Security Hole in Greasemonkey

Greasemonkey, in case you haven’t heard of it, is a handy extension for Firefox that allows you to change web pages on-the-fly. For instance, suppose you want continuous updating in Bloglines (so that the left pane with your feeds is always up-to-date? Not a problem. Or maybe you want tag auto-completion in del.icio.us? Can do.

Overall, Greasemonkey is pretty sweet. Unfortunately, a security hole has come to light over the past couple days. Mark Pilgrim, known for his sites Dive Into Mark and Dive Into Greasemonkey, explained it this way:

“This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully ‘GET’ any world-readable file on your local computer.

[this test page] returns the contents of c:\boot.ini, which exists on most modern Windows systems.

[…]

“In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. […] ”

In a later message to the Greasemonkey mailing list, he sounded the alarm:

“Uninstall Greasemonkey altogether. At this point, I don’t trust having it on my computer at all. […]

“[…] And I’m posting a big red blinking warning on every page of diveintogreasemonkey.org advising visitors to uninstall it, until all of these security holes are closed. This is why God invented the <blink> tag.”

I liked his reference to the <blink> tag there; and, yes, security holes and impending nuclear meltdowns are about its only appropriate uses (HHOS). That aside, I have uninstalled Greasemonkey for now. However, I look forward to re-enabling it once the developers work past this.

(Via: Anil, via Leia/IM)

One thought on “Security Hole in Greasemonkey

  1. Precaución con Greasemonkey

    Al parecer, debido al sistema que usa Greasemonkey para inyectar código al cargar las webs, éstas pueden leer los scripts que se cargan en ella. Podéis comprobarlo en esta prueba de concepto.
    Esto tiene algunas implicaciones peligrosas.
    La primer…

Leave a Reply to molgar.net Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.