
Serious Security Issue in Greasemonkey

Posted on Tuesday, July 19, 2005

The invaluable Mark Pilgrim (author of "Dive Into Greasemonkey", among other things) has uncovered a major security flaw in all existing versions of the Greasemonkey extension for Firefox:

Running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.

Wow.

After being told by the GM developers that the issue wasn't going to be fixed in the next version (0.4), Mark put up some proof-of-concept exploits so you can see the hole for yourself:

After Mark went public with the exploits, the GM developers seem to have seen the light; they now say that GM 0.4 will address this issue, and they have issued an interim version, 0.3.5, that disables the API functions that make the exploit possible.

All Greasemonkey users should install 0.3.5 immediately. It will break all user scripts that rely on the APIs in question. You should not let this keep you from updating; living without a few scripts until 0.4 comes out is a lot less painful than letting remote sites root through your hard drive. If you're not willing or able to update to 0.3.5, you should disable Greasemonkey altogether.
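To see which installed scripts carry the two risk factors this post describes (an effective "@include *", which is also what a script with no @include gets, and use of GM_xmlhttpRequest), here is a small added audit script in Node.js; it is not part of this post or of Greasemonkey, assumes the standard "// ==UserScript==" metadata block, and runs over a constructed sample script.

```javascript
// Added example, not from the post or from Greasemonkey: audit a user
// script's metadata block for the two risk factors the post describes.
// Assumption: the header is the standard "// ==UserScript==" block.

// Constructed sample user script (no @include, so it defaults to "*").
const SAMPLE_SCRIPT = `// ==UserScript==
// @name        Example Helper
// @description constructed sample for the audit below
// ==/UserScript==
GM_xmlhttpRequest({method: "GET", url: "http://example.invalid/data"});
`;

// Parse "// @key value" lines between the ==UserScript== markers.
function parseMetadata(source) {
  const meta = {};
  const m = source.match(/\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/);
  if (!m) return meta;
  for (const line of m[1].split("\n")) {
    const kv = line.match(/^\/\/\s*@(\S+)\s*(.*)$/);
    if (!kv) continue;
    const [, key, value] = kv;
    (meta[key] = meta[key] || []).push(value.trim());
  }
  return meta;
}

// Effective @include set: with no @include, Greasemonkey treats the
// script as "@include *" (the default the post mentions).
function effectiveIncludes(meta) {
  return meta.include && meta.include.length ? meta.include : ["*"];
}

// Returns the list of findings for one script source.
function auditScript(source) {
  const meta = parseMetadata(source);
  const findings = [];
  if (effectiveIncludes(meta).includes("*")) {
    findings.push(meta.include ? "wildcard @include: runs on every site"
                               : "no @include: defaults to *, runs on every site");
  }
  if (/\bGM_xmlhttpRequest\s*\(/.test(source)) {
    findings.push("uses GM_xmlhttpRequest (cross-site GET/POST)");
  }
  return findings;
}

console.log(auditScript(SAMPLE_SCRIPT));
```

Both findings together are the combination the post warns about: a script that runs everywhere and has the privileged request API available.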


Except where otherwise noted, all content on this site is provided under the terms of the Creative Commons Attribution-ShareAlike license.
