[Greasemonkey] greasemonkey for secure data over insecure networks / sites

chris feldmann cfeldmann at gmail.com
Mon Jul 18 13:43:25 EDT 2005


On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
> 
> On 7/18/05, Jeremy Dunck <jdunck at gmail.com> wrote:
> > So, uh, the script leaking investigation isn't entirely for the glory
> > of knowing. It also sucks to leak private keys.
> 
> Last week I showed that the complete text of every single one of your
> locally-installed user scripts could be leaked to remote sites (
> http://diveintogreasemonkey.org/experiments/script-leak.html ), and
> the reaction from the GM developers was (paraphrasing) "Yeah, we know
> about that, but we haven't fixed it yet because it's hard."


Mark, a question of clarification:
When I looked at that exploit last week it seemed the server would have to 
be @included in any script in order to read it. The GM_setValue exploit also 
@includes its own demonstration page. I'm not trying to discount the 
severity here, only asking if my understanding of the nature is correct. 
Namely, must a script open itself to the server in the @include line for 
this exploit to be viable?

chris

I would now like to point out that every single piece of data stored
> locally with GM_setValue can be leaked to remote sites. Working
> exploit here: 
> http://diveintogreasemonkey.org/experiments/function-leak.html
> 
> I feel I've accumulated a fair amount of karma in this fledgling
> community, and I'm going to burn some of it now by suggesting that
> this is a BIG FUCKING DEAL and that I am TRULY SHOCKED that it is not
> being dealt with in GM 0.4.
> 
> --
> Cheers,
> -Mark
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mozdev.org/pipermail/greasemonkey/attachments/20050718/a08e5a3b/attachment.htm


More information about the Greasemonkey mailing list