It's been more than 6 months since my last public giveaway, so it's time to stop making you suffer through puzzles and just give you the damn games. But... I'm not that nice, so it's level 5.
It doesn't show it but Infectonator Survivors has been on steam for more than two years or so in early access, you would know if you were into flash games as its early build is free on armorgames.
Well if an user has no public giveaways in sight, you would have to go through their pages until you find a public giveaway you can check, so it might not be much useful, but it's something. I'm trying to work around it at the moment and hope I'll be able to do it as well. :)
aaah, and got notification from tampermonkey:
Tampermonkey detected inconsistencies that indicate that your browser wiped the extension database!
something here?
My name is Joe. I'm a security professional. I saw your scripting work here and am impressed with the effort you have invested.
I noticed your user name is subject to a homoglyph attack on GitHub they refuse to address (sigh). Basically, someone could attempt to piggyback off your name/reputation by creating the user name reviIheart (that is: reviiheart). That may seem like a minor issue, but it can become a major one when paired with the auto-update capabilities of TamperMonkey/GreaseMonkey. Someone can mirror your scripts changing only the update url. They can post links that appear to go to your repository: https://raw.githubusercontent.com/reviIheart/ESGST/master/ESGST.user.js but instead go to the malicious one. After a sufficient amount of time has passed, they can start introducing malicious code through the update url (while still maintaining your functionality). Because TamperMonkey/GreaseMonkey scripts are injected into the page, they are capable of some reasonably powerful exploits.
I have gone ahead and grabbed the GitHub username so it can't maliciously be used by someone. I have also created the user's repository based on yours to see if you received notification of the action (Ideally GitHub will detect and warn you of this). If you could let me know if you received any notification, I would appreciate it. I also wanted to make you aware of the issue in case you have any other user names that might be vulnerable to this attack.
Hi, thanks a lot for letting me know, I wasn't aware of that. And no, I didn't get any notifications on GitHub. Thanks for grabbing the username though, and if you don't want to be associated with it, you can delete the account and I can grab it. Are only usernames with "i" and "l" affected by this?
Thanks for letting me know you didn't get any GitHub notification (sigh). This is something GitHub could easily mitigate by banning usernames that match existing usernames except for homoglyph(s). But they don't despite being made aware of the risks.
Per your request, I deleted the account. You should be able to grab it now.
O and 0 will get some people. rn instead of m will get some people. But upper-case i and lower-case L are the only two I know of that are rendered identically in many common fonts. My now broken link is completely indistinguishable in my browser from your legitimate link. Someone could at least catch an O/0, rn/m by paying attention.
Thanks again for making your code available to the community. Make sure you are extra careful about protecting that repository just because of the potential dangers of hacked TamperMonkey/GreaseMonkey scripts.
GitHub considers it lower priority. But I think they are not properly taking into account auto-update capabilities that can be exploited with those homoglyph attacks. But yeah, you should be in the clear now for those types of attacks.
Just make sure you are using a password that isn't shared with another site (especially sites that have been hacked in the past).
Good choice. Just make sure your password for LastPass is a sufficiently long password (ideally a passphrase). But it sounds like you are in good shape.
Like I said, there is no green star to hide giveaways. There is a green star for encrypted giveaways, which only appears in the header at the page that the giveaway is.
yeah that was i mean,my english is very bad ,sorry.but i didnot remember how to open the green star,its miss.could u help me which opition is green star
Ah okay, thanks. Google translate said it meant "Indians", which is used improperly when referring to Native Americans. Obviously, Indians are from India. LOL.
Well, yeah, we also refer to indigenous people as "Indian" here in Brazil, although in Portuguese, "Indian" to refer to indigenous people is "índio" and "Indian" to refer to people from India is "indiano". Small differences, but it can be confusing. xD
Native Americans dislike being called "Indian", due to the distinction. It's a term explorers mistakenly coined, believing they'd reached the Far East. I found it odd that Marco was ragging on you for lumping people together, and he's kinda doing the same thing ...
big Thanks :)
Comment has been collapsed.
Thanks !
Comment has been collapsed.
Thank you!
Comment has been collapsed.
You're welcome!
Comment has been collapsed.
