Slashdot Mirror
Firefox Greasemonkey Extension Security Problem
Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"
It's about time people start writing some exploits for firefox!
http://www.dreamsyssoft.com
Quick, lets band together with a magician and a warrior and stomp those bow&arrow shootin mofos before they take over the internet!
Damn Microsoft! No doubt this can be traced to a Bill Gates directed consipracy against rebel browsers.
The only PT Boat Journal on the web: http://www.PT171.org
are going to produce some vulnerabilities along with the gee-whiz plugins of the moment. That's pretty spectacular, though.
Don't disappoint your bird dog. Go to the range.
Just more ammo for the mega-powers to say, "See, when it becomes mainstream, it becomes more insecure. Come back to windows."
Marvelous.
Luke
----
Be smart. Teach others. ChristianNerds.com
"Time to uninstall GM?"
Why not just do what the article says and "Install Greasemonkey 0.3.5"
My lame blog.
The firefox guys should have realized that extensions are a HUGE security threat, possibly even worse than anything that's come out of IE. What they should have done is setup some permissions from the first place, so that you can allow or prevent extensions from performing sensitive operations. Something similar to the Java security model would have been good enough
According to Firefox extensions site, you need to "uninstall or upgrade now." The post is from today.
Falun Dafa is good!
Time to try out Opera's User JavaScript.
Opera Watch - An Opera browser blog.
If you build an engine that allows you to write scripts that modify any page you view, there are obviously serious security flaws.
Allowing scripts to open files and send them elsewhere is especially bad, but there was a huge security concern to me either way. I like the concept of GreaseMonkey, but choose not to install it.
/. ++
Here are some more details from the posting thread, which explains why the exploit is so bad...
This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer.
f ile-leak.html
returns the contents of c:\boot.ini, which exists on most modern
Windows systems.
http://diveintogreasemonkey.org/experiments/local
But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)
In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.
The above information posted originally by Mark Pilgrim
A severe security issue has been discovered in Greasemonkey versions prior to 0.3.5 as well as the early 0.4 alphas which some people may have installed.
Install Greasemonkey 0.3.5 or uninstall Greasemonkey immediately.
More information on Greaseblog.
Greasemonkey is a Firefox extension which lets you to add bits of DHTML ("user scripts") to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page's style, user scripts let you easily control any aspect of a web page's design or interaction.
For example, you could:
Make sure that all URLs displayed in the browser are clickable links Improve the usability of a site you frequent Route around common and annoying website bugs Use the Coral content network selectively.
Getting started:
Install Greasemonkey 0.3.5. Learn how to use Greasemonkey. Find useful scripts.
Greasemonkey was heavily inspired by Adrian Holovaty's site-specific extension for All Music Guide and the conversation which ensued after he published it. There were tons of sites I wanted to create SSE's for, but fully-fledged firefox extensions proved too cumbersome. I wanted it to be as easy to create an SSE as it is to write DHTML.
The current maintainers are Aaron Boodman and Jeremy Dunck with the invaluable help of an awesome community of user script enthusiasts.
For questions or comments about greasemonkey, please send a message to the greasemonkey mailing list. Copyright © 2000-2005. All rights reserved. Terms of Use & Privacy Policy.
Notice hoe they avoid explaining the problem/solution. They just want you to see these new exciting features, and download it now!
Time is comparison of movement to other movement.
We can blame God for all kinds of things like hurricanes and Godzilla but it's a safe bet that we brought THAT scourge upon ourselves.
EvilCON - Made Famous by
The flaw applies to Greasemonkey on all platforms.
"No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
Although the "average user" won't be using the various plugins, Microsoft will still point to this as one more reason to say that FireFox isn't secure. Sure, FireFox has it's bugs. We need to get fixing them.
I'm not saying that FireFox is perfect. Obviously, it's not, and this article is a case in point. It's still the browser I use. For me, this is a warning to fix things or wait for them to stable up (oh yeah -- that mindset shown, I am a Debian user). But just like we use any little IE thing to say "See, IE is junk," this'll get used too.
*sigh* The joys of conflict.
Luke
----
Smarten up your stupider-than-you coworkers, send them to ChristianNerds.com
Personally, someone could read my entire hard drive and it wouldn't bother me much. I don't keep sensitive information on my computer, because any computer connected to the internet should be considered insecure.
Nice try Bill, we know it's you.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Would anyone have that info to post?? Thanx
Wait, What?
