[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Mark Pilgrim pilgrim at gmail.com
Mon Jul 18 14:59:40 EDT 2005


On 7/18/05, John <gm at plsek.id.au> wrote:
> Does this "exploit" rely on the knowledge of the existence of
> "window.GM_apis"?
> 
> coz, your exploits don't work on my version of greasemonkey ... I
> replaced "GM_apis" with a random string (newly generated for every
> inject) ... or is there a way around that?

This exploit affects Greasemonkey.  You are not running Greasemonkey;
you are running a fork of Greasemonkey.  Your fork is immune to this
particular exploit, but theoretically still vulnerable, since the page
can enumerate the properties of the window object[1] before GM runs,
then trap the DOMNodeInserted event and enumerate the properties of
the window object again, and figure out the name of your
randomly-renamed GM_apis property.

[1] http://www.joegrossberg.com/archives/000646.html

-- 
Cheers,
-Mark


More information about the Greasemonkey mailing list