Slashdot Mirror


Firefox Greasemonkey Extension Security Problem

Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"

14 of 443 comments

  1. Why Uninstall? by SenFo · · Score: 5, Informative

    "Time to uninstall GM?"

    Why not just do what the article says and "Install Greasemonkey 0.3.5"?

    1. Re:Why Uninstall? by phasm42 · · Score: 4, Informative
      Because:
      Greasemonkey 0.3.5 is a "neutered" version of Greasemonkey, lacking any of the GM* APIs which make Greasemonkey scripts more powerful than regular HTML. This means that scripts which depend on GM* APIs will fail with Greasemonkey 0.3.5.
      --
      "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
    2. Re:Why Uninstall? by Anonymous Coward · · Score: 3, Informative

      The idea is that the scripts which you let loose on the page can use the GM API to do things which are beyond (unsigned) web scripting, like reading a preferences file. These capabilities are only meant to be used by GM scripts. The problem is that scripts don't work on the page "from the outside". They are injected into the page. The GM API can't properly tell a webscript from a GM script. Consequently webauthors can access the GM API from scripts which come with the webpage. It's cross site scripting, so to speak, where one site is the webpage and the other is the (indistinguishable) GM context.

    3. Re:Why Uninstall? by sketerpot · · Score: 3, Informative

      This isn't a big deal. It means you lose:

      1. Logging of GM script debug messages. Inconvenient if you're a script author, but not for anyone else.
      2. Script-specific configuration values. I don't think these are commonly used, but they could be nice to have. Oh well, chances are your scripts will keep working.
      3. Adding commands to the Tools->User Script Commands submenu. If, like me, you didn't know this submenu even existed, no loss.
      4. Fancy GM_XmlHttpRequest. This is just like XmlHttpRequest but without domain restrictions. This may cause a few extensions to stop working (not many, but a few), but it also closes the security hole.

  2. Here's TFA by RamboIII · · Score: 3, Informative
    Important Announcement

    A severe security issue has been discovered in Greasemonkey versions prior to 0.3.5 as well as the early 0.4 alphas which some people may have installed.

    Install Greasemonkey 0.3.5 or uninstall Greasemonkey immediately.

    More information on Greaseblog.

    Greasemonkey is a Firefox extension which lets you add bits of DHTML ("user scripts") to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page's style, user scripts let you easily control any aspect of a web page's design or interaction.

    For example, you could:
    - Make sure that all URLs displayed in the browser are clickable links
    - Improve the usability of a site you frequent
    - Route around common and annoying website bugs
    - Use the Coral content network selectively.

    Getting started:
    Install Greasemonkey 0.3.5. Learn how to use Greasemonkey. Find useful scripts.

    Greasemonkey was heavily inspired by Adrian Holovaty's site-specific extension for All Music Guide and the conversation which ensued after he published it. There were tons of sites I wanted to create SSE's for, but fully-fledged firefox extensions proved too cumbersome. I wanted it to be as easy to create an SSE as it is to write DHTML.

    The current maintainers are Aaron Boodman and Jeremy Dunck with the invaluable help of an awesome community of user script enthusiasts.

    For questions or comments about greasemonkey, please send a message to the greasemonkey mailing list. Copyright © 2000-2005. All rights reserved. Terms of Use & Privacy Policy.

    Notice how they avoid explaining the problem/solution. They just want you to see these new exciting features, and download it now!

    --
    Time is comparison of movement to other movement.
  3. Re:Windows Feature? by phasm42 · · Score: 3, Informative
    --
    "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
  4. Re:But, but, but by Koiu+Lpoi · · Score: 4, Informative

    You're correct. It was discovered by a white hat.

  5. Um, you don't actually use Firefox do you? by mcc · · Score: 3, Informative

    It should be up to the individuals to decide if they want to make such significant mods to their system as purposefully crippling software.

    You mean like in Firefox, where when updates are available all the auto-update feature does is display a little "updates available" icon in a browser window, then offer to install the updates when you click the icon?

  6. Re:Uninstall / Remove by AnObfuscator · · Score: 3, Informative

    Go to "tools", go to "Extensions", click on the Greasemonkey extension and click "uninstall" or "update".

    --
    multifariam.net -- yet another nerd blog
  7. 1986 by Spazmania · · Score: 4, Informative

    In 1986 I wrote a Commodore 64 terminal program that allowed BBS' to download and run bits of assembly code onto the user's machine in order to enhance the user's experience. It took about 48 hours before someone posted a message that executed a jump to address 64738 -- system reset.

    Bad idea then. Worse idea now, no matter how much supposed security you surround it with.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  8. Re:What should be done. by westlake · · Score: 3, Informative
    Browser Helper Objects...can be installed completely silently...They are a pain to uninstall as well

    Microsoft's Anti-Spyware monitors the installation of BHOs. BHOs can easily be blocked or removed: MS Antispyware > Advanced Tools > System Explorers > Internet Explorer > IE BHOs.

  9. Re:It's about time by ad0gg · · Score: 4, Informative
    Umm, IIS6 has fewer exploits and no unpatched vulnerabilities compared to Apache 2.0.x which still has unpatched vulnerabilities.

    IIS 6 Exploits
    Apache 2.0x.

    Please do some basic research before making comments on security.

    --

    Have you ever been to a turkish prison?

  10. Re:More details on the exploit... by DavidTC · · Score: 3, Informative
    People who don't understand this security flaw need to SHUT THE FUCK UP.

    Greasemonkey 'adds' stuff to Javascript. Any page on the internet can use these additions.

    If you have Greasemonkey installed, and Javascript enabled (Greasemonkey is rather pointless without Javascript anyway.), you are at risk.

    You can't 'be safe' by only doing certain things, because the flaw is that any page on the internet can call Greasemonkey functions. (Any page that can use Javascript, at least.) It has nothing to do with you.

    It is possible to use Greasemonkey with the NoScript extension to disable Javascript globally and then re-enable it only on a few trusted sites...but no one uses Greasemonkey on 'trusted' sites, we use(d) it to hack up stupid-ass pages that had eight square inches of content per page with the rest ads and fancy graphics.

    If you absolutely require Greasemonkey to make some internal site work, and are willing to disable Javascript on the entire rest of the internet, NoScript might be worth a try. Otherwise, get rid of Greasemonkey, NOW.

    --
    If corporations are people, aren't stockholders guilty of slavery?
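
The flaw described in the Anonymous Coward and DavidTC comments above, as an added example that is not part of the thread or of Greasemonkey's own code. It is a simplified model: `pageGlobal`, `runInPage` and the two injector functions are hypothetical names, and `GM_xmlhttpRequest` is a stand-in that only records who called it.

```javascript
// Constructed model: pageGlobal stands in for the page's window object and
// GM_xmlhttpRequest for a privileged extension API. Nothing touches the network.
function makePrivilegedApi(calls) {
  return {
    GM_xmlhttpRequest(details) {
      calls.push(details.url); // record every caller that reached the privileged function
      return "privileged response for " + details.url;
    },
  };
}

// Run script source the way a page would: bare names resolve to properties of
// the page global, plus any private bindings passed only to this one script.
function runInPage(pageGlobal, source, privateScope = {}) {
  const scope = { ...pageGlobal, ...privateScope };
  const fn = new Function("window", ...Object.keys(scope), `"use strict";\n${source}`);
  return fn(pageGlobal, ...Object.values(scope));
}

// Pattern the thread describes: the API is placed on the page global so the
// user script can find it, which makes it equally visible to page scripts.
function injectOnPageGlobal(pageGlobal, api, userScript) {
  Object.assign(pageGlobal, api);
  return runInPage(pageGlobal, userScript);
}

// Separated pattern: the API is bound only inside the user script's own scope.
function injectAsPrivateBinding(pageGlobal, api, userScript) {
  return runInPage(pageGlobal, userScript, api);
}

// Constructed sample scripts; example.invalid is a reserved placeholder host.
const USER_SCRIPT = `return GM_xmlhttpRequest({ url: "https://example.invalid/user-script" });`;
const PAGE_SCRIPT = `
  return typeof GM_xmlhttpRequest === "function"
    ? GM_xmlhttpRequest({ url: "https://example.invalid/page-script" })
    : "no privileged API visible";`;

function runScenario(inject) {
  const calls = [];
  const pageGlobal = {};
  inject(pageGlobal, makePrivilegedApi(calls), USER_SCRIPT); // extension runs the user script
  const pageResult = runInPage(pageGlobal, PAGE_SCRIPT);     // then the page's own script runs
  return { calls, pageResult };
}

console.log(runScenario(injectOnPageGlobal));
console.log(runScenario(injectAsPrivateBinding));
```

The model covers name visibility only; it does not model a page tampering with DOM objects that the user script later touches.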
  11. Re:It's about time by jerw134 · · Score: 4, Informative

    Surprisingly enough, IIS5, still in wide use, has unpatched vulnerabilities.

    OK, stop with the pure FUD. Using the Secunia link you provided, it shows that IIS5 has one unpatched vulnerability, which is rated Not Critical, which is the lowest rating possible. Not only are the unpatched flaws in Apache more serious, there are also more of them! Please, stop with the BS.