Are bookmarklets safe with facebook data?

A bookmarklet is basically a snippet of Javascript that runs on the website. As such, it has access to all your data on the site. Most bookmarklets don't do anything with your data, but it is certainly possible and you should always be careful.


This is very dangerous. Another term for this attack is Self-Inflicted XSS. This article describes a type of malware that convinces its users into executing its javascript payload and then uses Facebook chat to convince your friends to execute the same code. Thus spreading much like a worm.


You should always be careful, also, with which resources a bookmarklet accesses. For instance, one thing that's both useful and dangerous is to create a new script tag and add it to the body of the page. That allows the script to run in that page, and AFAIK it's access restrictions are the same of any other script loaded "the regular way". I've seen bookmarlets like this for Firebug Lite and Delicious, but there might be many more.

The usefullness is obvious: you can do a lot more, and much more complex tasks, using that page data. But the risk is not always obvious, since even if you reviewed the script yourself and found no problem with it, if you don't control the site where the script is coming from you can never be sure that it won't be replaced with a less secure or even malicius one.

On the other hand, I assume the script (being from a different origin) would not be able to make HTTP requests on your behalf, so its damage would be limited to data already present in your browser. But I'm not sure about this, maybe someone more knowledgable in browser access permissions can answer that.