Disable Greasemonkey – security hole alert

Greasemonkey has a massive security hole in it which, depending on the scripts you have installed, can allow any website to read the contents of your hard drive (this is the case as far as I understand it, please leave a comment if I have the details wrong).

This is very major. In addition to being a massive exploit, it also means that Mark Pilgrim’s O’Reilly book-in-the-making Greasemonkey Hacks is DEAD until we fix this, so here’s looking forward to a fixed version, although from what I gather it will require a large amount of work to provide a fixed yet fully-functioning GM. Good luck guys!

via Groovy Mother


2 thoughts on “Disable Greasemonkey – security hole alert”

  1. Wow. That’s a big deal.

    5 sec. analysis: The site you’re visiting has to take action, and you have to be using greasemonkey on that page. If the site is trustworthy then it looks like you’re ok.

    This means you shouldn’t run scripts for anything like “http://*” but “http://www.google.com/*” is probably ok.

    Looking through my installed scripts I’m thinking that “http://*.google.*/*” is bad. That could match “http://foo.google.malicious.com/stealyourfiles.html”

    To be 100% safe, turn off greasemonkey altogether.
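The include-pattern point raised in the comment above can be checked mechanically. The following is an added example, not part of the original post or comment and not Greasemonkey's own code: it assumes `*` in an include pattern matches any run of characters, and the helper names and the `unrelated.example` probe URL are constructed for illustration.

```javascript
// Assumption: "*" in an include pattern matches any run of characters,
// including "." and "/"; every other character is taken literally.
function includeToRegExp(pattern) {
  const literal = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + literal.replace(/\*/g, ".*") + "$");
}

function matchesInclude(pattern, url) {
  return includeToRegExp(pattern).test(url);
}

// For each pattern, list the probe URLs a script would run on whose host
// is not one the user meant to trust.
function auditIncludes(patterns, trustedHosts, probeUrls) {
  const trusted = new Set(trustedHosts);
  return patterns.map((pattern) => ({
    pattern,
    unexpected: probeUrls.filter(
      (url) => matchesInclude(pattern, url) && !trusted.has(new URL(url).hostname)
    ),
  }));
}

// Patterns and the second probe URL are quoted from the comment above;
// the third probe URL is constructed.
const patterns = ["http://*", "http://www.google.com/*", "http://*.google.*/*"];
const trustedHosts = ["www.google.com"];
const probeUrls = [
  "http://www.google.com/search?q=test",
  "http://foo.google.malicious.com/stealyourfiles.html",
  "http://unrelated.example/page.html",
];

const report = auditIncludes(patterns, trustedHosts, probeUrls);
for (const { pattern, unexpected } of report) {
  console.log(pattern, "->", unexpected.length ? unexpected : "trusted hosts only");
}
```

Running the same audit over the include lines of your own installed scripts, with probe URLs for hosts you do not control, shows which scripts would be active on pages outside the sites you intended.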
