Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Greasemonkey Extension Security Problem

Posted by CmdrTaco on from the uninstall-it-now-man dept.

Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"

9 of 443 comments (clear)

  1. Re:First Fucked up Post, Fuckers!! by The+Cornishman · · Score: 0, Troll

    Precious mod points? Make sensible contributions, and you'll get more mod points, though what someone with no clue what to do with an apostrophe will do with mod points I do not know. Troll. And no, today I have no mod points. Goodbye.

  2. Re:The next messge in the thread is worrisome by tomhudson · · Score: 0, Troll
    As I pointed out elsewhere, disabling software on a users' computer without their consent is illegal in many areas.

    http://www.usdoj.gov/criminal/cybercrime/1030NEW.h tm

    5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
    Computers connected to the internet are "protected computers" under the statute. Crippling the software under the guise of an "update" is illegal.
  3. Re:More details on the exploit... by idonthack · · Score: 1, Troll

    And then they'll get hold of the contents of your home directory!
    blah markov_chain other users spiff
    And then your directory!
    .bash_login .bash_logout .gaim .gnucash .kde .kde2 .mozilla bin doc
    What next? Your buddy list from Gaim? Your bank account from GnuCash? Your address book from Thunderbird? What other security holes you have in Firefox, from extensions? Something you wanted to keep secret in your documents?

    Linux is not always safe.
    ---
    A guy walks up to his friend and sees him hitting himself on the head with a hammer. "Why are you doing that!?", he asks. "Because it feels so good when I stop.", was the reply.
    Generated by SlashdotRndSig via GreaseMonkey

    --
    Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
  4. Re:The next messge in the thread is worrisome by tomhudson · · Score: 0, Troll
    No one is forcing you to update. If you see an upgrade is available for Greasemonkey on your Firefox updates list, it's your responsibility to go see what was changed before installing.
    You aren't giving informed consent to the update when its called an "update", and its really designed to toally cripple the software.

    It's about transparency and trust. If you can't see that, they you are just as blind as the developers who pulled this stunt.

    Its also illegal.

  5. Time for a fair fight by ICLKennyG · · Score: 0, Troll

    In what will surely be flamed or moderated down..... Mozilla(Firefox, etc) is reaching the point where competing with Microsoft becomes hard/more fair to microsoft. Their install base has grown past the "anti-microsoft-for-the-sake-of-anti-microsoft" people and now it has become a target that actually is large enough to aim at. Some estimates have Mozilla market share as high as 25%. This means that there are now people actively searching for security holes, as well as problems with updating the install base, for fear of obsoleting plugins and extentions. It will be interesting to see what happens as Mozilla foundation naturally looses momentum as they try to re-wage the browser wars. -- Posted from Mozilla 1.7.8

  6. Re:The next messge in the thread is worrisome by tomhudson · · Score: 0, Troll
    No, its not authorization any more than any of the spyware that gator or weatherbug sticks on your computer is authorization.

    Its misleading the way it was done. The user thinks they're getting an upgrade or bug fix, when in fact they're losing functionality.

    If its wrong for spammers to be dishonest to end users, its also wrong for developers. Good intentions are no excuse.

  7. Re:The next messge in the thread is worrisome by tomhudson · · Score: 0, Troll
    Tell you what. You sue the GM developer responsible, and then I'll give a shit about your whining.
    Sorry, but I'm not a district attorney. It's not up to me to prosecute criminal offenses.
    Security updates that disable insecure functionality are normal and accepted.
    ... only after proper informed consent, not sneaking them in like this:
    I found out that since Greasemonkey is distributed on addons.mozilla.org it will automatically update itself, even though I didn't put that in the code.

    Neat. I'm going to upload the neutered versions at 7pm PST. It'd be great if people could poke it a little before then.

    ... so ..
    Furthermore, the manual update process is at least as much an acceptance as an EULA is.
    Acceptance requires that you have been informed as to what you are accepting. Your argument would allow for all trojans that people click on to be considered "acceptance" - after all, they clicked on "AnnaKorina.jpg.exe" ...

    It is up to the individual, once the software has been installed on their computer, to decide whether they want to disable potentially insecure features. The original author has absolutely zero rights to try to take such an action "under the radar," and the courts have taken this position time and again.

    the people using greasemonkey aren't your average users - they're (hopefully) not complete n00bs. They should be able to decide, on an individual basis, whether the perceived benefits are greater than the potential risks.

  8. Re:The next messge in the thread is worrisome by tomhudson · · Score: 0, Troll
    Ah, don't you just hate ACs who are stupid enough NOT to read the whole thread?

    The person thinks they're getting an update, rather than being informed, as required by LAW, that the "update" decreases functionality.

    If you have an issue with this, take it up with your local congresscritter - but remember, if you allow F/LOSS developers to unilaterally sneak in degredations without informed user consent, then you also have to allow Microsoft the same liberty. Do you REALLY want that legislated into law?

    The current situation, which requires disclosure and informed consent, is the best we've come up with to date.

  9. Re:-- MODS NOTE: Parent is openly trolling. See:-- by tomhudson · · Score: 0, Troll
    ... and if they actually read my JEs they'll find that I was going to do a few Burma Shave "trolls", but never got around to it ...

    Why? Because I can't believe that anyone would be STUPID enough to try to "fix" a potential exploit in such a dumb-as way. And that, when I called "bullshit" on it, I immediately got dumped on by a bunch of syncopating knee-jerk "open source devs can do no wrong" posters who don't want us to operate to the same standards as closed-source devs? Yeah, its a flame war, all right, but its not trolling. Not in the least!

    So look at the facts:

    1. There was a "potential" - exploit. Not one in the wild. Just a possible one, that affects only a small subset of users
    2. To reduce the damage caused by their mistake, the developer unilaterally decides that its better to cripple the software through an "update" rather than give the users the information they need to make an informed decision, and decide for themselves whether they want to continue using the functions in question
    3. The (the developers) post on their list that they're going to intentionally cripple it through the update mechanism, doing an end-run around the whole informed consent issue, and, incidently acting illegally
    So, how the fuck is this trolling? Did you see a single post with a "Burma Shave" jingle in it? No ...

    More Facts:

    1. Fact: The L'Oreal case I cited was profiled on W5 almost 20 years ago. It bankrupted the IT company. Unfortunately, it's a bit before most posters time, but it established in court that developers can't unilaterally "throw the switch".:
    2. Fact: It is YOUR RIGHT to be informed as to what the intent of any update is. Not just "this is an update that closes a potential exploit", but "this is an update that will intentionally fuck up any scripts that depend on this API, so if you need to make calls to gm_API_xxxx, don't patch"
    3. Fact: We would all be bitching if Microsoft pulled something like this. They don't. Every patch contains an explanation to what its INTENDED (as opposed to accidental side-effects) effect is, and includes the possibility to "just say no."
    4. Fact: We're acting like a bunch of hypocrites if we don't hold F/LOSS to the same standards of disclosure.
    So, please tell us, mister A. C., just how the fuck this is a troll?

    As for the mods, I don't mind taking the karma hit for speaking the truth. But if they go back through my JEs, they'll also see that Troll Tuesday has ZERO to do with "trolling" in the way that you seem to think it does, and that it's more about raising the level of debate, specifically, about challenging the conventional, knee-jerk reactions that have turned slashdot into slushpot.