Closed RollingStar closed 9 years ago
Thanks for the heads-up! I've updated all links to point to the HTTPS version of the script.
Note that many users have downloaded a version of the script locally (as a Greasemonkey or Tampermonkey script). They should get a notification to update to version 3.3, which uses HTTPS for the download and update URLs. However, until they install the legitimate update, an attacker could still theoretically intercept and modify the automatic update over HTTP.
Also, users who have already registered the bookmarklet version cannot be automatically updated to an HTTPS version. Their bookmarklet will continue serving the HTTP version, unless they manually update to the new URL.
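The reply above says that the fix lives in the script's download and update URLs (and, for bookmarklet users, in the URL baked into the bookmarklet itself). The following is an added example, not code from this project, showing how a maintainer or a user can audit both places: it parses a Greasemonkey/Tampermonkey metadata block and lists every automatically fetched URL that is not `https://`, and it decodes a `javascript:` bookmarklet and lists any plain-HTTP script source it embeds. The sample script and bookmarklet are constructed for the example, and the `example.invalid` hostnames are placeholders.

```javascript
// Added example (not from the original project): audit a userscript and a
// bookmarklet for code that would be fetched over plain HTTP. Greasemonkey /
// Tampermonkey fetch @downloadURL, @updateURL, @require and @resource targets
// automatically, so any http:// entry there is a point where an on-path
// attacker could substitute code.

const AUTO_FETCHED_KEYS = new Set(['downloadURL', 'updateURL', 'require', 'resource']);

// Parse the "// ==UserScript== ... // ==/UserScript==" header into
// {key, value} pairs. Keys may repeat (e.g. several @require lines).
function parseMetadata(source) {
  const lines = source.split(/\r?\n/);
  const start = lines.findIndex(l => /^\/\/\s*==UserScript==\s*$/.test(l));
  const end = lines.findIndex(l => /^\/\/\s*==\/UserScript==\s*$/.test(l));
  if (start < 0 || end < 0 || end < start) {
    throw new Error('no userscript metadata block found');
  }
  const entries = [];
  for (const line of lines.slice(start + 1, end)) {
    const m = /^\/\/\s*@(\S+)\s*(.*?)\s*$/.exec(line);
    if (m) entries.push({ key: m[1], value: m[2] });
  }
  return entries;
}

// @resource values are "name url"; every other key's value is the URL itself.
function urlOf(key, value) {
  return key === 'resource' ? value.split(/\s+/).pop() : value;
}

// Return every automatically fetched URL that is not served over HTTPS.
function findInsecureUrls(source) {
  const findings = [];
  for (const { key, value } of parseMetadata(source)) {
    if (!AUTO_FETCHED_KEYS.has(key)) continue;
    const url = urlOf(key, value);
    if (!/^https:\/\//i.test(url)) findings.push({ key, url });
  }
  return findings;
}

// A bookmarklet is a percent-encoded "javascript:" URL; decode it and report
// any http:// URL literal it contains (typically the script.src it injects).
function findInsecureBookmarkletSources(bookmarklet) {
  if (!/^javascript:/i.test(bookmarklet)) {
    throw new Error('not a javascript: bookmarklet');
  }
  let body = bookmarklet.slice('javascript:'.length);
  try {
    body = decodeURIComponent(body);
  } catch (e) {
    // Not percent-encoded (or malformed): scan the raw text instead.
  }
  const urls = body.match(/https?:\/\/[^'"`\s)]+/gi) || [];
  return urls.filter(u => !/^https:\/\//i.test(u));
}

// Constructed sample inputs: a pre-fix script whose download/update URLs are
// still plain HTTP, and a bookmarklet that injects a script over HTTP.
const SAMPLE_SCRIPT = [
  '// ==UserScript==',
  '// @name        Example Script (constructed sample)',
  '// @version     3.2',
  '// @downloadURL http://example.invalid/script.user.js',
  '// @updateURL   http://example.invalid/script.meta.js',
  '// @require     https://example.invalid/lib.js',
  '// ==/UserScript==',
  'console.log("hello");',
].join('\n');

const SAMPLE_BOOKMARKLET =
  'javascript:(function(){var s=document.createElement(%27script%27);' +
  's.src=%27http://example.invalid/script.js%27;document.body.appendChild(s);})()';

console.log('userscript findings:', JSON.stringify(findInsecureUrls(SAMPLE_SCRIPT)));
console.log('bookmarklet findings:', JSON.stringify(findInsecureBookmarkletSources(SAMPLE_BOOKMARKLET)));
```

Running it against the constructed script reports the `@downloadURL` and `@updateURL` entries and leaves the HTTPS `@require` alone; against the constructed bookmarklet it reports the single `http://` script source. Switching those URLs to `https://` makes both checks return nothing, which is the state the 3.3 update described above puts installed scripts into, while bookmarklets stay flagged until the user replaces them by hand.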
https://www.fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html
Anyone with access to one's network (open Wi-Fi, ISP) when they try to load this script can change the HTTP JavaScript to some other code. This is a security risk.