Firefox burns greasemonkey cuz it's made of fat But Seamonkey beats firefox because it extinguishes the fire. Then Greasemonkey beats seamonkey because it can float in water AND walk on land. my 2.56 cents
\u262D = \u5350
Oh, wait I don't browse as root already!
Guess it can't access "all" the files on my system then, can it?
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
I use Greasemonkey in conjunction with NoScript - an extension which prevents any site from using Javascript unless it is added to the whitelist maintained in the extension.
To run a Greasemonkey script on a page you have to allow that domain or subdomain in NoScript. This prevents Greasemonkey being used on a rogue page as I wouldn't use a script on an uber-dodgy site anyway!.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
(MAN) Sirs, I am in dire need of a web-browser! The one thus furnished to me by Mr. Gates of Redmond is rickety and unsafe, and prone to inviting the most deadly of spy-ware into my parlor!
(MOZILLA SOCIETY REPRESENTATIVE) Why, good sir, we shall help you forthwith! We have exactly the web-browser that you need! It has been engineered to the most careful of specifications, and its security is without compare!
(MAN) Why then I shall have one immediately!
(LATER)
(RANDOM STREET URCHIN) Sir, I see that you have this day procured a web-browser, which I see under your arm. May I convince you to also take this complex contraption of my own invention, which will attach to your web-browser as a "plug in"?
(MAN) What, what? An inscrutable device of unclear ultimate function furnished by a stranger of whom I know nothing? Yes, yes, why not. Now run along, lad.
(LATER THAT NIGHT, THE CONTRAPTION PROVIDED BY THE STREET URCHIN EXPLODES, SETTING THE WEB BROWSER AFLAME.)
(MAN) What's this? Oh, mama! The web-browser I have this very day recieved from the Mozilla Society has immolated, consuming my drapes and lighting my house aflame. They told me it was secure! Lies! Betrayal! Those Mozilla Society rapscallions! I'll give them what for!
Calm down? What that means is people will be alerted by the Mozilla update feature that an update is available. They can still not update. But this is a GOOD THING since not everyone who uses GM reads slashdot or the GM web site!
You're correct. It was discovered by a white hat.
You know, there are also other OSes than windows...
It should be up to the individuals to decide if they want to make such significant mods to their system as purposefully crippling software.
You mean like in Firefox, where when updates are available all the auto-update feature does is display a little "updates available" icon in a browser window, then offer to install the updates when you click the icon?
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
"It's not a bug it's a feature" are quite likely words never actually spoken by any representive of Microsoft.
However there is a reason for this attatude.
Bug that makes it possable to run code on remote users box:
Users say "Oh no bug bug. Get rid of it"
Develupers say "Ohh feature feature keep it, expand it"
Security experts say "Bug"
If the develupers provide a strong enough argument the "bug" is classified as a feature and remains.
I don't actually exist.
StudyING it (it takes time) and they HAVE found it is not secure, just like the millions of eyes are supposed to do.
One of them is bound to notice, eh?
So it works! Sweet!
Sam
blog.sam.liddicott.com
No matter how secure the core Firefox code is, it is all meaningless with the current extensions model. With the current model (or lack of one) a malicious (or plain buggy) extension can turn Firefox into a bigger threat than IE.
From my understanding, Firefox extensions aren't restricted from doing I/O or listening on sockets/etc. What's to prevent somebody from writing a seemingly harmless extension which silently dumps all activity logs or other information to an outside listener?
A Java type sandbox model, while a reasonable analogy would IMHO be overly restrictive for extensions, which need to be more closely tied into Firefox than most Java applets need to be to do all the cool things that they currently do (eg: the Tabbrowser Extension) .
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest.
Only if the browser has all the rights, which is a very dumb thing to do no matter the platform.
On my main Un*x box, Firefox was installed in a normal user account (using the
I'm pretty sure that Firefox/GM installed in a non-privileged user account under Win2000/XP doesn't allow to access any file from the hard disk either.
I'm not trying to defend poor coding/security practice made by people who certainly should know better, but it's simply misinformation to say that access to the files accessible from a user account is equivalent to "all the files on the harddisk".
In 1986 I wrote a Commodore 64 terminal program that allowed BBS' to download and run bits of assembly code onto the user's machine in order to enhance the user's experience. It took about 48 hours before someon posted a message that executed a jump to address 64738 -- system reset.
