Firefox Greasemonkey Extension Security Problem

Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"

Re:Um, you don't actually use Firefox do you?

[tomhudson]

Re:Um, you don't actually use Firefox do you?

You mean like in Firefox, where when updates are available all the auto-update feature does is display a little "updates available" icon in a browser window, then offer to install the updates when you click the

You make 2 assumptions, both wrong:

1. You assume I don't use firefox - I do
2. You assume I use Windows - I don't - the update mechanism is different under linux

Calling it an update, when in actual fact its not, is not the way to engender trust among users. Its also illegal to cripple functioning software on a persons computer w/o their informed consent, as I've pointed out elsewhere.

This was decided by the courts almost 20 years ago, when L'Oreal and their IT supplier got into a dispute, and the IT supplier unilaterally disabled L'Oreal's software. The IT supplier lost, damages in the millions were awarded.

Re:It's about time

[I'm+Don+Giovanni]

Thank you.
Many slashdotters keep trotting out the IIS vs Apache canard, just assuming that Apache is more secure, when the opposite appears to be the case. That this keeps being put forth as fact brings into question the other statements thrown around here as if they are axioms with no need for any supporting evidence.

Re:It's about time

[geekboy642]

Surprisingly enough, IIS5, still in wide use, has unpatched vulnerabilities.
http://secunia.com/product/39/

Also, the only unpatched Apache exploit is an insecure temp file problem. Do you know of a decent-sized Apache-running website that allows rlogin from malicious users? That's why it's called less critical.

Also of interest is the comparison...Apache has more exploits or lesser criticality, and most require a mis-configured web-server before succeeding. Many IIS exploits are more severe, also succeeding on a properly-configured web-server.

Re:The next messge in the thread is worrisome

[tomhudson]

Nice analysis, except that I found about it from RTFA (gawd, yes, I'm actually someone who Reads The Finbe Articles. You found out my secret! Agggh! I'll have to turn in my geek card AND get a 900000-range UID! Sob :-(

All kidding aside, I wouldn't have known if I hadn't read the article. My beef wasn't with removing functionality, it was with the way it was done, and the thought processes that seemed to be behind it (at least, from what I could tell from the post that I cut-n-pasted here that started this whole thing ...)

Add that to them possibly trying to make previous versions unavailable so that anyone who DID "update" and then found that they needed the previous functionality, and were now SOL ... as I said originally, the whole mess doesn't sit right with me.

Lets take another case. If it were, for example, software that I was using on one of the servers here, and the distro maintainers decided to pull a shot like this it would make me start checking out other distros RSN. Its about trust, open communications, and how you handle a problem.

I mean, this message:

I found out that since Greasemonkey is distributed on
addons.mozilla.org it will automatically update itself, even though I
didn't put that in the code.

Neat. I'm going to upload the neutered versions at 7pm PST. It'd be
great if people could poke it a little before then.

... just doesn't pass the smell test.