TouchedByDarkness / PixelPlanet-Bot

Bot for pixelplanet.fun. Several drawing modes are supported.
24 stars 17 forks

This is beyond ridiculous... #6

Open prozacgod opened 1 year ago

prozacgod commented 1 year ago

Don't install this software, it's so heavily obfuscated it's probably a virus or back door.

Arsenicus commented 1 year ago

It's not heavily obfuscated. It does ping the void server and might grab your ip, but nothing more.

prozacgod commented 1 year ago

As far as I can see the code is entirely encoded base64 blobs of heavily obfuscated javascript code.

Is there a branch where there isn't obfuscated code? Is there some other repo?

This commit log here LITERALLY says "reobfuscate"

https://github.com/TouchedByDarkness/PixelPlanet-Bot/commit/6a4b6ef3c84b9e44b9e5b9fc23cc524fab3dfa09

The repo also has a remote code loading scheme. This has security implications. The author can easily change the code in the repository when they feel like it and the users will get a new base64 blob of obfuscated javascript.

The only mitigation from harm in this scenario is that the current user.js file is restricted to the domain names for pixel planet editor sites. I suppose on a whim the author could turn all users into bots painting their pixels into these shared art spaces. That's not to say things like zero days where a js exploit could be let loose to users of this extension.