Blog


Serious Greasemonkey Security Problems

If you haven't been keeping up on the recent security concerns with Greasemonkey - now's a good time to jump in. I had no idea that the problems were 'that bad' until today. I assumed that it was only possible to do something malicious within a user script, not outside of it (due to bad scoping issues). At least, until this post caught my eye.

Uninstall Greasemonkey altogether. At this point, I don't trust having it on my computer at all. I would think that whoever is in charge of addons.mozilla.org should immediately remove the Greasemonkey XPI and post a large warning in its place advising people to uninstall it. --Mark

Backtracking through the entire security thread brings up quite a few serious problems. Currently, it's possible to do the following things:

Do not fear! - Headway is already being made. The main concern is that it's possible to access all of the above data outside of a user script's scope. Once this is resolved (and the aforementioned hack may just do that) then Greasemonkey will be back on the fast-track.

Tags: bugs, greasemonkey, firefox, extensions, security

Wikipedia Animate Results

The results are in! My AniWiki project placed second in the Waxy Automated Wikipedia Contest. The first place entry was really smooth and nicely put together, but I was able to get some scraps based purely on technical development, which is cool.

Although John Resig's AniWiki entry had several innovations, Dan wins because of the elegant Wikipedia integration and the ease of use. Dan's entry was the first to use a slider for navigation, allowing you to scrub across revisions with changes reflected in real-time, and I like the ability to switch between selected arbitrary ranges using the existing Wikipedia buttons or the entire revision history. It looks like a seamless part of Wikipedia. He'll receive $200, one Flickr Pro account, a $20 Threadless gift certificate, and the Socialtext Starter package.

Second place goes to John Resig's innovative AniWiki. Although I didn't like the slideshow navigation as much, I was blown away by his graphical chart of activity over time and the visual diffs written entirely in Javascript. (Dan Phiffer was inspired to add that same feature to his script after seeing John's implementation.) For his excellent work, John will receive $50 and a Flickr Pro account.

Probably the best feature to come out of the contest is the highly-usable Javascript Diff Algorithm that I made - and I'm sure will get some use all around the 'net. On a side note, I really hope these sorts of 'lazyweb-free-for-all' contests happen more often; I really enjoyed myself and got some cash for my hard work. Maybe there should be a web site dedicated to managing these mini-contests.... anyone?

Tags: wikipedia, waxy, animate, contests, greasemonkey, javascript, wiki

Delicious Tag Auto-Complete

The big news of the weekend was the release of the Delicious Tag Auto-Complete extension using Greasemonkey.

Friday afternoon, Julia mentioned the fact that an auto-complete utility for delicious would be very handy. So, a couple hours later, I had hacked one together, using Greasemonkey as the delivery device. I publicized it through the delicious mailing list and posted a link to my account, and within 24 hours I had the top spot on delicious popular - which is rather exciting. (I have a screenshot at home, which I will upload later.) I'm really intrigued by how quickly the whole thing propagated. Apparently, it doesn't take much to spread the word around the community of delicious users. I have a couple more projects up my sleeve that I'll probably release here within the week, and we'll have to see how well they fare in comparison.

Tags: auto, del.icio.us, greasemonkey, javascript, tags

Date Extraction

At the last Social Computing Club meeting an interesting idea came up for discussion. We were trying to figure out what the easiest possible way to schedule an event could be. But in order to do so, we needed to figure out where people got their event notifications from, so I've compiled a mini-list.

  • Email - A lot of people plan new events by email. Some of these even do it by attaching a new ical event to the email for the recipients to add to their calendar. Attaching an event is the most efficient way for the recipients to manage the event, not necessarily so for the sender. The proposed solution, by Jon Schull, was to simply forward the email that you received with a subject line of "Tomorrow at 8, Meeting with Fred" (for example) to a specified email box. This will automatically update your calendar with this event and attach the email as data. This would be very easy.
  • Instant Messenger - I, personally, plan a lot of events through AIM. Similar to the email solution, one could simply forward a new event to an AIM bot. An issue with this, however, lies in the fact that you don't have the prior conversation automatically attached to the event (for context).
  • Web Sites - Browsing around web sites and spotting a new event (such as 'FooBar Concert, 8pm, July 1, 2005') is the final location, that I can think of, where an event would exist. To test this theory, I wrote a quick GreaseMonkey hack which parses through some selected text, looks for something representing a date, and returns the date in a properly-formatted time (you can check it out here). Note: It doesn't actually do anything yet, but hopefully will soon. It currently only supports phrases like 'tomorrow', 'yesterday', 'evening', and 'morning' - which are much much easier to find than all the possible date formats.
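
The phrase matching described in the last item could look like the sketch below. It is an added example, not the original user script; the function name, the clock hours assigned to 'morning' and 'evening', and the sample sentence are assumptions made for illustration.

```javascript
// Added example (not the original user script). Supports only the phrases the
// post lists: 'tomorrow', 'yesterday', 'evening' and 'morning'.
const DAY_OFFSETS = { yesterday: -1, tomorrow: 1 };
// Assumption: clock hours chosen here for the vague parts of the day.
const PART_HOURS = { morning: 9, evening: 19 };

// "tomorrow evening" is tried before a bare "evening" so the pair stays together.
// \b keeps words such as "eveningwear" from matching.
const PHRASE =
  /\b(yesterday|tomorrow)\b(?:\s+(morning|evening)\b)?|\b(morning|evening)\b/i;

// Returns { phrase, hasTime, iso } for the first phrase found, or null.
// `now` is injectable so results are reproducible; all arithmetic is in UTC.
function extractRelativeDate(text, now = new Date()) {
  const m = PHRASE.exec(String(text));
  if (!m) return null;
  const day = m[1] ? m[1].toLowerCase() : null;
  const rawPart = m[2] || m[3];
  const part = rawPart ? rawPart.toLowerCase() : null;
  // Date.UTC normalises out-of-range days, so month and year rollover is handled.
  const when = new Date(Date.UTC(
    now.getUTCFullYear(), now.getUTCMonth(),
    now.getUTCDate() + (day ? DAY_OFFSETS[day] : 0),
    part ? PART_HOURS[part] : 0));
  return { phrase: m[0], hasTime: part !== null, iso: when.toISOString() };
}

// In a user script the input would be window.getSelection().toString().
// Constructed sample input, evaluated against a fixed clock:
const SAMPLE_NOW = new Date("2005-06-30T15:00:00Z");
console.log(extractRelativeDate("Are you available tomorrow evening?", SAMPLE_NOW));
```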

In all, it's an intriguing problem: Constructing some form of an interface through which users can most easily maintain their calendar. At least one feature that I would find to be intriguing would be if someone says to you "Are you available tomorrow evening?" your calendar application would be able to tell you what time to meet would be best, and maybe even what location. Anyway, it's all just a bunch of speculation right now, but the Lab for Social Computing is going to try hacking on it and see if they can take it somewhere. I'll be interested to see what the results look like.

Tags: date, event, greasemonkey, planning, schedule, time

Visual Friend Identification

Something that I've been tinkering around with the past couple of days is the concept of providing visual cues to associate a name with a face, so to speak. For example, I find it to be much easier, mentally, to make the connection between someone's face and who they are than someone's cryptic username (which, in turn, is associated with someone's name, then associated to a face - a much, much slower process, for me, that results in a lot of dead ends). To combat this, I've been making a lot of changes to my personal data. The most notable of which is: Locating a headshot picture of all of your friends. In theory, I want to quickly and easily associate someone's online persona with their real life person. It's a challenge and I'm not yet sure how well it will go. However, in order to test it, the first step is to find as many friend headshots as possible. Here are a couple resources that I've used, thus far:

  • AIM Icons - Users of AOL Instant Messenger can easily associate an icon with their online persona, however most icons are nonsensical and are of little use.
  • Live Journal Buddy Icons - On LiveJournal, users have the ability to provide a few icons that they can, in turn, associate with certain comments/blog posts that they make. These can be quickly accessed by visiting the URL:
    http://www.livejournal.com/allpics.bml?user=LJ_USERNAME
  • Gravatar - This site provides a hosting resource for associating a global image (avatar) with your email address, to be displayed on blog comments that you make. This is an excellent resource and as it comes with an API, very usable too.
  • FOAF - If you use FOAF (or if you don't know what FOAF is, but use LiveJournal) then you may have access to a number of your friends' pictures. FOAF provides a field for people to include a URL to their personal image, which can come in terribly handy.
  • Image Search - The final resource (unless, of course, you actually have a picture of your friend handy, then you can skip all the above steps) would be a thorough search of the Internet. Searching by name, nickname, username, and email address all help.

Now that you have a nice list of pictures for all of your friends, here is what you can do: Associate that picture with that person everywhere possible. The first thing that I did was to update the buddy icons for all of my AIM buddies. This gave me a highly usable visual buddy list to browse (also pictured above). The second step was to associate the images with all of my frequent email contacts. Thankfully, OSX makes this process terribly easy. I can take an email address/name from Mail.app, right-click, and add it to my address book. I can then edit the address book entry for that user and add their AIM buddy name. Now I've tackled two of my most frequently used forms of communication: Instant Messenger and Email, but that still leaves a large ocean uncharted: The web.

At this point in the game, I decided to go back to my old friend GreaseMonkey. Essentially, I wanted to write a script that would search through a page looking for certain names, nicknames, and usernames and insert an image to be associated with it. And so, that's what I did. Right now it's very rough around the edges and requires a lot of user customization.

  • name2face - This script requires a lot of configuration. Please modify the data structure within the program to change which users you would like to match and display for, otherwise you'll just see a few of my friends, currently.
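
The matching and insertion step such a script needs could look like the sketch below. It is an added example, not the name2face script itself; the `PEOPLE` entries, the `images.example` URLs and all function names are constructed for illustration. Names are regex-escaped and the images are built with DOM calls, so neither the configured names nor the page text is ever reinterpreted as a pattern or as markup.

```javascript
// Added example, not the original name2face script. PEOPLE is constructed data.
const PEOPLE = [
  { names: ["Alice Example", "alice_x"], img: "https://images.example/alice.png" },
  { names: ["Bob (work)"], img: "https://images.example/bob.png" },
];

// Names are data, not patterns: escape regex metacharacters such as "(".
const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// One case-insensitive pattern for all names, longest first, matched only when
// not embedded in a longer word (so "malice_x" does not hit "alice_x").
function buildMatcher(people) {
  const lookup = new Map();
  for (const p of people) for (const n of p.names) lookup.set(n.toLowerCase(), p.img);
  const alts = [...lookup.keys()].sort((a, b) => b.length - a.length).map(escapeRe);
  return { lookup, re: new RegExp(`(?<!\\w)(${alts.join("|")})(?!\\w)`, "gi") };
}

// Pure step: split text into plain strings and { name, img } hits.
function splitByNames(text, matcher) {
  const out = [];
  let last = 0;
  for (const m of text.matchAll(matcher.re)) {
    if (m.index > last) out.push(text.slice(last, m.index));
    out.push({ name: m[0], img: matcher.lookup.get(m[0].toLowerCase()) });
    last = m.index + m[0].length;
  }
  if (last < text.length) out.push(text.slice(last));
  return out;
}

// Browser step: rebuild matching text nodes with createElement and text nodes
// only (never innerHTML), so page text is not re-parsed as HTML.
function annotate(root, matcher) {
  const walker = document.createTreeWalker(root, NodeFilter.SHOW_TEXT);
  const nodes = [];
  while (walker.nextNode()) nodes.push(walker.currentNode);
  for (const node of nodes) {
    const parts = splitByNames(node.nodeValue, matcher);
    if (!parts.some(p => typeof p !== "string")) continue;
    const frag = document.createDocumentFragment();
    for (const p of parts) {
      if (typeof p === "string") { frag.append(p); continue; }
      const img = document.createElement("img");
      img.src = p.img; img.alt = ""; img.height = 16;
      frag.append(img, p.name);
    }
    node.replaceWith(frag);
  }
}
```

In a user script this would be run as `annotate(document.body, buildMatcher(PEOPLE))`.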

Ideally I'd like this plug-in to pull from some sort of a dynamic XML repository (possibly in FOAF format?) that could be updated easily. The results are very interesting. Browsing social networking sites, Gmail, and other forms of communication have taken on a whole new feel. I really feel that a service like this has a lot of potential and should be explored more fully, which I hope to do soon.

Tags: friends, greasemonkey, network, social, visual
