Discussion for the unofficial, community-developed addons, extensions and scripts built for the Waze Map Editor.

The official index of these tools is the Community Plugins, Extensions and Tools wiki page.


WME Safe Scripts?

Post by DrivingWithBill
Greetings,
To start I know that my tinfoil hat is on too tight, and I also want to THANK ALL of the script writers out there, without them editing would be so much more difficult. As I get to be more accustomed to using scripts I have noticed the hundreds and hundreds that exist and there appears to be little information out there about safety of these scripts. We are in essence adding a powerful unknown set of code onto our computer without fully knowing what it may do. I get that there are reasons why sometimes the code is hidden, and I recognize even if it was fully visible many would not know what it is actually doing.

However I think there is also value in verification of these scripts. I don't think this would be difficult, it looks like many are already developed by a team of editors who would quickly and easily be able to vouch for things, however as one off scripts come online maybe it would be wise for a senior editor to give their stamp of approval. Maybe it is enough for a script to make it to the WME Script List, who knows. I don't think there are bad actors out there per se but in the age of internet security we should be at least aware of the possibility of abuse and take steps to protect the editors in the community.

I appreciate the countless hours spent by script writers and don't want to discourage them with this post. I also feel it is important to at least raise these topics, or provide guidance to the editing community on best ways to protect oneself.

Post by berestovskyy
Hey DrivingWithBill,
Sorry, it's a bit long read.

Are WME scripts safe?
I have bad news. Not only are there some obfuscated scripts, but on top of that some scripts download their parts from the internet at runtime. Basically, it means that you never know what you are running: you check the source code now, there is no guarantee you run the same code a minute later.

This runtime download property of a script also renders useless any validations or approvals, as the script might be changed anytime.

JavaScript is safe by default?
Nowadays, Spectre and Meltdown vulnerabilities are in the wild. Have a look at the original Spectre paper for an example attack implementation in JavaScript: https://spectreattack.com/spectre.pdf

It's just a few lines of code.

Virtual Machine to the rescue?
More bad news. The Spectre attack technique might be used across host/guest boundaries. It's harder, but there is a possibility.

What do you do?
Use open source scripts, which never download their parts from the internet. If you are able to run a specific version of the script locally, the script is quite safe. You can review this specific version or ask someone to review it.

The WME Validator and some other scripts are like this: open source, no internet dependencies.

Scripts to avoid?
The last bad news for today. We had a precedent with an obfuscated script having some "extra" functionality. I can't go into details, as the author of that script still has moderator privileges on this forum...

So just be careful ;)
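The two properties berestovskyy warns about above, obfuscation and code fetched at runtime, can be screened for before a script is installed. The following is an added example, not part of the original thread or of any WME script; the rule names, thresholds and both sample scripts are constructed for illustration, and the `#sha256=` pin relies on Tampermonkey's subresource-integrity support for `@require`/`@resource`.

```javascript
// Added example: static pre-install check for a Tampermonkey-style userscript.
// Rule names and thresholds are assumptions chosen for illustration.
const META_RE = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/;

function parseMeta(source) {
  const block = source.match(META_RE);
  const meta = [];
  if (!block) return meta;
  for (const line of block[1].split('\n')) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s*(.*)$/);
    if (m) meta.push({ key: m[1], value: m[2].trim() });
  }
  return meta;
}

function auditUserscript(source) {
  const findings = [];
  for (const { key, value } of parseMeta(source)) {
    // External code or data without an integrity hash can change after review.
    if ((key === 'require' || key === 'resource') && /https?:\/\//.test(value) &&
        !/#.*\bsha(?:256|384|512)[=-]/.test(value))
      findings.push(`unpinned-${key}: ${value}`);
    // Auto-update means the reviewed version is not necessarily the running one.
    if (key === 'updateURL' || key === 'downloadURL') findings.push(`auto-update: ${value}`);
    if (key === 'grant' && /^GM[_.]xmlhttpRequest$/i.test(value))
      findings.push(`cross-origin-fetch: ${value}`);
  }
  const body = source.replace(META_RE, '');
  const rules = [
    ['dynamic-eval', /\beval\s*\(|\bnew\s+Function\s*\(/],
    ['script-injection', /createElement\(\s*['"]script['"]\s*\)/],
    ['obfuscation', /\b_0x[0-9a-f]{3,}\b|(?:\\x[0-9a-f]{2}){8,}/i],
  ];
  for (const [name, re] of rules) if (re.test(body)) findings.push(name);
  if (body.split('\n').some((l) => l.length > 2000)) findings.push('minified-line');
  return findings;
}

// Constructed sample inputs (not real scripts).
const RISKY = `// ==UserScript==
// @require     https://example.invalid/lib.js
// @updateURL   https://example.invalid/s.user.js
// @grant       GM_xmlhttpRequest
// ==/UserScript==
GM_xmlhttpRequest({ url: 'https://example.invalid/part.js', onload: (r) => eval(r.responseText) });`;
const PINNED = `// ==UserScript==
// @require     https://example.invalid/lib.js#sha256=PLACEHOLDER
// @grant       none
// ==/UserScript==
console.log('self-contained');`;
```

A non-empty result marks a script for manual review of the flagged lines; an empty result only means none of these particular patterns were found.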

Post by DrivingWithBill
Thank you for your thoughtful insight and suggestions.

Post by DrivingWithBill
This is disappointing to hear. Also problematic if an unscrupulous character did do something and that they are STILL a trusted member of the community and therefore unable to disclose what hacking activity they did.

Post by dude495
Is it possible, absolutely. Is it probable from a WME Script Author, absolutely not. The scripting team in WME are trusted editors within the community. We aren't out to get you or anyone else for that matter, we all share the same goals to better Waze. If you have questions regarding a specific script, feel free to ask any other community member and they'll tell you whether that's a legit script or not as most scripts used are used by many and red flags would get around fairly quickly.

If you fear the extremely rare chances of something bad happening, then use your own discretion on whether or not to install it.

Post by dude495
Mvan231 wrote: I never really had much thought about devious activity with the scripts, but there are certainly some concerns with running scripts of any type from any source unless you understand what is going on inside of them.
Just like downloading software from the internet, don't install it unless you know it's from a trusted source.

Post by iainhouse
As Justin said, the vast majority of scripts aren't hidden in any way. The source code is out there in the open, available for anyone to see. And it's a damned good thing that it is - I, like many other script authors, got started by looking at the existing scripts to see how they worked. I could never have got as far as I have without liberally "borrowing" from my colleagues. "Standing on the shoulders of giants". :mrgreen:

Apart from that, the most popular scripts are being produced by long-standing members of the Waze community. They have topics here on the forum where they publish details, discuss issues and answer questions. Even if you only know the script-writer's Waze username, you still know it's someone who has a history and a reputation to lose if they try something dodgy - and doing so without it being spotted would be tough.

I don't think you will get much take-up for any sort of semi-official verification process. After all, the senior script writers already have enough to do maintaining their own scripts, and may not want to make themselves responsible for saying that another script is safe.

But this is a community - and it can work like that. For a start, you could look at the code yourself, or ask someone who knows a bit of programming to do so. From there it can work up the chain: if you can't work out what it's doing, there may be a topic on the forum for the script where you can ask. If there isn't such a topic, there's no reason why you can't create one and ask about a particular script.

At the end of the day, you're right - scripts can potentially do harmful things. You have to rely on the community. Do your fellow editors use it? Is there an active forum topic for it? Is the author a long-time Waze member, with plenty of activity on the forum?

Post by JustinS83
DrivingWithBill wrote: ... and there appears to be little information out there about safety of these scripts. We are in essence adding a powerful unknown set of code onto our computer without fully knowing what it may do. I get that there are reasons why sometimes the code is hidden, and I recognize even if it was fully visible many would not know what it is actually doing.
There are only 3-4 scripts that are obfuscated that I know of. All the rest you can open the Tampermonkey dashboard and read the code for them in your leisure time.

Post by Mvan231
I never really had much thought about devious activity with the scripts, but there are certainly some concerns with running scripts of any type from any source unless you understand what is going on inside of them.

Post by mythdraug
I agree with what iainhouse says above, but will acknowledge that I had similar concerns as DrivingWithBill when I was introduced to the scripts. That concern was one of the reasons why I pushed all my editing into a virtual machine that I only use for editing related activities.