"Serious security vulnerability" in Greasemonkey


The maker of Greasemonkey, a popular extension for power users of the Firefox browser, has posted a warning of a serious security vulnerability in the current release. This vulnerability can potentially give access to any and all files stored on a system running the Greasemonkey extension in Firefox.

The Greasemonkey extension provides the facility to install and run scripts either associated with particular sites, or with all sites on the Internet. These scripts use standard JavaScript features and syntax, but the extension also provides a set of extended functions that are available to user scripts. These functions are the source of the security hole.

Once a user script is associated with a site, those extended functions become available not just to the user script, but also to any script code within the site itself. A malicious site could wait until a user came along with a Greasemonkey script enabled for that site and then use the extended functions to access private files and data stored on the user’s system. Since many Greasemonkey scripts are designed to enhance all sites on the Web (and are therefore enabled for all sites), this is a very serious problem.

The extended function that is the biggest worry is the GM_xmlhttpRequest function, which enables user scripts (and due to this security hole, a malicious site) to make GET and POST requests for any URL, even outside the domain of the current site. By using it to request a file:// URL, a malicious site can read the contents of any file on the system, or even obtain a local directory listing. The script can then make a POST request to send that information to any URL.

While the developer searches for a good solution to these security issues, he has made available a new version of the extension, Greasemonkey 0.3.5, which removes support for all of the extended functions, including GM_xmlhttpRequest. Any script that relies on this feature will fail to work with this “neutered” version, but simple scripts that just tweak existing site layout/functionality should work fine.
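To decide which installed scripts matter most here, the following added example (not code from Greasemonkey or from the original article) audits user script source for two things: whether its `@include` rules enable it for all sites, and whether it references `GM_`-prefixed extended functions and so will fail on 0.3.5. The sample scripts, file names, the `ALL_SITES` pattern list and the treatment of a missing `@include` as "all sites" are assumptions made for illustration.

```javascript
// Added example. The sample user scripts below are constructed for illustration.
const SAMPLES = {
  "fetcher.user.js": [
    "// ==UserScript==",
    "// @name    Fetcher (constructed)",
    "// @include *",
    "// ==/UserScript==",
    "GM_xmlhttpRequest({method: 'GET', url: 'http://example.com/', onload: function (r) {}});",
  ].join("\n"),
  "tweak.user.js": [
    "// ==UserScript==",
    "// @name    Layout tweak (constructed)",
    "// @include http://example.com/*",
    "// ==/UserScript==",
    "document.body.style.maxWidth = '60em';",
  ].join("\n"),
  "noinclude.user.js": [
    "// ==UserScript==",
    "// @name    No include rule (constructed)",
    "// ==/UserScript==",
    "// TODO: maybe use GM_xmlhttpRequest later",
    "document.title = '[gm] ' + document.title;",
  ].join("\n"),
};
// Heuristic (assumed) list of @include patterns that match every site.
const ALL_SITES = new Set(["*", "http://*", "http://*/*", "https://*", "https://*/*"]);

function auditUserScript(source) {
  const meta = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const includes = [];
  const includeRe = /^\s*\/\/\s*@include\s+(\S+)\s*$/gm;
  let m;
  while (meta && (m = includeRe.exec(meta[1])) !== null) includes.push(m[1]);
  // Assumption: a script with no @include rule is treated as enabled everywhere.
  if (includes.length === 0) includes.push("*");
  // Drop comments so a GM_ name that is only mentioned in a comment is not counted.
  const code = source.replace(/^\s*\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
  const gmCalls = [...new Set(code.match(/\bGM_[A-Za-z]\w*/g) || [])].sort();
  return {
    includes,
    allSites: includes.some((p) => ALL_SITES.has(p)), // enabled on every page visited
    gmCalls,                                          // extended functions referenced
    breaksOnNeutered: gmCalls.length > 0,             // relies on functions removed in 0.3.5
  };
}

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditUserScript(src)));
}
```

Scripts reported with `allSites: true` are the ones the article singles out as the most serious case; scripts with `breaksOnNeutered: true` need attention before moving to 0.3.5.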

Kevin Yank

Kevin began developing for the Web in 1995 and is a highly respected technical author. He wrote Build your own Database Driven Website using PHP and MySQL, a practical step-by-step guide published by SitePoint, and he's co-author of the SitePoint Tech Times, a bi-weekly newsletter for technically-minded web developers. Kev believes that any good webmaster should have seen at least one episode of MacGyver.
