Greasemonkey gets into trouble
A serious vulnerability was found in Greasemonkey last week by Mark Pilgrim, author of the upcoming book "Greasemonkey Hacks," and Dive Into Greasemonkey. Pilgrim discovered that a combination of two flaws in Greasemonkey could allow user data to be transmitted to virtually any site.
We spoke to Pilgrim about the vulnerabilities, and about the security of Greasemonkey in general. According to Pilgrim, the first flaw gave ordinary web pages access to Greasemonkey's APIs for calling remote pages. A page exploiting it could call code from other sites without the user being aware of it, including posting data to another site.
The second exploit allowed pages to access file URLs, which could allow a remote site to browse the content of a user's hard drive. In conjunction with the first vulnerability, "remote pages could access any file on your system... [they could] recurse through the entire hard drive and post it anywhere in the world, really. And that's bad."
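The two flaws as described above, modelled in plain JavaScript as an added illustration that is not Greasemonkey's own code: a privileged request API hung on the page-visible global with no scheme check, beside a version that keeps the API inside the extension and allows only http and https. The window objects, the transport and the user-script callback are constructed stand-ins.

```javascript
// Added illustration, not Greasemonkey's code: the shape of the two flaws
// described in the article, and one hardened shape. The "window" objects,
// transport and user script below are constructed stand-ins.

// Stand-in for the extension's privileged transport: it records each
// request instead of sending it, so the example runs offline.
function makeTransport() {
  const log = [];
  return { log, send(url, body) { log.push({ url, body }); return "ok"; } };
}

// Vulnerable shape. Flaw 1: the privileged function is attached to the
// page-visible global, so any web page can call it. Flaw 2: the URL scheme
// is never checked, so file: URLs go straight through to the transport.
function installVulnerable(window, transport) {
  window.GM_request = (url, body) => transport.send(url, body);
}

// Hardened shape: the privileged function lives in the extension's closure
// and is handed only to the user script the user chose to install; nothing
// is added to the page's global. Every request must also pass a scheme
// allow-list, which rejects file: and anything else that is not http(s).
function installHardened(window, transport, userScript) {
  const allowedSchemes = new Set(["http:", "https:"]);
  function request(url, body) {
    const scheme = new URL(url).protocol; // throws on malformed URLs too
    if (!allowedSchemes.has(scheme)) {
      throw new Error(`blocked request to ${scheme} URL`);
    }
    return transport.send(url, body);
  }
  userScript({ request });
}

// Review check: lists the privileged-looking properties a page can reach
// on the global, which is what a reviewer of an extension would look for.
function leakedApiNames(window) {
  return Object.keys(window).filter((name) => name.startsWith("GM_"));
}
```

Running `leakedApiNames` against the vulnerable install returns `["GM_request"]`; against the hardened install it returns an empty list, and a file: request through the hardened API throws before reaching the transport.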
These vulnerabilities are fixed in the 3.5 version of Greasemonkey, though it is a "neutered" version that lacks the Greasemonkey APIs. Pilgrim said that a beta had been released that should retain functionality and clear up the security holes that he had found.
Even though the vulnerability has been closed in the latest versions of Greasemonkey, Pilgrim said that users could still be vulnerable to malicious user scripts. "Greasemonkey is very powerful, and people need to be aware what they're installing." Indeed, much of the concern about Greasemonkey seems to center on its features rather than its vulnerabilities. Letting users run browser scripts written by third parties, who may not have the users' best interests in mind, opens up some scary possibilities.
Since Firefox and Greasemonkey are becoming increasingly popular with less technical users, we asked Pilgrim how those users could verify that the scripts they install were safe, and if there was any way for the Greasemonkey team to protect those users.
We also asked Chris Hofmann, director of engineering for Mozilla, about the Greasemonkey vulnerability and whether the Mozilla developers could do anything to make extensions safer for users. Hofmann also said that much of the responsibility lies with the user to verify the source and function of extensions. "Users should take caution with any extensions they download, and authenticate the source of the extension." He also explained that the browser warns users by default before installing any software, so that no extension or script is installed without the user's knowledge.
It's worth noting that Firefox is not unique in allowing extensions or add-ons like Greasemonkey. Pilgrim noted that Turnabout does the same for Internet Explorer, letting users run scripts that change how websites behave. Just as with Firefox, Turnabout users could easily run malicious scripts if they aren't careful about where they get them.
There's really nothing unique about the Greasemonkey situation, though. Spyware and adware have propagated in large part because users have been willing to download and install software without questioning its source or any possible side effects.
The best that the Greasemonkey team can do is ensure that their software is not subject to vulnerabilities like the two that Pilgrim discovered. Beyond that, the responsibility will remain with the user to verify that extensions, scripts and other software are suitable for use.
| Index entries for this article | |
|---|---|
| GuestArticles | Brockmeier, Joe |