Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Greasemonkey Extension Security Problem

Posted by CmdrTaco on from the uninstall-it-now-man dept.

Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"

49 of 443 comments (clear)

  1. It's about time by rockytriton · · Score: 4, Funny

    It's about time people start writing some exploits for firefox!

    http://www.dreamsyssoft.com

    1. Re:It's about time by Mantus · · Score: 4, Insightful

      I'm not sure why this post got modded as flamebait, It's somthing that will happen. As FF gets more popular more holes will be found, some won't get reported right away. MS aren't the only people that don't write 100% secure code.

    2. Re:It's about time by ad0gg · · Score: 4, Informative
      Umm IIS6 has less exploits and no unpatched vunerabilities compared to Apache 2.0.x which still has unpatched vunerabilities.

      IIS 6 Exploits
      Apache 2.0x.

      Please do some basic research before making comments on security.

      --

      Have you ever been to a turkish prison?

    3. Re:It's about time by jerw134 · · Score: 4, Informative

      Surprisingly enough, IIS5, still in wide use, has unpatched vulnerabilities.

      OK, stop with the pure FUD. Using the Secunia link you provided, it shows that IIS5 has one unpatched vulnerability, which is rated Not Critical, which is the lowest rating possible. Not only are the unpatched flaws in Apache more serious, there are also more of them! Please, stop with the BS.

  2. gauntlet by Anonymous Coward · · Score: 4, Funny
    Rogue pages???

    Quick, lets band together with a magician and a warrior and stomp those bow&arrow shootin mofos before they take over the internet!

    1. Re:gauntlet by adrianbaugh · · Score: 4, Funny

      You have been killed by a Firefox on Level 8 with 5439 Gold. RIP.

      --
      "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
      - JRR Tolkien.
    2. Re:gauntlet by wuie · · Score: 5, Funny

      Yellow wizard needs patch badly.

    3. Re:gauntlet by TheScottishGuy · · Score: 5, Funny

      Blue browser is about to die.

  3. More Ammo by GuitarNeophyte · · Score: 5, Insightful

    Just more ammo for the mega-powers to say, "See, when it becomes mainstream, it becomes more insecure. Come back to windows."

    Marvelous.

    Luke
    ----
    Be smart. Teach others. ChristianNerds.com

    1. Re:More Ammo by ssj_195 · · Score: 4, Insightful

      If they do (as they doubtless will), you can simply say that this is an optional extension used by a minority of Firefox users (and since not even Firefox is fully "mainstream", this puts it about as far from the mainstream as you can get :P), and there are currently no exploits in the wild. You can also add that it was found by a white-hat, and so is a validation of the "many-eyes" theory, if you want. Spin works both ways ;)

    2. Re:More Ammo by FidelCatsro · · Score: 5, Funny

      They can say "Come back to windows , no need for third party extensions for these types of flaws .They are built into MSIE/windows , It just works"

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    3. Re:More Ammo by arrow · · Score: 4, Insightful

      The diffrence is your spin will never be heard by the media.

      --
      symetrix. We are building a religion, a limited edition.
    4. Re:More Ammo by Phisbut · · Score: 4, Insightful
      I'd hardly call Greasemonkey "mainstream" :o)

      Plus, the solution "uninstall it until we fix it" is pretty decent when it comes to security. Think we'll ever hear "Uninstall IE until we fix it" anytime soon? :o)

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
  4. Why Uninstall? by SenFo · · Score: 5, Informative

    "Time to uninstall GM?"

    Why not just do what the article says and "Install Greasemonkey 0.3.5"

    --
    My lame blog.
    1. Re:Why Uninstall? by DrEldarion · · Score: 4, Insightful

      See, you're making the (frequently-made) mistake of assuming that people actually read anything but the headline of the articles they're referencing.

