Serious Greasemonkey Security Problems

If you haven’t been keeping up on the recent security concerns with Greasemonkey – now’s a good time to jump in. I had no idea that the problems where ‘that bad’ until today. I assumed that it was only possible to do something malicious within a user script, not outside of it (due to bad scoping issues). At least, until, this post caught my eye.

Uninstall Greasemonkey altogether. At this point, I don’t trust having it on my computer at all. I would think that whoever is in charge of addons.mozilla.org should immediately remove the Greasemonkey XPI and post a large warning in its place advising people to uninstall it. —Mark

Backtracking through the entire security thread brings up quite a few serious problems. Currently, it’s possible to do the following things:

Do not fear! – Headway is already being made. The main concern is that it’s possible to access all of the above data outside of a user script’s scope. Once this is resolved (and the afformentioned hack may just do that) then Greasemonkey will be back on the fast-track.

Posted: July 18th, 2005


Subscribe for email updates

3 Comments (Show Comments)



Comments are closed.
Comments are automatically turned off two weeks after the original post. If you have a question concerning the content of this post, please feel free to contact me.


Secrets of the JavaScript Ninja

Secrets of the JS Ninja

Secret techniques of top JavaScript programmers. Published by Manning.

John Resig Twitter Updates

@jeresig

Infrequent, short, updates and links.