here and you see no negative comments after months of use, that's about as good and safe as you are going to get (IMO). ... I agree that users should always proceed with a dose of caution, but I think a call for the ban of such scripts on the forum would not stop people using them and would do more harm, given they may become less visible and transparent and possibly less reviewed by people who might advise others of the risks you mention."
MOD HAT OFF (in case of doubt, esp. as this is under discussion by staff)
I would agree that - given that a genie is out of the bag (to mix metaphors) - it is significantly better to have such things posted out in the open where the source can be reviewed, and it can be discussed. It is highly unlikely that the forum would be able in practice to ban the sharing of such via the forum - even if it was deemed desirable to do so - it could be done behind the scenes. So even if we wanted to ban we could not police it, and as such from a security point of view it is better in the open.
MOD HAT ON
There are however other concerns for the forum. For example, could use of such cause breach of platform Ts and Cs, and if so where does that leave the "forum" if it is in effect acting as a vehicle for distribution of such?
Post by GSV3MIaC on Jan 4, 2017 12:38:01 GMT
/mod hat off
I don't think there is a crime of 'assisting in the breaking of T&Cs', which are between users and platforms. If a platform objects to the automation I am sure they will let us know about it (there are several sets of automation already running, to check things like SM availability).
In reply to registerme ..
How is the code maintained and updated? .. by the original author, or anyone who takes over (but only the original author can edit the 1st post in the thread, which is where the 'official version' is supposed to abide).
What happens if the author goes awol? .. support stops, unless someone wants to take it over.
Who supports users of the code? .. the original author, or anyone who wants to offer (free) advice. No warranty was offered or implied. The SS script seems to be groupware .. several people have already chipped in free improvements.
What happens if usage results in a DDOS attack on a platform? .. The platform pulls the plug on offending IP addresses (FC, SS and others have done this in the past in response to 'over frequent polling for changes').
What happens when a platform changes its site and breaks such code? .. see 'how is code maintained'. There is a small, but non-zero, risk that the platform could make a change which had 'very bad result for script users' (especially anyone who went for full automation) .. e.g. if they change the place which tells the script 'You have £x of this loan', then an automated script could keep buying and buying and buying and never see it had got any. None of the public scripts have implemented 'auto buy', but some FC bots certainly do.
What happens if someone takes the code and uses it on another platform / the tool's usage proliferates? .. up to the platform(s) .. if they feel it is having negative impact they a) tell users, and if the user persists then b) pull the plug on the IP address(es), or adopt a defensive posture (like reCaptcha on SS, to at least hamstring a bit the SM bots).
Should auto-update be turned off by default? If it is, how are new releases of the code managed? .. Definitely. I thought 'auto update off' is the Greasemonkey/Firefox default (?), Tampermonkey/Chrome appears to need reining in? New releases should only be installed when the user says so .. anything else is very dangerous (despite what we are told by Java, Adobe, uSoft, Mozilla, etc. etc.?!)
What happens if there is a security breach? .. Bad stuff, about the same as if a platform gets hacked, or the forum ads start serving malware again.
Basically any time you "open up" a system to permit good stuff to happen, you enable a quantity of bad stuff to happen too (and you get an interesting debate about which bits are which!). Tampermonkey/Greasemonkey opens up the browser and gives a lot of control back to the users (instead of the web page authors). Scope for good/bad in equal measure.
Post by solicitorious on Jan 4, 2017 12:40:26 GMT
And if they multiply uncontrollably, or metastasise [as they surely will, given time]? Who is going to take responsibility for monitoring them in all their versions for evermore?
A glance at some of the recent threads gives a glimpse of the future, with god-knows-who collaborating on modifying this stuff almost the instant it is released!
e.g.
"None is issued by the script. I have those "BLOCKED BY CLIENT", and I believe it is the Adblock extension. No problem there.
But this gtm.js may be interfering. It seems something like Google Tag Manager. Do you have any extension with the name resembling Tag Manager or GTM ? Try disabling it to see if that's the issue."
Do this? Try this? No problem? Disable this? Press this?
Anyone understand any of it? What could possibly go wrong?
We know P2P is risky enough. Why introduce and promote further uncontrolled risk?
Let these geniuses play - at their own risk, in their own bedrooms - while others encourage the platforms to give their customers the secure functionality we request.
SteveT
Member of DD Central
Posts: 6,875
Likes: 7,924
Post by SteveT on Jan 4, 2017 12:55:19 GMT
(Mod hat off)
No-one is forcing anyone to install or use such a browser extension or script. Indeed, it looks like it would involve a fair bit of personal time / effort to do, so it's not something people are likely to do unintentionally.
Arguably this forum already "encourages" risk-taking amongst its members by openly discussing the potential profits to be made through P2P lending (especially at the riskier / unsecured end of the spectrum). Personally I have no problem with the way this particular script has been explained and shared for "informed personal use".
Bottom line is that if you don't understand what you're doing then don't do it.
fp
Posts: 1,008
Likes: 853
Post by fp on Jan 4, 2017 13:03:45 GMT
I would love to sit back and let a script do all the work for me, but I do not understand how it works, as I don't understand code (although I've never tried to), and as a result I would never try to use the scripts. I would hope anyone else in my position would take the same approach.
For someone who does understand code, and can see how the script does its thing, then it should not be a problem.
daveb4
Member of DD Central
Posts: 220
Likes: 116
Post by daveb4 on Jan 4, 2017 13:25:55 GMT
My biggest risk in P2P as I see it is someone or thing getting into the platform or my account and taking my money. Therefore I diversify across loans AND platforms.
I do not understand scripts, so I do not use them, as well as for the risks above.
I just hope the platforms' IT can cope with any risks attached to these scripts?
stevio
Member of DD Central
Posts: 2,065
Likes: 894
Post by stevio on Jan 4, 2017 14:35:34 GMT
Appreciate the discussion, although put forward a little forcibly, I think due to concern more than anything else.
Warrants a large WARNING text at the top of that thread at the very least in the meantime.
We have a lot of expertise on these forums - maybe the moderators could ask someone with such expertise to 'keep an eye' on these threads so users are kept fully aware of the risks involved? After all, the forum is here to help others.
I would like to ask - do browser extensions that monitor websites for changes (and effectively keep you logged in) have any risks people need to be aware of?
james
Posts: 2,205
Likes: 955
Post by james on Jan 4, 2017 16:06:00 GMT
Quoting stevio: "I would like to ask - do browser extensions that monitor websites for changes (and effectively keep you logged in) have any risks people need to be aware of?"
If, like the tools specific to P2P linked to here, they have entirely readable source code and are reasonably small and simple, they are as sensibly safe as those P2P tools are, without need for significant concern. In general the direct financial site risks would come from things like an ability to change bank account details and withdraw money or to make secondary market transactions to benefit a crook. Those are vulnerabilities in the P2P platform more than in the tool that might exploit them. The main risk issues aren't so much direct tool issues but rather the creation of different classes of customer depending on tool use or not. That can compromise the value of the platform to others and lead to the platform effectively rewarding and encouraging use of the tool. Better to eliminate the benefit of the tool with platform tools that a platform can manage and provide to all customers at the highest levels of security.