[Greasemonkey] greasemonkey for secure data over insecure
networks / sites
cfeldmann at gmail.com
Mon Jul 18 13:43:25 EDT 2005
On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
> On 7/18/05, Jeremy Dunck <jdunck at gmail.com> wrote:
> > So, uh, the script leaking investigation isn't entirely for the glory
> > of knowing. It also sucks to leak private keys.
> Last week I showed that the complete text of every single one of your
> locally-installed user scripts could be leaked to remote sites (
> http://diveintogreasemonkey.org/experiments/script-leak.html ), and
> the reaction from the GM developers was (paraphrasing) "Yeah, we know
> about that, but we haven't fixed it yet because it's hard."
Mark, a question of clarification:
When I looked at that exploit last week it seemed the server would have to
be @included in any script in order to read it. The GM_setValue exploit also
@includes its own demonstration page. I'm not trying to discount the
severity here, only asking if my understanding of the nature is correct.
Namely, must a script open itself to the server in the @include line for
this exploit to be viable?
I would now like to point out that every single piece of data stored
> locally with GM_setValue can be leaked to remote sites. Working
> exploit here:
> I feel I've accumulated a fair amount of karma in this fledgling
> community, and I'm going to burn some of it now by suggesting that
> this is a BIG FUCKING DEAL and that I am TRULY SHOCKED that it is not
> being dealt with in GM 0.4.
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Greasemonkey