Bad idea then. Worse idea now, no matter how much supposed security you surround it with.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I admit that I haven't yet tried out GreaseMonkey, but when I look at the exploit code it raises one really big question. Why isn't there some way to prevent non-user script from accessing the GreaseMonkey objects? Wouldn't this allow the user to retain all the ability they have now while rendering scripts from malicious sites harmless? Seeing as how GM is meant to be a means for the user to use scripts to modify pages, it seems very odd that anything outside of user script would be able to access its functionality.
I realize it's likely due to the nature of Firefox's JS interpreter, but if this sort of separation isn't viable could someone enlighten me as to why?
In the future, all spacecraft will be made of cheese.
Why would you say that a sandbox model is overly restrictive? The Java sandbox model has many routes out; it means that you can specify what permissions an application has, not forbid all of them. The Java model comes with nearly all permissions set to "no", but they can be opened.
That said, I haven't seen a really good way to manage permissions. It's just not practical for an applet to say, "In order to run this, you need these 47 permissions" and expect you to fix that. With cleverness the modeler could create roles with aggregates of permissions, so that you can say, "This app needs access to your browser UI" (like Tabbrowser).
Still, that's asking the user to make a lot of security judgments based on trust. Some extensions/applets/ActiveX should be allowed to modify your hard disk; most shouldn't. How can the user tell?
It's a hard problem, one that I don't have a good answer to. I know Microsoft's solution (based purely on a yes/no trust decision) sucks. But I'd say the problem isn't the over-restrictiveness of the sandbox, but the difficulty of asking the user to manage his/her sandbox well.
Its not a hole in Firefox....
You choose whether or not to install a plugin.
Firefox, without any extensions, is probably hundreds of times safer then IE. Comparing Firefox with a bad plugin installed to IE, which is full of holes out of the box, is like comparing a Ferrari with a flat tire to a old junker and saying the junker is better.
IE's vulerabilites are admittedly in the same area. It is not that IE installs bad code, it is that it allows bad code to be installed. I don't see the difference. I am not defending IE at all, but Firefox is starting to quack like a duck too, it seems to me.
Perhaps there is some credibility to the arguement that once usage of a software package becomes widespread enough, there will be people who find ways to use it to their (malicious) advantage, regardless of the built in security features.
While some kind of "security" layer sounds nice, I'd like to know what you suggest, specifically. A popup box saying "this site is requesting permission to read file X"? User clicks ok, every time, and they quit looking at it after a while. Then you wrote this:
There's really no way an extension to a Firefox app could get the penetration that IE had. Maybe AdBlock could get to 95% of the Firefox base, so if Firefox had 95% of the market, it could have the kind of numbers IE had in its heyday. Those are a couple of really big ifs, so I don't think your "worse than anything that's come out of IE" is at all justified. I'm not trying to hide behind obscurity, but just saying that your hyperbole is misplaced.
How many IE users have been hit by spyware? 40%, 50%, something like that? Come on.
sigs, as if you care.
---
Light is filtering down from above. Would you like to use DIVE?
Generated by SlashdotRndSig via GreaseMonkey
Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
Internet Explorer is way more secure and reliable. I went to a porno site yesterday and a pop-up asked me if I'd like to learn how to increase my penis size! How'd they know?!!! They must be reading my mind!
The next day, IE automatically took me to that site when I opened it up! In fact this page showed me a list of other sites I might like to visit like explicit hentai, rape videos, and scat! It was as if me and my browser mind-melded!
I like that when I was asked to pay for the penis-enhancing pills that I was redirected to site 135.34.65.256 instead of having enlargeyourlittlemember.com in my history list (wanna surprise the wife..)
It's been three months and I haven't got my pills yet. I think the postman is swiping them. (always wondered how he could steer his mail jeep and hand out mail at the same time.)
Where was I? Oh yeah, Firefox is a more secure browser, just don't use monkey grease.
Gator and Weatherbug are not illegal, sadly - the EULA as justification for inclusion has been upheld. The user is in fact getting a bug fix - the bug that allowed for a major security breach is being removed. You may not like that bug fix, but sucks to be you. GM is not disabled by this update and many scripts will continue to run. Insecure scripts will not.
Huh?
Calling it an update, when in actual fact its not
I assure you, every user in the world who is not insane considers "removes a vulnerability that potentially allows any website to read your hard drive" an "update".
I also assure you that if you want to engender trust among your users, removing as immediately as possible bits that would allow any website to read your hard drive is the way to do it.
If upgrades that incidentally break features are illegal, then every single software company in the world would be in jail by now. The legal reference you are vomiting all over this comment tree has nothing whatsoever to do with what WebMonkey did today, it concerns something different.
