I was wondering if it is possible to share a TamperMonkey script with only certain people and use their fingerprints so they can't share the script with anyone else. Is it possible?
Asked
Active
Viewed 187 times
3 Answers
1
No approach is foolproof. Someone who's interested and skilled enough will be able to find a way past whatever protection measures you put in place. Userscripts run on the client's machine; the client machine must possess the code in order to run it, and the client has full control of their own machine, so someone who knows a bit of how browsers and userscripts work will probably be able to figure out a workaround regardless.
But you can make it harder for a script to be shared. One possibility would be for the userscript proper (with the metadata block and such) to not contain the actual interesting code, but to instead only contain code that remotely fetches text from a server you control. Your server then responds with the actual code if the user is permitted to run the script, and if so, the userscript on the user's machine runs the script response (for example, with an appended <script> tag, or something like that).
To identify whether a particular client should be given the script, you could set up a login system. Require the user to send their credentials when initially requesting the script. Then validate those credentials not only in the database on your server, but also against a browser fingerprint, and also against the known IP address(es) of the user. Only send the code if all three match. (When signing up a user for the first time, you'll need to get their IP address somehow, such as by sending them a personalized link to your site.)
That makes it harder for your script to be shared because if the user simply shares the original script with someone, it won't work. If the user shares the original script and their network connection, it won't work unless the browsers have identical fingerprints. But someone intelligent enough will know they can open their browser's devtools and gain access to the meat of the code, and share that.
There are other approaches, but that's still a lot of work for you, the script-writer to implement, and fundamentally, this is not a solvable problem. IMO, don't bother; embrace open source.
Michael M.
- 10,486
- 9
- 18
- 34
CertainPerformance
- 356,069
- 52
- 309
- 320
0
The whole point of a script is that it's some text that has meaning to a computer. There's nothing you can do to stop someone from simply copying and pasting, and thus nothing stopping them from sharing it. However, while you can't really stop anyone from sharing the script, there are some things you can do to get in their way.
Using real biometric fingerprints would be really hard, considering most computers do not have a fingerprint sensor and from a permissions standpoint. It'd be best to only allow some browser fingerprints instead. Using some advanced techniques, some smart people found out that you can run some JS code and get a number that is unique to the running browser each time. Consider looking into a package like get-browser-fingerprint to get browser fingerprints and simply quitting the script if the fingerprint doesn't match one of the presets.
However, anyone can still just change the code to remove this protection, so you'll want to obfuscate the whole script. This means running it through a program that makes it really ugly and really confusing, but still runnable. Obfuscation is reversible, but it takes quite a bit of work. Here's an example from this online JS obfuscator:
console.log('hi');
becomes
var _0x2be90f=_0x337b;function _0x5af6(){var _0x1cec7f=['17774990EijQlt','7657191Hbnsrq','10meabHV','328mRoSjv','3366273JDQtfM','1855566rgrUtg','960084UnADqG','1NcwfoY','135282VOtoAu','log','2552244wDCqcA'];_0x5af6=function(){return _0x1cec7f;};return _0x5af6();}function _0x337b(_0x2fbccd,_0x5871c5){var _0x5af66a=_0x5af6();return _0x337b=function(_0x337b45,_0x43fff6){_0x337b45=_0x337b45-0x174;var _0x574e2d=_0x5af66a[_0x337b45];return _0x574e2d;},_0x337b(_0x2fbccd,_0x5871c5);}(function(_0x58a2b9,_0x3115b5){var _0xbf3873=_0x337b,_0x2fa375=_0x58a2b9();while(!![]){try{var _0x4bd27c=parseInt(_0xbf3873(0x17d))/0x1*(-parseInt(_0xbf3873(0x17b))/0x2)+parseInt(_0xbf3873(0x17a))/0x3+-parseInt(_0xbf3873(0x17c))/0x4+-parseInt(_0xbf3873(0x178))/0x5*(parseInt(_0xbf3873(0x175))/0x6)+-parseInt(_0xbf3873(0x17e))/0x7*(-parseInt(_0xbf3873(0x179))/0x8)+-parseInt(_0xbf3873(0x177))/0x9+parseInt(_0xbf3873(0x176))/0xa;if(_0x4bd27c===_0x3115b5)break;else _0x2fa375['push'](_0x2fa375['shift']());}catch(_0x381ba4){_0x2fa375['push'](_0x2fa375['shift']());}}}(_0x5af6,0xc8d4d),console[_0x2be90f(0x174)]('hi'));
And, finally, if you want to use the Big-Tech approach, then threaten your friends with legal action for violating your copyright on the script if they share it (this is a joke).
Michael M.
- 10,486
- 9
- 18
- 34
-1
I don't know anything about TamperMonkey but I'll post an idea anyway...
I offer a certain service to users (client-side) subject to a donation and the way I ensure it only works on their computer systems and no other, is to check their MAC address which is accessible to me thanks to node.js which I can utilize in my project's environment.
I hope this helps.
tempuser
- 19
- 2
-
OP needs this for a browser userscript, not node.js – Michael M. Mar 12 '23 at 04:51