[Greasemonkey] greasemonkey for secure data over insecure networks / sites
pilgrim at gmail.com
Mon Jul 18 16:42:15 EDT 2005
On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
> On 7/18/05, Godmar Back <godmar at gmail.com> wrote:
> > connections to domains other than the domain from which it came if the
> > user has a GM script that is triggered for all pages, since the
> > GM_xmlhttprequest function object (or whatever it was called) will
> > then exist in the environment of the page?
> Yes. http://diveintogreasemonkey.org/experiments/xmlhttprequest-leak.html

This particular exploit is much, much worse than I thought.
GM_xmlhttpRequest can successfully "GET" any world-readable file on
your local computer.

returns the contents of c:\boot.ini, which exists on most modern

But wait, it gets worse. An attacker doesn't even need to know the
exact filename, since "GET"ting a URL like "file:///c:/" will return a
parseable directory listing. (And Mac users don't get to gloat
either; you're just as vulnerable, starting with a different root

In other words, running a Greasemonkey script on a site can expose the
contents of every file on your local hard drive to that site. Running
a Greasemonkey script with "@include *" (which, BTW, is the default if
no parameter is specified) can expose the contents of every file on
your local hard drive to every site you visit. And, because
GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly
send this information anywhere in the world.
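
An audit sketch for the exposure described in the message above, added here as an example and not part of the original post or of Greasemonkey's own code: it reads a user script's metadata block and reports whether the script runs on every site (a catch-all @include, or no @include at all) and whether it calls GM_xmlhttpRequest. The function names, probe URLs and sample scripts are assumptions constructed for illustration.

```javascript
// Added example: flag user scripts whose metadata lets them run on every site.
const PROBES = [ // constructed URLs on unrelated hosts
  "http://a.example/", "http://b.invalid/x", "https://c.test/", "https://d.localhost/y",
];

// Translate an @include glob ("*" is the only wildcard) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// A pattern is treated as catch-all if it matches two or more unrelated probe hosts.
function isCatchAll(glob) {
  const re = globToRegExp(glob);
  return PROBES.filter((url) => re.test(url)).length >= 2;
}

// Collect @include values from the // ==UserScript== metadata block.
function parseIncludes(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const includes = [];
  for (const line of (block ? block[1] : "").split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@include\s+(\S+)\s*$/.exec(line);
    if (m) includes.push(m[1]);
  }
  return includes;
}

// Report the script's effective scope and whether it calls GM_xmlhttpRequest.
function auditUserScript(source) {
  const includes = parseIncludes(source);
  // Per the post, a script with no @include behaves as if it had "@include *".
  const broad = includes.length === 0 ? ["* (default)"] : includes.filter(isCatchAll);
  return {
    allSites: broad.length > 0,
    broadPatterns: broad,
    usesGMXhr: /\bGM_xmlhttpRequest\b/.test(source),
  };
}

// Constructed sample scripts (not real user scripts).
const samples = {
  implicit: ["// ==UserScript==", "// @name Demo A", "// ==/UserScript==",
    "GM_xmlhttpRequest({method: 'GET', url: 'http://api.example/'});"].join("\n"),
  scoped: ["// ==UserScript==", "// @name Demo B",
    "// @include http://www.example.com/*", "// ==/UserScript==", "document.title = 'x';"].join("\n"),
};
for (const [name, src] of Object.entries(samples)) console.log(name, auditUserScript(src));
```

Scripts reported with both `allSites` and `usesGMXhr` set are the ones to review first, since they combine the widest scope with the privileged request function.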