If you're so incredibly upset that a point release of a minor third-party extension for a minority web browser broke something minor in the process of fixing a truly huge and dangerous broken aspect of the previous point release, then the thing to do would be re-install the previous point release, not come make 30 posts whining about it on slashdot.
the update mechanism is different under linux
I have not used the firefox extention functionality under linux, but the documentation indicates you are flat out wrong here.
In any case, if you wish to turn off the automatic update notify feature for extensions, instructions on how to do so can be found here.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
I'm gonna get troll rated for this, but whatever.
So basically... Mozilla is just as much of an insecure platform as IE, because they allow plug-ins.
Yeah, yeah.. It's Greasemonkey... it's some stupid add-in piece that you have to explicitly install.
But that's also the way most spyware get's on IE. People get prompted "Please download and install this, and make sure you say 'Yes' when prompted is that ok?"
and people do it...
why? Because they are promised free porn, free poker, free music, or a free trip to Nigeria to collect their $10 million.
Welcome to the real world!
It's not that minimal, really. And if you stick to extensions from mozdev.org then there's an auditing body for you, as well. Most of the useful extensions are high profile, anyway, and so they are screened by more people, because you only really need a few to actually make Firefox significantly slicker (Adblock, Bugmenot, Web developer, some kind of Tab extension)
im in ur
Moderators please be aware. If you look at The parent poster's slashdot journal you will find that in the last two entries he (1) announces a "troll tuesday" dedicated to posting trolls and (2) directly links his post here today, with the header "flamewar!".
It seems fairly clear, based on his journal entries in which he expresses an intent to troll and then links this post; and the nonsensical and extreme viewpoint expressed in the parent post, and the bait-and-switch method by which he argues one thing in the top-level post then switches to something entirely different in the replies; that "tomhudson" is purposefully trolling, then using his journal to show off his post to the troll community to gather support and possibly upmods.
Please react accordingly.
This is one of the reasons that I avoid FF. It's pretty minimal out of the box.
Pretty minimal? WTF are you smoking? Firefox does everything for me right out of the box that I could ever ask it to do. I have installed it (total time including download less then a minute in most costs) on machines all over the place in lieu of using IE. I never have to download any extensions or plugins for it.
In fact the only plugin that I have installed on FF at home is Macromedia Flash. Other then that it comes with everything I need.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Mozilla is just as much of an insecure platform as IE, because they allow plug-ins.
Not quite.
The big problem with IE is not just that it has a plug-in mechanism, but it has a plug-in mechanism that's based on the HTML control (the actual browser component) assigning the right to install plugins to an object (the web page) based on an ad-hoc security model that's based on the location the object is believed to originate. Certificates, security dialogs, and so on... these are layered on top of this, but basically the HTML control is responsible for figuring out if a "dangerous" action should be allowed with no more than hints from the calling applications, and a jargon-filled dialog box that the user has to decide on RIGHT AWAY.
I get calls from my users all the time that are variants on "this dialog box came up and I hit 'yes' without thinking".
So... the control is pervasive, it's used by lots of applications, the API can't be significantly changed without creating a mass upgrade day for every app that uses it, responsibility is placed in the wrong place, and the user interaction encourages mistakes.
Firefox's extension mechanism has a similar problem with its installer, but:
The extension installation mechanism is part of Firefox, not the Gecko HTML display object, so applications using gecko aren't automatically exposed as well.
The Firefox extension API does not depend on the installer's behaviour, it's possible for Firefox to switch to a more secure download-and-install design without breaking any applications.
The user interaction requires three separate steps, and there's no path through those steps that simply answering "yes" by reflex will result in the extension being installed.
In addition, in Windows, there have been a number of attacks that involved tricking the HTML control into thinking that a remotely downloaded object was local... or even already installed. This approach is not possible in Firefox because instead of allowing plugins to run from anywhere except the places it thinks are dangerous, it doesn't allow plugins to run from anywhere except a specific directory that's got a randomly generated name in its path so it can't be targeted by a download.
I would still recommend using a shell other than Firefox around a Gecko- or KHTML- based browser. I use Camino (Gecko) and Safari (KHTML) on Mac OS X, but I'm sure there are equivalents to these for Windows. But regardless, the exposure from using Firefox is so far less than using IE that if Firefox and IE are your only choices... use Firefox.
I do not recommend using the Netscape browser, because of the way it allows the use of either Gecko or the Microsoft HTML control.
I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.
