“Serious security vulnerability” in Greasemonkey

Kevin Yank
Kevin Yank

The maker of Greasemonkey, a popular extension for power users of the Firefox browser, has posted a warning of a serious security vulnerability in the current release. This vulnerability can potentially give access to any and all files stored on a system running the Greasemonkey extension in Firefox.

The Greasemonkey extension provides the facility to install and run scripts either associated with particular sites, or with all sites on the Internet. These scripts use standard JavaScript features and syntax, but the extension also provides a set of extended functions that are available to user scripts. These functions are the source of the security hole.

Once a user script is associated with a site, those extended functions become available not just to the user script, but also to any script code within the site itself. A malicious site could wait until a user came along with a Greasemonkey script enabled for that site and then use the extended functions to access private files and data stored on the user’s system. Since many Greasemonkey scripts are designed to enhance all sites on the Web (and are therefore enabled for all sites), this is a very serious problem.

The extended function that is the biggest worry is the GM_xmlhttpRequest function, which enables user scripts (and due to this security hole, a malicious site) to make GET and POST requests for any URL, even outside the domain of the current site. By using it to request a file:// URL, a malicious site can read the contents of any file on the system, or even obtain a local directory listing. The script can then make a POST request to send that information to any URL.

While the developer searches for a good solution to these security issues, he has made available a new version of the extension, Greasemonkey 0.3.5, which removes support for all of the extended functions, including GM_xmlhttpRequest. Any script that relies on this feature will fail to work with this “neutered” version, but simple scripts that just tweak existing site layout/functionality should work fine.