The ability to add extensions to Firefox has proven to be a popular
feature. One of the most popular extensions for Firefox, inspiring
countless user scripts, is the Greasemonkey extension, which allows
users to change the behavior of web sites.
A serious vulnerability was found in Greasemonkey last week by Mark
Pilgrim, author of the upcoming book "Greasemonkey Hacks," and Dive Into
Greasemonkey. Pilgrim discovered that a combination of two flaws in
Greasemonkey could allow user data to be transmitted to virtually any
site.
We spoke to Pilgrim about the vulnerabilities, and the security of
Greasemonkey in general. According to Pilgrim, Greasemonkey's first flaw
would give a web page access to the APIs used to call remote pages. A page
exploiting this vulnerability could call code from other sites without the
user being aware of it. This could include posting data to another site.
The second flaw allowed pages to access file URLs, which could allow a
remote site to browse the contents of a user's hard drive. In conjunction
with the first vulnerability, "remote pages could access any file on
your system... [they could] recurse through the entire hard drive and post
it anywhere in the world, really. And that's bad."
These vulnerabilities are fixed in the 3.5 version of Greasemonkey, though
it is a "neutered" version that lacks the Greasemonkey APIs. Pilgrim said
that a beta had been released that should retain functionality and clear
up the security holes that he had found.
The new version disables file URLs altogether for that API function, so
even user scripts are not allowed to do that anymore, and second of all,
closes the hole that allows the remote page you're browsing to trap the API
call. The pages you browse now no longer have access to any of the
Greasemonkey internals. User scripts can still use it... but the page
you're browsing can't steal access to those pages.
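
The scheme restriction described above, sketched as an added JavaScript example (not Greasemonkey's own code; `checkRequestUrl`, `guardedRequest` and the `send` callback are hypothetical names). It resolves the requested URL first and only then allows http and https:

```javascript
// Added illustration, not Greasemonkey's code: a scheme allow-list in front of
// a privileged request helper. All names here are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve the requested URL the way a browser would, then check its scheme.
function checkRequestUrl(rawUrl, pageUrl) {
  let parsed;
  try {
    // Resolving against the page URL matters: a relative reference requested
    // from a file: page is itself a file: URL.
    parsed = new URL(String(rawUrl), pageUrl);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  // The parser lower-cases the scheme and strips leading whitespace, so
  // "FILE:" and "  file:" are compared in their normalized form.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  return { ok: true, url: parsed.href };
}

// Wrapper around a privileged sender (`send` stands in for the real API).
function guardedRequest(details, pageUrl, send) {
  const verdict = checkRequestUrl(details.url, pageUrl);
  if (!verdict.ok) throw new Error("request blocked: " + verdict.reason);
  // Send the normalized URL that was checked, not the caller's raw string.
  return send({ ...details, url: verdict.url });
}

// Constructed sample inputs: [requested URL, URL of the page making the call].
const samples = [
  ["https://example.org/feed.xml", "https://example.org/"],
  ["FILE:///etc/hosts", "https://example.org/"],
  ["../notes.txt", "file:///home/user/page.html"],
  ["notes.txt", undefined],
];
for (const [url, page] of samples) {
  console.log(url, "->", JSON.stringify(checkRequestUrl(url, page)));
}
```
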
Even though the vulnerability has been closed in the latest versions of
Greasemonkey, Pilgrim said that users could still be vulnerable to
malicious user scripts. "Greasemonkey is very powerful, and people
need to be aware what they're installing." Indeed, there does seem
to be a level of concern that the problems with Greasemonkey are in its
features, not its vulnerabilities. The concept of allowing users to run
scripts in the browser developed by third parties, who may not have the
users' best interests in mind, opens up some scary possibilities.
Since Firefox and Greasemonkey are becoming increasingly popular with less
technical users, we asked Pilgrim how those users could verify that the
scripts they install were safe, and if there was any way for the
Greasemonkey team to protect those users.
Basically, there's no technical solution to that, Greasemonkey allows you
so much power, that you can't stop people from writing malicious
scripts...without making Greasemonkey useless.
We also asked Chris Hofmann, director of engineering for Mozilla, about the
Greasemonkey vulnerability and whether the Mozilla developers could do
anything to make extensions safer for users. Hofmann also said that much of
the responsibility lies with the user to verify the source and function of
extensions. "Users should take caution for any extensions they
download, and to authenticate the source of the extension." He also
explained that the default operation of the browser was to warn users
before installing any software, to prevent any extensions or scripts from
being installed without the user's knowledge.
It's worth noting that Firefox is not unique in allowing extensions or
add-ons like Greasemonkey. Pilgrim noted that Turnabout for Internet
Explorer performed the same function for IE, by allowing users to run
scripts to change the function of websites. Just as with Firefox, Turnabout
users could easily run malicious scripts if they're not careful about where
they acquire them.
There's really nothing unique about the Greasemonkey situation,
though. Spyware and adware have propagated in large part because users have
been willing to download and install software without questioning the
source of the software or any possible side-effects.
The best that the Greasemonkey team can do is ensure that their software is
not subject to vulnerabilities like the two that Pilgrim discovered. Beyond
that, the responsibility will remain with the user to verify that
extensions, scripts and other software are suitable for use.