Regarding Greasemonkey Insecurities

Anil Dash Saw the Greasemonkey Mailing List, I Guess

The security flaw (privilege escalation through use of the GM_* functions, leading to read-access to local files available to the logged-in user) does exist in the XPI as it was two days ago. Aaron Boodman has released a “neutered” XPI that removes most of the GM_* functions; it obviously won’t work with scripts that used the functions, but plainer scripts should work fine.

There has also been work recently on making Firefox extensions more secure: enforcing the chrome/content barrier more strictly through the xpcnativewrappers=yes option, and (with the evalInSandbox function in 1.1+) giving extensions control over the context in which their code runs, and thus the security privileges it has.

Unfortunately, GM_xmlhttpRequest in particular was just a security hole waiting to happen. Think about it: its raison d’être is to enable cross-site scripting for user scripts — it’s there to give content-level code the ability to make HTTP requests for random web pages, and, because of the way privileges are currently a sort of all-or-nothing deal, “random web pages” includes “the files on your computer”.

All said, ’twill be interesting to see how this plays out.

I do wonder, though: Just how much time is Mark Pilgrim spending on Greasemonkey?
