Serious Security Flaw in Greasemonkey

Filed in: Mozilla, Security — July 26th, 2005

A serious security flaw has been found in the popular Greasemonkey extension for Mozilla Firefox, potentially allowing websites to access any file on a user’s computer.

First released last year, Greasemonkey allows users to install small pieces of code (known as user scripts) that change the way various websites behave.

If a user running a vulnerable version of Greasemonkey visits a website that triggers at least one of their user scripts, that website can read any of the user’s files or list the contents of any of the user’s directories/folders.

The problem can be resolved by either installing Greasemonkey 0.3.5, which fixes the flaw but has reduced functionality, or uninstalling Greasemonkey altogether. A fully-functional version of Greasemonkey that fixes the security issues is being developed.


Thought:
I am not a Greasemonkey user; I seldom trust software that can change the look of existing websites.


  • http://jerryc.blogspot.com/ Jerry

    Fortunately GM 0.3.5 that fixes this has been released not too long ago (unfortunately for me, I haven’t found a version that works with Deer Park A2. Egad! Has anyone got better luck? =/ ).

    It’s just an extension that applies a Javascript-based template to your current page – bad scripts are usually weeded out as soon as they hit public, so there’s no real need to be paranoid.
