[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Godmar Back godmar at gmail.com
Mon Jul 18 13:36:14 EDT 2005


Would the same concern apply to GM's XMLHttpRequest object?

Could a malicious web site serve JavaScript that would create
connections to domains other than the domain from which it came if the
user has a GM script that is triggered for all pages, since the
GM_xmlhttprequest function object (or whatever it was called) will
then exist in the environment of the page?

 - Godmar

On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
> On 7/18/05, Jeremy Dunck <jdunck at gmail.com> wrote:
> > So, uh, the script leaking investigation isn't entirely for the glory
> > of knowing.  It also sucks to leak private keys.
> 
> Last week I showed that the complete text of every single one of your
> locally-installed user scripts could be leaked to remote sites (
> http://diveintogreasemonkey.org/experiments/script-leak.html ), and
> the reaction from the GM developers was (paraphrasing) "Yeah, we know
> about that, but we haven't fixed it yet because it's hard."
> 
> I would now like to point out that every single piece of data stored
> locally with GM_setValue can be leaked to remote sites.  Working
> exploit here: http://diveintogreasemonkey.org/experiments/function-leak.html
> 
> I feel I've accumulated a fair amount of karma in this fledgling
> community, and I'm going to burn some of it now by suggesting that
> this is a BIG FUCKING DEAL and that I am TRULY SHOCKED that it is not
> being dealt with in GM 0.4.
> 
> --
> Cheers,
> -Mark
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>

