Serious Greasemonkey Security Problems
If you haven't been keeping up on the recent security concerns with Greasemonkey - now's a good time to jump in. I had no idea that the problems where 'that bad' until today. I assumed that it was only possible to do something malicious within a user script, not outside of it (due to bad scoping issues). At least, until, this post caught my eye.
Uninstall Greasemonkey altogether. At this point, I don't trust having it on my computer at all. I would think that whoever is in charge of addons.mozilla.org should immediately remove the Greasemonkey XPI and post a large warning in its place advising people to uninstall it. --Mark
Backtracking through the entire security thread brings up quite a few serious problems. Currently, it's possible to do the following things:
- Read the contents of any global user script
- Read the private values of any user script
- Request/Send information to third-party domains
- Access any file on a user's hard drive, copy it, and upload it to a remote server - all in the background.
Do not fear! - Headway is already being made. The main concern is that it's possible to access all of the above data outside of a user script's scope. Once this is resolved (and the afformentioned hack may just do that) then Greasemonkey will be back on the fast-track.
Tags: bugs, greasemonkey, firefox, extensions, security
3 Comments on 'Serious Greasemonkey Security Problems'
