Greasemonkey, in case you haven’t heard of it, is a handy extension for Firefox that allows you to change web pages on-the-fly. For instance, suppose you want continuous updating in Bloglines (so that the left pane with your feeds is always up-to-date? Not a problem. Or maybe you want tag auto-completion in del.icio.us? Can do.
Overall, Greasemonkey is pretty sweet. Unfortunately, a security hole has come to light over the past couple days. Mark Pilgrim, known for his sites Dive Into Mark and Dive Into Greasemonkey, explained it this way:
“This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully ‘GET’ any world-readable file on your local computer.
“[this test page] returns the contents of c:\boot.ini, which exists on most modern Windows systems.
“In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. […] ”
In a later message to the Greasemonkey mailing list, he sounded the alarm:
“Uninstall Greasemonkey altogether. At this point, I don’t trust having it on my computer at all. […]
“[…] And I’m posting a big red blinking warning on every page of diveintogreasemonkey.org advising visitors to uninstall it, until all of these security holes are closed. This is why God invented the <blink> tag.”
I liked his reference to the <blink> tag there; and, yes, security holes and impending nuclear meltdowns are about its only appropriate uses (HHOS). That aside, I have uninstalled Greasemonkey for now. However, I look forward to re-enabling it once the developers work past this.