    2. Re:Why Uninstall? by phasm42 · · Score: 4, Informative
      Because:
      Greasemonkey 0.3.5 is a "neutered" version of Greasemonkey, lacking any of the GM* APIs which make Greasemonkey scripts more powerful than regular HTML. This means that scripts which depend on GM* APIs will fail with Greasemonkey 0.3.5.
      --
      "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
    3. Re:Why Uninstall? by CdBee · · Score: 3, Interesting

      Just install NoScript and you're sorted. It will stop any script - Greasemonkey or otherwise - running on any site except those you whitelist. I'm sure most of us only use scripts on sites we trust anyway

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    4. Re:Why Uninstall? by jdavidb · · Score: 4, Interesting

      I thought that GM was a way for me, the web user, to impose some scripted changes onto pages. I didn't realize it was used by site-designers to do anything HTML (+JavaScript, etc.) didn't allow.

      I don't want to give site-designers any more power, so if that's prevented by neutering GM, I'm fine with that.

      --
      Secession is the right of all sentient beings.
    5. Re:Why Uninstall? by Anonymous Coward · · Score: 3, Informative

      The idea is that the scripts which you let loose on the page can use the GM API to do things which are beyond (unsigned) web scripting, like reading a preferences file. These capabilities are only meant to be used by GM scripts. The problem is that scripts don't work on the page "from the outside". They are injected into the page. The GM API can't properly tell a webscript from a GM script. Consequently webauthors can access the GM API from scripts which come with the webpage. It's cross site scripting, so to speak, where one site is the webpage and the other is the (indistinguishable) GM context.

    6. Re:Why Uninstall? by sketerpot · · Score: 3, Informative

      This isn't a big deal. It means you lose: 1. Logging of GM script debug messages. Inconvenient if you're a script author, but not for anyone else. 2. Script-specific configuration values. I don't think these are commonly used, but they could be nice to have. Oh well, chances are your scripts will keep working. 3. Adding commands to the Tools->User Script Commands submenu. If, like me, you didn't know this submenu even existed, no loss. 4. Fancy GM_XmlHttpRequest. This is just like XmlHttpRequest but without domain restrictions. This may cause a few extensions to stop working (not many, but a few), but it also closes the security hole.

  5. What should be done. by sykjoke · · Score: 4, Insightful

    The firefox guys should have realized that extensions are a HUGE security threat, possibly even worse than anything that's come out of IE. What they should have done is setup some permissions from the first place, so that you can allow or prevent extensions from performing sensitive operations. Something similar to the Java security model would have been good enough

    1. Re:What should be done. by cybersaga · · Score: 3, Insightful

      This is why Firefox makes you whitelist a site before downloading an extension.

      Forcing you to intentionally accept extensions is not a big security threat at all.

      This is just a bug. Bugs happen. It's been fixed already.

      --
      Web Design Tips
    2. Re:What should be done. by Buzz_Litebeer · · Score: 3, Insightful

      That is incredibly uninformed. IE can run Browser Helper Objects, and they can (many times) be installed completely silently. A cleverly written BHO can steal all information you are entering into your computer, even if it is unrelated to actual browsing, depending how clever the person is in writing it. They are a pain to uninstall as well. Extensions for firefox are uninstallible from a menu, and they are whitelisted before they ever get to you, so that you can avoid some of the fly by installs that BHOS enjoy.

      --
      If you don't vote, you don't matter, so don't waste your time telling me your opinion
    3. Re:What should be done. by westlake · · Score: 3, Informative
      Browser Helper Objects...can be installed completely silently...They are a pain to uninstall as well

      Microsoft's Anti-Spyware monitors the installation of BHOs. BHOs can easily be blocked or removed: MS Antispyware > Advanced Tools > System Explorers > Internet Explorer > IE BHOs.

    4. Re:What should be done. by telecsan · · Score: 5, Insightful

      Even after you've installed an extension, you shouldn't be forced (by Firefox) to accept any and all behaviour it tries to produce. I should be able to install a toolbar and prevent it from calling home, for example. You should be able to set the permissions or at least the 'run-as' of the toolbar separately from the permissions of Firefox. Surely the security-conscious /. community should realize that.

