Quote from: Shroomeister on August 29, 2012, 12:59 am
Code:
    function GM_XHR() {
        this.type = null;
        this.url = null;
        this.async = null;
        this.username = null;
        this.password = null;
        this.status = null;
        this.headers = {};
        this.readyState = null;
        this.open = function(type, url, async, username, password) {
            this.type = type ? type : null;
            this.url = url ? url : null;
            this.async = async ? async : null;
            this.username = username ? username : null;
            this.password = password ? password : null;
            this.readyState = 1;
        };
    }

You guys keep pointing to this block of code. Is it because you see the words "password" and "username"?

I first and foremost am not a Java guy, but I happen to know some other stuff that I would venture to say allows me to understand most of this code. With that said, I have NOT looked at all this code; I have NOT even downloaded this script. I am not validating the whole thing, just referring to this block above.

Before I even searched anything I saw the function defines (don't know if that is what they are called in Java). Where it says:
Code:
    function GM_XHR() {
        this.type = null;
        this.url = null;
        this.async = null;
        this.username = null;
        this.password = null;
        this.status = null;
        this.headers = {};
        this.readyState = null;

null = nothing = blank = 0.

So in other words, when the code flows... and it gets to a point where it "thinks" it may need a password... the code checks the defines... and the define is null... means no password.

The OP used a library to make coding this easier. Almost all coders do. I never met a coder who doesn't. The reason is, why would you write EVERY SINGLE line of code from scratch when you can "drop in and reference a library" and gain the functionality that you want.

A quick Google search for the function name "function GM_XHR()" brought me to:
http://wiki.greasespot.net/GM_xmlhttpRequest

Which then shows you that this function of the code is to "poll" Mt.Gox Live for data... You do not need a password and user name in order to view Mt.Gox Live (we all know that). Hence... the defines are null!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I hope you all now understand that this part of the code is totally safe and fine.

I have not looked over the whole code because, as I said, I am not a Java guy... and if the OP had malicious intent, he would be able to hide it in the code probably better than I could uncover it.

However! This type of script does nothing more than query (ask) Mt.Gox Live for the price, and then embed it into your local HTML. There isn't much of a place for the author to hide anything scary. Or I should say, the author would have to go to real extremes to get it in the code and undetected to the average coder's eyes.

I know people are normally scared of things that they don't understand, but I must admit I am still a bit disappointed in y'all crying wolf without a regarded expert weighing in on this first.

I consider you all the internet elite to have made it here (SR), but I suppose with Tor Browser Bundle and every other aspect just a download and click away, I may have been mistaken. :\


I weighed in here only to encourage people to check the code before they implemented the script. With my complete lack of coding knowledge, I'm not going to be using it, regardless of whether others say it's safe or not. I'd rather know that I'm taking the necessary precautions to remain secure than implement things I don't fully understand.

Having admitted that I have no coding knowledge, and essentially guessing here, would it not be possible for the author of this script to release an updated version of it at some stage in the future, having perhaps garnered the trust of the community, with the 'null' properties changed in order to facilitate a mass grab of usernames and passwords? I realise that people could go through the source and find these changes, but, as we can see here, a potentially large number of users may install and use it before they or anyone else combs through it looking for vulnerabilities.

I simply see no reason to risk security for convenience when it's possible to divide the USD amount by the current local : USD currency conversion rate, a process which literally takes 2 seconds on a calculator. Sure, it'd be nice to see things listed in my local currency, but given the fact that I can purchase drugs and other items anonymously from the comfort of my own home, it's not something that I personally absolutely need to have.
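Both posts above turn on the same question: what does this GM_XHR wrapper actually hand to Greasemonkey when the script polls for a price, and how would you notice if a later version started handing over more? The following is an added example, written for this thread; it is not the userscript's code, not the Greasespot wiki's adapter, and not either poster's. It completes the quoted constructor with the minimum `setRequestHeader`/`send` methods such a wrapper needs, and replaces the real `GM_xmlhttpRequest` (which only exists inside Greasemonkey) with a recording stand-in so the call can be inspected under plain Node. The URL and the credentials passed in the second scenario are constructed for the demonstration and are not the real Mt.Gox endpoint or anyone's login.

```javascript
// Added example for this thread, not the script's own code.
// Recording stand-in for Greasemonkey's GM_xmlhttpRequest: logs the
// details object instead of making a request, then fakes a 200 response
// so the wrapper's onload path runs. The function name is the API name
// the wrapper expects; the body is ours.
const recordedRequests = [];
function GM_xmlhttpRequest(details) {
  recordedRequests.push(details);
  if (typeof details.onload === "function") {
    details.onload({ status: 200, responseText: '{"last":"10.00"}' }); // constructed response
  }
}

// The quoted constructor, completed with the two methods a jQuery-style
// XHR adapter must have before it can send anything.
function GM_XHR() {
  this.type = null;
  this.url = null;
  this.async = null;
  this.username = null;
  this.password = null;
  this.status = null;
  this.headers = {};
  this.readyState = null;
  this.responseText = null;
  this.onreadystatechange = null;

  this.open = function (type, url, async, username, password) {
    this.type = type ? type : null;
    this.url = url ? url : null;
    this.async = async ? async : null;
    this.username = username ? username : null;
    this.password = password ? password : null;
    this.readyState = 1;
  };

  this.setRequestHeader = function (name, value) {
    this.headers[name] = value;
  };

  // send() is the only place the wrapper talks to Greasemonkey, so it is the
  // method to read (and diff between versions) to learn what leaves the browser.
  this.send = function (data) {
    const self = this;
    GM_xmlhttpRequest({
      method: this.type,
      url: this.url,
      headers: this.headers,
      data: data === undefined ? null : data,
      onload: function (rsp) {
        self.readyState = 4;
        self.status = rsp.status;
        self.responseText = rsp.responseText;
        if (typeof self.onreadystatechange === "function") self.onreadystatechange();
      },
    });
  };
}

// Drive the wrapper the way a ticker script would (an unauthenticated GET),
// optionally passing credentials to open() to show they are stored on the
// wrapper but, with this send(), never forwarded. Returns both views.
function pollTicker(url, username, password) {
  recordedRequests.length = 0;
  const xhr = new GM_XHR();
  xhr.open("GET", url, true, username, password);
  xhr.send();
  return { xhr: xhr, outgoing: recordedRequests[0] };
}

// Reviewer check: the non-callback keys the wrapper forwards to
// GM_xmlhttpRequest. A new key appearing here in a later release (e.g. one
// carrying this.username/this.password) is exactly what to look for.
function forwardedKeys(outgoing) {
  return Object.keys(outgoing).filter((k) => typeof outgoing[k] !== "function").sort();
}

const plain = pollTicker("https://example.invalid/api/ticker"); // constructed URL
console.log(plain.xhr.username, plain.xhr.password); // null null
console.log(forwardedKeys(plain.outgoing));          // [ 'data', 'headers', 'method', 'url' ]
```

Run it with `node` and compare the printed key list against the `send()` of any future version of the script; the constructor's `null` defaults only tell you the wrapper starts empty, while `send()` tells you what it is willing to transmit.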