Hey revilheart I added you on steam want to talk about some kind of script
Comment has been collapsed.
It doesn't show it but Infectonator Survivors has been on steam for more than two years or so in early access, you would know if you were into flash games as its early build is free on armorgames.
Comment has been collapsed.
I considered the release date for all games.
Comment has been collapsed.
I see. Well that's too bad because it's the truth but whatever.
Comment has been collapsed.
Hi revil!
Just in case you missed this..
blue heart
Comment has been collapsed.
Hi! I'm not interested, but thanks! :)
Comment has been collapsed.
Sorry that it doesn't suit your taste.. :3
Comment has been collapsed.
This comment was deleted 7 years ago.
Comment has been collapsed.
I turned it off for lists because it was stressing the server. It currently only works on profile pages.
Comment has been collapsed.
This comment was deleted 7 years ago.
Comment has been collapsed.
Well if an user has no public giveaways in sight, you would have to go through their pages until you find a public giveaway you can check, so it might not be much useful, but it's something. I'm trying to work around it at the moment and hope I'll be able to do it as well. :)
Comment has been collapsed.
Thanks for ur work anyway, got some bad people on the hook, better than nothing :3
Comment has been collapsed.
/uKIRh/
Comment has been collapsed.
This comment was deleted 6 years ago.
Comment has been collapsed.
Oh thanks, I wasn't really interested in the giveaway, but might as well enter now. :)
Comment has been collapsed.
should it be thubms up?
Comment has been collapsed.
Only if you added an exception for multiple wins in the settings menu.
Comment has been collapsed.
I think it is default, but thanks! (◕‿-)✌
Comment has been collapsed.
ERROR: Execution of script 'ESGST' failed! JSON.parse: expected property name or '}' at line 3 column 33 of the JSON data messages%20line%203%20%3E%20Function:4:343
loadEsgst@https://www.steamgifts.com/messages line 3 > Function:989:39
tms_614be77f_9d83_41da_8106_6010aff96544/<@https://www.steamgifts.com/messages line 3 > Function:411:5
tms_614be77f_9d83_41da_8106_6010aff96544@https://www.steamgifts.com/messages line 3 > Function:408:2
g</<@https://www.steamgifts.com/messages:2:385
anonymous/<@https://www.steamgifts.com/messages line 3 > Function:4:1
anonymous/<@https://www.steamgifts.com/messages line 3 > Function:3:55
anonymous@https://www.steamgifts.com/messages line 3 > Function:3:2
g</<@https://www.steamgifts.com/messages:2:385
E_c@https://www.steamgifts.com/messages:3:209
da@https://www.steamgifts.com/messages line 1 > Function:60:417
create@https://www.steamgifts.com/messages line 1 > Function:69:26
f@https://www.steamgifts.com/messages line 1 > Function:16:235
messages%20line%203%
not sure if this regarding to: https://www.steamgifts.com/go/comment/mIGbxTH
Comment has been collapsed.
I meant for you to add
console.log(GM_getValue("games"));at the beginning of the script. It should output a long string in the console.Comment has been collapsed.
the code now is
// @noframes
// ==/UserScript==
console.log(GM_getValue("games"));
(function () {
...
and console outputs:
Comment has been collapsed.
aaah, and got notification from tampermonkey:
Tampermonkey detected inconsistencies that indicate that your browser wiped the extension database!
something here?
Comment has been collapsed.
Your data is corrupted, you can fix it like this: https://www.steamgifts.com/go/comment/OdYl72t
Comment has been collapsed.
thanks! redone all setting as well but works! thanks for awesome work and support!
Comment has been collapsed.
Hello,
My name is Joe. I'm a security professional. I saw your scripting work here and am impressed with the effort you have invested.
I noticed your user name is subject to a homoglyph attack on GitHub they refuse to address (sigh). Basically, someone could attempt to piggyback off your name/reputation by creating the user name reviIheart (that is: reviiheart). That may seem like a minor issue, but it can become a major one when paired with the auto-update capabilities of TamperMonkey/GreaseMonkey. Someone can mirror your scripts changing only the update url. They can post links that appear to go to your repository: https://raw.githubusercontent.com/reviIheart/ESGST/master/ESGST.user.js but instead go to the malicious one. After a sufficient amount of time has passed, they can start introducing malicious code through the update url (while still maintaining your functionality). Because TamperMonkey/GreaseMonkey scripts are injected into the page, they are capable of some reasonably powerful exploits.