  6. What did they expect? by Nytewynd · · Score: 4, Interesting

    If you build an engine that allows you to write scripts that modify any page you view, there are obviously serious security flaws.

    Allowing scripts to open files and send them elsewhere is especially bad, but there was a huge security concern to me either way. I like the concept of GreaseMonkey, but choose not to install it.

    --
    /. ++
  7. More details on the exploit... by octaene · · Score: 5, Interesting

    Here are some more details from the posting thread, which explains why the exploit is so bad...

    This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer.

    http://diveintogreasemonkey.org/experiments/localf ile-leak.html returns the contents of c:\boot.ini, which exists on most modern Windows systems.

    But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)

    In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.

    The above information posted originally by Mark Pilgrim

    1. Re:More details on the exploit... by DavidTC · · Score: 3, Informative
      People who don't understand this security flaw need to SHUT THE FUCK UP.

      Greasemonkey 'adds' stuff to Javascript. Any page on the internet can use these additions.

      If you have Greasemonkey installed, and Javascript enabled (Greasemonkey is rather pointless without Javascript anyway.), you are at risk.

      You can't 'be safe' by only doing certain things, because the flaw is that any page on the internet can call Greasemonkey functions. (Any page that can use Javascript, at least.) It has nothing to do with you.

      It is possible to use Greasemonkey with the NoScript extension to disable Javascript globally and then re-enable it only on a few trusted sites...but no one uses Greasemonkey on 'trusted' sites, we use(d) it to hack up stupid-ass pages that had eight square inch of content per page with the rest ads and fancy graphics.

      If you absolutely require Greasemonkey to make some internal site work, and are willing to disable Javascript on the entire rest of the internet, NoScript might be worth a try. Otherwise, get rid of Greasemonkey, NOW.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  8. Here's TFA by RamboIII · · Score: 3, Informative
    Important Announcement

    A severe security issue has been discovered in Greasemonkey versions prior to 0.3.5 as well as the early 0.4 alphas which some people may have installed.

    Install Greasemonkey 0.3.5 or uninstall Greasemonkey immediately.

    More information on Greaseblog.

    Greasemonkey is a Firefox extension which lets you to add bits of DHTML ("user scripts") to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page's style, user scripts let you easily control any aspect of a web page's design or interaction.

    For example, you could:
    Make sure that all URLs displayed in the browser are clickable links Improve the usability of a site you frequent Route around common and annoying website bugs Use the Coral content network selectively.

    Getting started:
    Install Greasemonkey 0.3.5. Learn how to use Greasemonkey. Find useful scripts.

    Greasemonkey was heavily inspired by Adrian Holovaty's site-specific extension for All Music Guide and the conversation which ensued after he published it. There were tons of sites I wanted to create SSE's for, but fully-fledged firefox extensions proved too cumbersome. I wanted it to be as easy to create an SSE as it is to write DHTML.

    The current maintainers are Aaron Boodman and Jeremy Dunck with the invaluable help of an awesome community of user script enthusiasts.

    For questions or comments about greasemonkey, please send a message to the greasemonkey mailing list. Copyright © 2000-2005. All rights reserved. Terms of Use & Privacy Policy.

    Notice hoe they avoid explaining the problem/solution. They just want you to see these new exciting features, and download it now!

    --
    Time is comparison of movement to other movement.
  9. Our Fault by Comatose51 · · Score: 4, Funny
    This is why God invented the tag.

    We can blame God for all kinds of things like hurricanes and Godzilla but it's a safe bet that we brought THAT scourge upon ourselves.

    --
    EvilCON - Made Famous by /.
  10. Re:Windows Feature? by phasm42 · · Score: 3, Informative

    The flaw applies to Greasemonkey on all platforms.

    --
    "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
  11. Re:Is that really a problem? by grasshoppa · · Score: 3, Funny

    Personally, someone could read my entire hard drive and it wouldn't bother me much. I don't keep sensitive information on my computer, because any computer connected to the internet should be considered insecure.

    Nice try Bill, we know it's you.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  12. Rock paper cissors by Arthur+B. · · Score: 3, Funny

    Firefox burns greasemonkey cuz it's made of fat But Seamonkey beats firefox because it extinguishes the fire. Then Greasemonkey beats seamonkey because it can float in water AND walk on land. my 2.56 cents

    --
    \u262D = \u5350
  13. Possible solution - NoScript extension is great ! by CdBee · · Score: 5, Interesting

    I use Greasemonkey in conjunction with NoScript - an extension which prevents any site from using Javascript unless it is added to the whitelist maintained in the extension.

    To run a Greasemonkey script on a page you have to allow that domain or subdomain in NoScript. This prevents Greasemonkey being used on a rogue page as I wouldn't use a script on an uber-dodgy site anyway!.

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  14. A HELPFUL TRANSACTION. by Anonymous Coward · · Score: 5, Insightful

    (MAN) Sirs, I am in dire need of a web-browser! The one thus furnished to me by Mr. Gates of Redmond is rickety and unsafe, and prone to inviting the most deadly of spy-ware into my parlor!
    (MOZILLA SOCIETY REPRESENTATIVE) Why, good sir, we shall help you forthwith! We have exactly the web-browser that you need! It has been engineered to the most careful of specifications, and its security is without compare!
    (MAN) Why then I shall have one immediately!

    (LATER)

    (RANDOM STREET URCHIN) Sir, I see that you have this day procured a web-browser, which I see under your arm. May I convince you to also take this complex contraption of my own invention, which will attach to your web-browser as a "plug in"?
    (MAN) What, what? An inscrutable device of unclear ultimate function furnished by a stranger of whom I know nothing? Yes, yes, why not. Now run along, lad.

    (LATER THAT NIGHT, THE CONTRAPTION PROVIDED BY THE STREET URCHIN EXPLODES, SETTING THE WEB BROWSER AFLAME.)

    (MAN) What's this? Oh, mama! The web-browser I have this very day recieved from the Mozilla Society has immolated, consuming my drapes and lighting my house aflame. They told me it was secure! Lies! Betrayal! Those Mozilla Society rapscallions! I'll give them what for!

  15. Re:GreaseMonkey Problem by wheany · · Score: 4, Funny

    Okay, how's this: Since Microsoft Internet Explorer has a dominant market share, people make pages that work on IE. Some of the pages do not work on Firefox since they use some functionality found only in IE. Greasemonkey can be used to alter some of those pages so that they work on Firefox again.

    It's Microsoft's fault that people have to install insecure extensions to make web work like it should have worked in the first place.

  16. Re:But, but, but by Koiu+Lpoi · · Score: 4, Informative

    You're correct. It was discovered by a white hat.

  17. Um, you don't actually use Firefox do you? by mcc · · Score: 3, Informative

    It should be up to the individuals to decide if they want to make such significant mods to their system as purposefully crippling software.

    You mean like in Firefox, where when updates are available all the auto-update feature does is display a little "updates available" icon in a browser window, then offer to install the updates when you click the icon?

    --
    Irritable, left-wing and possibly humorous bumper stickers and t-shirts
  18. ING by samjam · · Score: 3, Insightful

    StudyING it (it takes time) and they HAVE found it is not secure, just like the millions of eyes are supposed to do.

    One of them is bound to notice, eh?

    So it works! Sweet!

    Sam

    --
    blog.sam.liddicott.com
  19. Re:Uninstall / Remove by AnObfuscator · · Score: 3, Informative

    Go to "tools", go to "Extensions", click on the greasmonkey extension and click "uninstall" or "update".

    --
    multifariam.net -- yet another nerd blog
  20. 1986 by Spazmania · · Score: 4, Informative

    In 1986 I wrote a Commodore 64 terminal program that allowed BBS' to download and run bits of assembly code onto the user's machine in order to enhance the user's experience. It took about 48 hours before someon posted a message that executed a jump to address 64738 -- system reset.

    Bad idea then. Worse idea now, no matter how much supposed security you surround it with.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  21. Maybe I'm clueless, but... by ded_guy · · Score: 4, Insightful

    I admit that I haven't yet tried out GreaseMonkey, but when I look at the exploit code it raises one really big question. Why isn't there some way to prevent non-user script from accessing the GreaseMonkey objects? Wouldn't this allow the user to retain all the ability they have now while rendering scripts from malicious sites harmless? Seeing as how GM is meant to be a means for the user to use scripts to modify pages, it seems very odd that anything outside of user script would be able to access its functionality.

    I realize it's likely due to the nature of Firefox's JS interpreter, but if this sort of separation isn't viable could someone enlighten me as to why?

    --
    In the future, all spacecraft will be made of cheese.
    1. Re:Maybe I'm clueless, but... by Rits · · Score: 4, Interesting

      Greasemonkey inserts the script directly in the pages, so the GM scripts have the same security context as the page itself. Or so I've understood, correct me if I'm wrong.

      In the really integrated solution like Opera has (as opposed to an extension like GM is), userscripts have their own security context. The really powerful functions in Opera's userscript are not available to the page author. All functions in GM, including the most powerful, are available to the page author, and Mark Pilgrim just found out this includes unlimited read access to your local file system.

      The GM developers are aware that this is a problem, but haven't developed a better way yet to inject the scripts in the page. So the newly secure release 0.3.5 removes the most powerful functions.

      --
      If you don't like having choices made for you, you should start making your own. - Neal Stephenson
  22. Playing in the sandbox by jfengel · · Score: 4, Insightful

    Why would you say that a sandbox model is overly restrictive? The Java sandbox model has many routes out; it means that you can specify what permissions an application has, not forbid all of them. The Java model comes with nearly all permissions set to "no", but they can be opened.

    That said, I haven't seen a really good way to manage permissions. It's just not practical for an applet to say, "In order to run this, you need these 47 permissions" and expect you to fix that. With cleverness the modeler could create roles with aggregates of permissions, so that you can say, "This app needs access to your browser UI" (like Tabbrowser).

    Still, that's asking the user to make a lot of security judgments based on trust. Some extensions/applets/ActiveX should be allowed to modify your hard disk; most shouldn't. How can the user tell?

    It's a hard problem, one that I don't have a good answer to. I know Microsoft's solution (based purely on a yes/no trust decision) sucks. But I'd say the problem isn't the over-restrictiveness of the sandbox, but the difficulty of asking the user to manage his/her sandbox well.

  23. Re:Isn't it the same? by Blitzenn · · Score: 4, Insightful

    IE's vulerabilites are admittedly in the same area. It is not that IE installs bad code, it is that it allows bad code to be installed. I don't see the difference. I am not defending IE at all, but Firefox is starting to quack like a duck too, it seems to me.

    Perhaps there is some credibility to the arguement that once usage of a software package becomes widespread enough, there will be people who find ways to use it to their (malicious) advantage, regardless of the built in security features.

  24. Re:Let's Throw MUD! by Zeinfeld · · Score: 4, Insightful
    Although the "average user" won't be using the various plugins, Microsoft will still point to this as one more reason to say that FireFox isn't secure. Sure, FireFox has it's bugs. We need to get fixing them.

    And the winner of the Slashdot "Who can be the first to blame Microsoft for a bug in FOSS is..."

    The problem is not bugs, the problem is that nobody designed their systems to deal with the real security threats presented in the Internet today.

    The principle cause of Microsoft's security problems today was their addiction to 'featuritis' in the 1990s. If you think that the open source community does not have the same problem you need to take a serious look at some FOSS programs.

    There is nothing that can't be fixed but first people have to realize that FOSS has just as much need to fix them. Everyone in the security community will tell you that making the source code available does not guarantee that your code will be secured. We have enough trouble getting engineers to review their own code.

    We need a new approach to writing secure code. Before that can happen a lot of FOSS people need to loose their complacency. Microsoft is not the enemy here, the criminal gangs are the enemy.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  25. Re:The next messge in the thread is worrisome by arkanes · · Score: 3, Insightful
    Tell you what. You sue the GM developer responsible, and then I'll give a shit about your whining. Security updates that disable insecure functionality are normal and accepted. Furthermore, the manual update process is at least as much an acceptance as an EULA is.

    Gator and Weatherbug are not illegal, sadly - the EULA as justification for inclusion has been upheld. The user is in fact getting a bug fix - the bug that allowed for a major security breach is being removed. You may not like that bug fix, but sucks to be you. GM is not disabled by this update and many scripts will continue to run. Insecure scripts will not.

  26. If a cold is no better than pneumonia... by argent · · Score: 4, Interesting

    Mozilla is just as much of an insecure platform as IE, because they allow plug-ins.

    Not quite.

    The big problem with IE is not just that it has a plug-in mechanism, but it has a plug-in mechanism that's based on the HTML control (the actual browser component) assigning the right to install plugins to an object (the web page) based on an ad-hoc security model that's based on the location the object is believed to originate. Certificates, security dialogs, and so on... these are layered on top of this, but basically the HTML control is responsible for figuring out if a "dangerous" action should be allowed with no more than hints from the calling applications, and a jargon-filled dialog box that the user has to decide on RIGHT AWAY.

    I get calls from my users all the time that are variants on "this dialog box came up and I hit 'yes' without thinking".

    So... the control is pervasive, it's used by lots of applications, the API can't be significantly changed without creating a mass upgrade day for every app that uses it, responsibility is placed in the wrong place, and the user interaction encourages mistakes.

    Firefox's extension mechanism has a similar problem with its installer, but:

    The extension installation mechanism is part of Firefox, not the Gecko HTML display object, so applications using gecko aren't automatically exposed as well.

    The Firefox extension API does not depend on the installer's behaviour, it's possible for Firefox to switch to a more secure download-and-install design without breaking any applications.

    The user interaction requires three separate steps, and there's no path through those steps that simply answering "yes" by reflex will result in the extension being installed.

    In addition, in Windows, there have been a number of attacks that involved tricking the HTML control into thinking that a remotely downloaded object was local... or even already installed. This approach is not possible in Firefox because instead of allowing plugins to run from anywhere except the places it thinks are dangerous, it doesn't allow plugins to run from anywhere except a specific directory that's got a randomly generated name in its path so it can't be targeted by a download.

    I would still recommend using a shell other than Firefox around a Gecko- or KHTML- based browser. I use Camino (Gecko) and Safari (KHTML) on Mac OS X, but I'm sure there are equivalents to these for Windows. But regardless, the exposure from using Firefox is so far less than using IE that if Firefox and IE are your only choices... use Firefox.

    I do not recommend using the Netscape browser, because of the way it allows the use of either Gecko or the Microsoft HTML control.

  27. The Firefox XPI model needs re-evaluation... by argent · · Score: 3, Insightful

    I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.

    I've been arguing that the Firefox XPI model needs to be re-evaluated from a security standpoint for some time now.

    1. Installing XPIs should not be initiated from a web page. They should be downloaded and manually installed, like any other application or application plug-in. This would allow any attacks that involve using the installer for privilege escalation to be eliminated.

    2. Expanded rights should not be granted to any javascript that has not been explicitly installed.

    3. As a corollary to this, any method that leads to an eval should, when run from a script that's part of chrome, unconditionally revoke those rights. A new method that explicitly evals code with greater rights with a name that makes it clear that it's dangerous can be added if it's actually necessary.