Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Greasemonkey Extension Security Problem

Posted by CmdrTaco on from the uninstall-it-now-man dept.

Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"

18 of 443 comments (clear)

  1. More Ammo by GuitarNeophyte · · Score: 5, Insightful

    Just more ammo for the mega-powers to say, "See, when it becomes mainstream, it becomes more insecure. Come back to windows."

    Marvelous.

    Luke
    ----
    Be smart. Teach others. ChristianNerds.com

    1. Re:More Ammo by ssj_195 · · Score: 4, Insightful

      If they do (as they doubtless will), you can simply say that this is an optional extension used by a minority of Firefox users (and since not even Firefox is fully "mainstream", this puts it about as far from the mainstream as you can get :P), and there are currently no exploits in the wild. You can also add that it was found by a white-hat, and so is a validation of the "many-eyes" theory, if you want. Spin works both ways ;)

    2. Re:More Ammo by arrow · · Score: 4, Insightful

      The diffrence is your spin will never be heard by the media.

      --
      symetrix. We are building a religion, a limited edition.
    3. Re:More Ammo by Phisbut · · Score: 4, Insightful
      I'd hardly call Greasemonkey "mainstream" :o)

      Plus, the solution "uninstall it until we fix it" is pretty decent when it comes to security. Think we'll ever hear "Uninstall IE until we fix it" anytime soon? :o)

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
  2. What should be done. by sykjoke · · Score: 4, Insightful

    The firefox guys should have realized that extensions are a HUGE security threat, possibly even worse than anything that's come out of IE. What they should have done is setup some permissions from the first place, so that you can allow or prevent extensions from performing sensitive operations. Something similar to the Java security model would have been good enough

    1. Re:What should be done. by cybersaga · · Score: 3, Insightful

      This is why Firefox makes you whitelist a site before downloading an extension.

      Forcing you to intentionally accept extensions is not a big security threat at all.

      This is just a bug. Bugs happen. It's been fixed already.

      --
      Web Design Tips
    2. Re:What should be done. by Buzz_Litebeer · · Score: 3, Insightful

      That is incredibly uninformed. IE can run Browser Helper Objects, and they can (many times) be installed completely silently. A cleverly written BHO can steal all information you are entering into your computer, even if it is unrelated to actual browsing, depending how clever the person is in writing it. They are a pain to uninstall as well. Extensions for firefox are uninstallible from a menu, and they are whitelisted before they ever get to you, so that you can avoid some of the fly by installs that BHOS enjoy.

      --
      If you don't vote, you don't matter, so don't waste your time telling me your opinion
    3. Re:What should be done. by telecsan · · Score: 5, Insightful

      Even after you've installed an extension, you shouldn't be forced (by Firefox) to accept any and all behaviour it tries to produce. I should be able to install a toolbar and prevent it from calling home, for example. You should be able to set the permissions or at least the 'run-as' of the toolbar separately from the permissions of Firefox. Surely the security-conscious /. community should realize that.

  3. Re:Why Uninstall? by DrEldarion · · Score: 4, Insightful

    See, you're making the (frequently-made) mistake of assuming that people actually read anything but the headline of the articles they're referencing.

  4. A HELPFUL TRANSACTION. by Anonymous Coward · · Score: 5, Insightful

    (MAN) Sirs, I am in dire need of a web-browser! The one thus furnished to me by Mr. Gates of Redmond is rickety and unsafe, and prone to inviting the most deadly of spy-ware into my parlor!
    (MOZILLA SOCIETY REPRESENTATIVE) Why, good sir, we shall help you forthwith! We have exactly the web-browser that you need! It has been engineered to the most careful of specifications, and its security is without compare!
    (MAN) Why then I shall have one immediately!

    (LATER)

    (RANDOM STREET URCHIN) Sir, I see that you have this day procured a web-browser, which I see under your arm. May I convince you to also take this complex contraption of my own invention, which will attach to your web-browser as a "plug in"?
    (MAN) What, what? An inscrutable device of unclear ultimate function furnished by a stranger of whom I know nothing? Yes, yes, why not. Now run along, lad.

    (LATER THAT NIGHT, THE CONTRAPTION PROVIDED BY THE STREET URCHIN EXPLODES, SETTING THE WEB BROWSER AFLAME.)

    (MAN) What's this? Oh, mama! The web-browser I have this very day recieved from the Mozilla Society has immolated, consuming my drapes and lighting my house aflame. They told me it was secure! Lies! Betrayal! Those Mozilla Society rapscallions! I'll give them what for!

  5. ING by samjam · · Score: 3, Insightful

    StudyING it (it takes time) and they HAVE found it is not secure, just like the millions of eyes are supposed to do.

    One of them is bound to notice, eh?

    So it works! Sweet!

