philwilson.org

Disable Greasemonkey - security hole alert

19 July, 2005

Greasemonkey has a massive security hole in it which, depending on the scripts you have installed, can allow any website to read the contents of your hard drive (this is the case as far as I understand it, please leave a comment if I have the details wrong).

This is very major. In addition to being a massive exploit, it also means that Mark Pilgrim’s O’Reilly book-in-the-making Greasemonkey Hacks is DEAD until we fix this, so here’s looking forward to a fixed version, although from what I gather it will require a large amount of work to provide a fixed yet fully-functioning GM. Good luck guys!

via Groovy Mother


Comments

leff
19 July, 2005 at 14:30

Wow. That’s a big deal.

5 sec. analysis: The site you’re visiting has to take action, and you have to be using greasemonkey on that page. If the site is trustworthy then it looks like you’re ok.

This means you shouldn’t run scripts for anything like “http://*” but “http://www.google.com/*” is probably ok.

Looking through my installed scripts I’m thinking that “http://*.google.*/*” is bad. That could match “http://foo.google.malicious.com/stealyourfiles.html”

To be 100% safe, turn off greasemonkey altogether.
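
Added example, not part of leff's comment or the original post: a small audit of the three include patterns discussed in the comment above. It assumes `*` behaves as a plain glob that matches any run of characters; the function names, the trusted-host list and the probe URLs other than the one quoted in the comment are constructed for illustration.

```javascript
// Assumption: an include pattern is a plain glob where '*' matches any run
// of characters, including '.' and '/'.
function globToRegExp(pattern) {
  // Escape regex metacharacters (everything except '*'), then map '*' to '.*'.
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

function matchesInclude(pattern, url) {
  return globToRegExp(pattern).test(url);
}

// Hostnames of probe URLs that the pattern matches even though the real
// host (as parsed by the URL API) is not one the script user meant to trust.
function unintendedHosts(pattern, trustedHosts, probeUrls) {
  return probeUrls
    .filter((u) => matchesInclude(pattern, u))
    .map((u) => new URL(u).hostname)
    .filter((host) => !trustedHosts.includes(host));
}

// Constructed inputs. The second probe is the URL quoted in the comment.
const TRUSTED_HOSTS = ["www.google.com"];
const PROBE_URLS = [
  "http://www.google.com/search?q=test",
  "http://foo.google.malicious.com/stealyourfiles.html",
  "http://unrelated.example/index.html",
];

// Map each installed pattern to the untrusted hosts it would also run on.
function auditPatterns(patterns) {
  const report = {};
  for (const p of patterns) {
    report[p] = unintendedHosts(p, TRUSTED_HOSTS, PROBE_URLS);
  }
  return report;
}

const report = auditPatterns([
  "http://*",
  "http://www.google.com/*",
  "http://*.google.*/*",
]);
for (const [pattern, hosts] of Object.entries(report)) {
  console.log(pattern, hosts.length ? "also matches: " + hosts.join(", ") : "ok");
}
```

An empty list for a pattern only means none of the probes slipped through; it is a check against known lookalikes, not proof that the pattern is tight.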

Pip
19 July, 2005 at 15:02

That’s certainly my take on it, and that’s what I’ve done.