If you haven’t been keeping up on the recent security concerns with Greasemonkey – now’s a good time to jump in. I had no idea that the problems were ‘that bad’ until today. I assumed that it was only possible to do something malicious within a user script, not outside of it (due to bad scoping issues). At least, until this post caught my eye.
Uninstall Greasemonkey altogether. At this point, I don’t trust having it on my computer at all. I would think that whoever is in charge of addons.mozilla.org should immediately remove the Greasemonkey XPI and post a large warning in its place advising people to uninstall it. —Mark
Backtracking through the entire security thread brings up quite a few serious problems. Currently, it’s possible to do the following things:
- Read the contents of any global user script
- Read the private values of any user script
- Request/Send information to third-party domains
- Access any file on a user’s hard drive, copy it, and upload it to a remote server – all in the background.
Do not fear! – Headway is already being made. The main concern is that it’s possible to access all of the above data outside of a user script’s scope. Once this is resolved (and the aforementioned hack may just do that) then Greasemonkey will be back on the fast-track.
I'll blog your mind reloaded ! (July 19, 2005 at 3:59 am)
Serious Greasemonkey Security Problems
All Greasemonkey users are called to uninstall this plugin until the bug will be fixed. Backtracking through the entire security thread at mozdev brings up quite a few se
Jason (August 5, 2005 at 10:23 am)
Greasemonkey 0.5 beta aims to solve all those problems and bring the features that were planned for 0.4. You can find it at http://greasemonkey.mozdev.org/
Jon (August 12, 2007 at 3:58 pm)
What is the difference between Greasemonkey and FUEL in design goal? I have googled it a bit but I didn’t find anything. To me it seems the same – “making it easy to write plug-ins for Firefox.”
Correct me if I’m wrong.
Cheers!