    Sam

    --
    blog.sam.liddicott.com
  6. Maybe I'm clueless, but... by ded_guy · · Score: 4, Insightful

    I admit that I haven't yet tried out GreaseMonkey, but when I look at the exploit code it raises one really big question. Why isn't there some way to prevent non-user script from accessing the GreaseMonkey objects? Wouldn't this allow the user to retain all the ability they have now while rendering scripts from malicious sites harmless? Seeing as how GM is meant to be a means for the user to use scripts to modify pages, it seems very odd that anything outside of user script would be able to access its functionality.

    I realize it's likely due to the nature of Firefox's JS interpreter, but if this sort of separation isn't viable could someone enlighten me as to why?

    --
    In the future, all spacecraft will be made of cheese.
  7. Playing in the sandbox by jfengel · · Score: 4, Insightful

    Why would you say that a sandbox model is overly restrictive? The Java sandbox model has many routes out; it means that you can specify what permissions an application has, not forbid all of them. The Java model comes with nearly all permissions set to "no", but they can be opened.

    That said, I haven't seen a really good way to manage permissions. It's just not practical for an applet to say, "In order to run this, you need these 47 permissions" and expect you to fix that. With cleverness the modeler could create roles with aggregates of permissions, so that you can say, "This app needs access to your browser UI" (like Tabbrowser).

    Still, that's asking the user to make a lot of security judgments based on trust. Some extensions/applets/ActiveX should be allowed to modify your hard disk; most shouldn't. How can the user tell?

    It's a hard problem, one that I don't have a good answer to. I know Microsoft's solution (based purely on a yes/no trust decision) sucks. But I'd say the problem isn't the over-restrictiveness of the sandbox, but the difficulty of asking the user to manage his/her sandbox well.

  8. Re:It's about time by Mantus · · Score: 4, Insightful

    I'm not sure why this post got modded as flamebait, It's somthing that will happen. As FF gets more popular more holes will be found, some won't get reported right away. MS aren't the only people that don't write 100% secure code.

  9. Re:Isn't it the same? by Blitzenn · · Score: 4, Insightful

    IE's vulerabilites are admittedly in the same area. It is not that IE installs bad code, it is that it allows bad code to be installed. I don't see the difference. I am not defending IE at all, but Firefox is starting to quack like a duck too, it seems to me.

    Perhaps there is some credibility to the arguement that once usage of a software package becomes widespread enough, there will be people who find ways to use it to their (malicious) advantage, regardless of the built in security features.

  10. Re:Let's Throw MUD! by Zeinfeld · · Score: 4, Insightful
    Although the "average user" won't be using the various plugins, Microsoft will still point to this as one more reason to say that FireFox isn't secure. Sure, FireFox has it's bugs. We need to get fixing them.

    And the winner of the Slashdot "Who can be the first to blame Microsoft for a bug in FOSS is..."

    The problem is not bugs, the problem is that nobody designed their systems to deal with the real security threats presented in the Internet today.

    The principle cause of Microsoft's security problems today was their addiction to 'featuritis' in the 1990s. If you think that the open source community does not have the same problem you need to take a serious look at some FOSS programs.

    There is nothing that can't be fixed but first people have to realize that FOSS has just as much need to fix them. Everyone in the security community will tell you that making the source code available does not guarantee that your code will be secured. We have enough trouble getting engineers to review their own code.

    We need a new approach to writing secure code. Before that can happen a lot of FOSS people need to loose their complacency. Microsoft is not the enemy here, the criminal gangs are the enemy.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  11. Re:The next messge in the thread is worrisome by arkanes · · Score: 3, Insightful
    Tell you what. You sue the GM developer responsible, and then I'll give a shit about your whining. Security updates that disable insecure functionality are normal and accepted. Furthermore, the manual update process is at least as much an acceptance as an EULA is.

    Gator and Weatherbug are not illegal, sadly - the EULA as justification for inclusion has been upheld. The user is in fact getting a bug fix - the bug that allowed for a major security breach is being removed. You may not like that bug fix, but sucks to be you. GM is not disabled by this update and many scripts will continue to run. Insecure scripts will not.

  12. The Firefox XPI model needs re-evaluation... by argent · · Score: 3, Insightful

    I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.

    I've been arguing that the Firefox XPI model needs to be re-evaluated from a security standpoint for some time now.

    1. Installing XPIs should not be initiated from a web page. They should be downloaded and manually installed, like any other application or application plug-in. This would allow any attacks that involve using the installer for privilege escalation to be eliminated.

    2. Expanded rights should not be granted to any javascript that has not been explicitly installed.

    3. As a corollary to this, any method that leads to an eval should, when run from a script that's part of chrome, unconditionally revoke those rights. A new method that explicitly evals code with greater rights with a name that makes it clear that it's dangerous can be added if it's actually necessary.