I have gone ahead and grabbed the GitHub username so it can't maliciously be used by someone. I have also created the user's repository based on yours to see if you received notification of the action (Ideally GitHub will detect and warn you of this). If you could let me know if you received any notification, I would appreciate it. I also wanted to make you aware of the issue in case you have any other user names that might be vulnerable to this attack.
Thanks for your contribution here,
Joe
Comment has been collapsed.
Hi, thanks a lot for letting me know, I wasn't aware of that. And no, I didn't get any notifications on GitHub. Thanks for grabbing the username though, and if you don't want to be associated with it, you can delete the account and I can grab it. Are only usernames with "i" and "l" affected by this?
Comment has been collapsed.
No worries. Glad to help.
Thanks for letting me know you didn't get any GitHub notification (sigh). This is something GitHub could easily mitigate by banning usernames that match existing usernames except for homoglyph(s). But they don't despite being made aware of the risks.
Per your request, I deleted the account. You should be able to grab it now.
O and 0 will get some people. rn instead of m will get some people. But upper-case i and lower-case L are the only two I know of that are rendered identically in many common fonts. My now broken link is completely indistinguishable in my browser from your legitimate link. Someone could at least catch an O/0, rn/m by paying attention.
Thanks again for making your code available to the community. Make sure you are extra careful about protecting that repository just because of the potential dangers of hacked TamperMonkey/GreaseMonkey scripts.
Comment has been collapsed.
Seems so simple, I wonder why GitHub doesn't do it...
Thanks, grabbed it.
And noted, thanks again for the warning. Should be ok now that I grabbed that username.
Comment has been collapsed.
GitHub considers it lower priority. But I think they are not properly taking into account auto-update capabilities that can be exploited with those homoglyph attacks. But yeah, you should be in the clear now for those types of attacks.
Just make sure you are using a password that isn't shared with another site (especially sites that have been hacked in the past).
Comment has been collapsed.
Yeah, that's a very serious exploit that should be high priority in their list.
I use LastPass. And I also have two-factor authentication enabled. So I don't think it should be a problem. :)
Comment has been collapsed.
Good choice. Just make sure your password for LastPass is a sufficiently long password (ideally a passphrase). But it sounds like you are in good shape.
Comment has been collapsed.
hi,rafaelgs18,could you tell me where is ESGST hide giveaways function?when I update,the green star for hide giveaways was disappear。can u help me
Comment has been collapsed.
There is no green star for hiding giveaways, you will find an eye icon next to giveaways that allows you to hide them.
Comment has been collapsed.
i mean have a green star show hide giveaways,maybe my memofy wrong i mix some script.thank you for your patience,have a good weekend
Comment has been collapsed.
Like I said, there is no green star to hide giveaways. There is a green star for encrypted giveaways, which only appears in the header at the page that the giveaway is.
Comment has been collapsed.
yeah that was i mean,my english is very bad ,sorry.but i didnot remember how to open the green star,its miss.could u help me which opition is green star
Comment has been collapsed.
Yo, what does this word mean? Google translate is being ambiguous, depending on context.
Comment has been collapsed.
Indigenous people. The people that were first in Brazil before it was colonized. Like the Native Americans, but for Brazil.
Comment has been collapsed.
Ah okay, thanks. Google translate said it meant "Indians", which is used improperly when referring to Native Americans. Obviously, Indians are from India. LOL.
Comment has been collapsed.
Well, yeah, we also refer to indigenous people as "Indian" here in Brazil, although in Portuguese, "Indian" to refer to indigenous people is "índio" and "Indian" to refer to people from India is "indiano". Small differences, but it can be confusing. xD
Comment has been collapsed.
Native Americans dislike being called "Indian", due to the distinction. It's a term explorers mistakenly coined, believing they'd reached the Far East. I found it odd that Marco was ragging on you for lumping people together, and he's kinda doing the same thing ...
... as clearly I'm not Indian.
Comment has been collapsed.