.mozilla (Linux) My Documents (Windows)
/home/$USER on my machine is (700 or rwx------) which prevents /home/$USER/.mozilla/firefox/* from being displayed (and just to be safe all things ~/.mozilla/* should be 700)
/etc folder (Linux's folder for configuration) because a lot of it is owned by root with 700 or 770 permissions. So that leaves for the most part things that a hacker could have already found out if they had just used nmap on my system. Same goes for Windows.
Because someone has discovered this problem, one can now fix the problem. That is the whole idea of Open Source and all that rot. If anyone would love to submit a patch for Windows 95 to make it run longer than 52.5 days, I'm waiting. It's a known problem, why isn't it fixed? Well because someone, somewhere said they weren't going to fix Windows 95 because it's too old. Which this is the case a lot in closed source. you know there is a bug and you'd like something to be done about it, but nothing will be done unless MS sees that a patch for the software is a cost justified.
Also aside from the fact that this is an extension of Firefox, I know it's just as bad as if the package was faulty. Up till today I had never heard of this extension. So I'm not sure as to how widespread this problem is, but I'm guessing that good chunck of all Firefox users do not have GM.
To top it all off, the writers of GM have issued a fix for their extension by means of version 3.5. Yes I know it breaks API compatibilty, which sounds like something MS would do, but just like what the Mozilla team did with IDN, they turned IDNs off until they could make a good way of handling them. Which the Mozilla team came up with a fix in a fairly decent amount of time. I find it highly possible that this peice of software will do likewise. As opposed to MS breaking things with SP2 and then telling all of the vendors to just get over it, (which I will agree that only a small amount, twenty or so, of vendors got 'left behind', so not horrible, just bad.)
Now secondly, from the story, GM only returns results of files that are world readable (aka the Everyone group if you are a Windows person). Now, I'm not sure how everyone has their system setup so this could all vary from one person to another.
In Linux my home directory (the one with all my private stuff) is only owner read, write, traversable (700 or rwx------).
If I remember correctly, in Windows the C: (root) drive's premissions for the Everyone group is.
-Traverse/Execute
-List Folder/Read
-Read Attributes
-Read Permissions
(I may have missed a few because I don't have a Windows machine handy)
At no part is write premission granted to Everyone.
Therefore, your OS is mostly secure to protect you from getting some form of malware on your system.
However, this does allow someone to read data from your system if, and this is the big if, you set your private stuff as world readable (aka readable by the Everyone group.)
Which as far as I know all of your cookies and history is stored somewhere in
Which as stated previously
Now if I correctly remember for Windows, My Documents, does not even have an entry for the Everyone group to do jack crap with. I know, gasp , Windows Permissions actually working for the user?!
So this leaves the would be hacker mostly your system configuration (and not even the good parts) left open to be read. I know they can't read a bunch of my
I mean really, what good does it do one to only be able to read the boot.ini file??? "Ok, now I know you have two installs of Windows, or you use the Windows bootloader to load Linux for you (or what not.)" It's not like they can change it, only read it.
This problem isn't a very high security threat if you have some wits about you, but it is a problem indeed and it needs to be fixed. However, this problem is being hyped up as if this was allowing world write access to your system, which is just not the case.
I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.
I've been arguing that the Firefox XPI model needs to be re-evaluated from a security standpoint for some time now.
1. Installing XPIs should not be initiated from a web page. They should be downloaded and manually installed, like any other application or application plug-in. This would allow any attacks that involve using the installer for privilege escalation to be eliminated.
2. Expanded rights should not be granted to any javascript that has not been explicitly installed.
3. As a corollary to this, any method that leads to an eval should, when run from a script that's part of chrome, unconditionally revoke those rights. A new method that explicitly evals code with greater rights with a name that makes it clear that it's dangerous can be added if it's actually necessary.
I find it interesting that every application has to wrestle with these problems time and time again, instead of them being solved by the operating system. The reason for all this trouble is that the Access Control List security model is inherently flawed.
Using ACLs makes us adjust permissions per user basis, while it is not the user who does (good or evil) things with the computer but the processes running on behalf of the user. Thus an application can (be tricked to) do malicious things with the user's full permissions - as if the user himself was actively and knowingly destroying his data, sending it over to an eavesdropper, etc. A correct approach would be to grant permissions to do a certain operation on a certain resource per process basis. This is what the capability based security is all about. (If I am mistaken, I hope someone more enlightened in CAP theory will correct me).
I am amazed that none of the popular operating systems implement capability based security models, since they would eliminate Confused Deputy Problems like this.
Some random links relating to Capability based security: