Slashdot Mirror


Firefox Greasemonkey Extension Security Problem

Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"

9 of 443 comments

  1. More Ammo by GuitarNeophyte · · Score: 5, Insightful

    Just more ammo for the mega-powers to say, "See, when it becomes mainstream, it becomes more insecure. Come back to Windows."

    Marvelous.

    Luke
    ----
    Be smart. Teach others. ChristianNerds.com

    1. Re:More Ammo by FidelCatsro · · Score: 5, Funny

      They can say "Come back to Windows, no need for third party extensions for these types of flaws. They are built into MSIE/Windows, it just works"

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
  2. Why Uninstall? by SenFo · · Score: 5, Informative

    "Time to uninstall GM?"

    Why not just do what the article says and "Install Greasemonkey 0.3.5"?

  3. More details on the exploit... by octaene · · Score: 5, Interesting

    Here are some more details from the posting thread, which explain why the exploit is so bad...

    This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer.

    http://diveintogreasemonkey.org/experiments/localfile-leak.html returns the contents of c:\boot.ini, which exists on most modern Windows systems.

    But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)

    In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.

    The above information posted originally by Mark Pilgrim
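
The two conditions described in the comment above (a privileged request API that accepts file: URLs, and a script scope that defaults to "@include *"), expressed as defensive checks. This is an added example, not part of the original post and not Greasemonkey's own code or its 0.3.5 fix; the function names and the http/https-only allowlist are assumptions.

```javascript
// Added example. All names here are hypothetical, not Greasemonkey APIs.
// Assumption: a privileged request helper should only ever reach http/https.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve the requested URL the way a browser would (relative to the page),
// then decide on the parsed scheme, never on a string prefix.
function checkRequestUrl(requested, pageUrl) {
  let url;
  try {
    url = new URL(requested, pageUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allowed: false, reason: "scheme " + url.protocol + " not allowed" };
  }
  return { allowed: true, url: url.href };
}

// Read @include lines from the ==UserScript== metadata block. Per the post
// above, a script with no @include runs everywhere, so the default is ["*"].
function effectiveIncludes(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const includes = [];
  if (block) {
    for (const line of block[1].split("\n")) {
      const m = /^\s*\/\/\s*@include\s+(\S+)/.exec(line);
      if (m) includes.push(m[1]);
    }
  }
  return includes.length ? includes : ["*"];
}

// Flag scripts that pair the privileged request API with a match-everything scope.
function auditScript(source) {
  const includes = effectiveIncludes(source);
  const usesPrivilegedXhr = /\bGM_xmlhttpRequest\b/.test(source);
  return { includes, usesPrivilegedXhr,
           highExposure: usesPrivilegedXhr && includes.includes("*") };
}

// Constructed sample script with no @include line.
const SAMPLE = "// ==UserScript==\n// @name demo\n// ==/UserScript==\n" +
  "GM_xmlhttpRequest({method: 'GET', url: 'http://example.com/', onload: function () {}});";
```

`auditScript` only catches the literal `*` pattern; broader audits would also need to treat patterns such as `http://*` as wide scope.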

  4. Possible solution - NoScript extension is great ! by CdBee · · Score: 5, Interesting

    I use Greasemonkey in conjunction with NoScript - an extension which prevents any site from using JavaScript unless it is added to the whitelist maintained in the extension.

    To run a Greasemonkey script on a page you have to allow that domain or subdomain in NoScript. This prevents Greasemonkey being used on a rogue page as I wouldn't use a script on an uber-dodgy site anyway!

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  5. Re:gauntlet by wuie · · Score: 5, Funny

    Yellow wizard needs patch badly.

  6. A HELPFUL TRANSACTION. by Anonymous Coward · · Score: 5, Insightful

    (MAN) Sirs, I am in dire need of a web-browser! The one thus furnished to me by Mr. Gates of Redmond is rickety and unsafe, and prone to inviting the most deadly of spy-ware into my parlor!
    (MOZILLA SOCIETY REPRESENTATIVE) Why, good sir, we shall help you forthwith! We have exactly the web-browser that you need! It has been engineered to the most careful of specifications, and its security is without compare!
    (MAN) Why then I shall have one immediately!

    (LATER)

    (RANDOM STREET URCHIN) Sir, I see that you have this day procured a web-browser, which I see under your arm. May I convince you to also take this complex contraption of my own invention, which will attach to your web-browser as a "plug in"?
    (MAN) What, what? An inscrutable device of unclear ultimate function furnished by a stranger of whom I know nothing? Yes, yes, why not. Now run along, lad.

    (LATER THAT NIGHT, THE CONTRAPTION PROVIDED BY THE STREET URCHIN EXPLODES, SETTING THE WEB BROWSER AFLAME.)

    (MAN) What's this? Oh, mama! The web-browser I have this very day received from the Mozilla Society has immolated, consuming my drapes and lighting my house aflame. They told me it was secure! Lies! Betrayal! Those Mozilla Society rapscallions! I'll give them what for!

  7. Re:gauntlet by TheScottishGuy · · Score: 5, Funny

    Blue browser is about to die.

  8. Re:What should be done. by telecsan · · Score: 5, Insightful

    Even after you've installed an extension, you shouldn't be forced (by Firefox) to accept any and all behaviour it tries to produce. I should be able to install a toolbar and prevent it from calling home, for example. You should be able to set the permissions or at least the 'run-as' of the toolbar separately from the permissions of Firefox. Surely the security-conscious /. community should realize that.