[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Mark Pilgrim pilgrim at gmail.com
Mon Jul 18 16:42:15 EDT 2005


On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
> On 7/18/05, Godmar Back <godmar at gmail.com> wrote:
> > Could a malicious web site serve JavaScript that would create
> > connections to domains other than the domain from which it came if the
> > user has a GM script that is triggered for all pages, since the
> > GM_xmlhttprequest function object (or whatever it was called) will
> > then exist in the environment of the page?
> 
> Yes.  http://diveintogreasemonkey.org/experiments/xmlhttprequest-leak.html

This particular exploit is much, much worse than I thought. 
GM_xmlhttpRequest can successfully "GET" any world-readable file on
your local computer.

http://diveintogreasemonkey.org/experiments/localfile-leak.html
returns the contents of c:\boot.ini, which exists on most modern
Windows systems.

But wait, it gets worse.  An attacker doesn't even need to know the
exact filename, since "GET"ting a URL like "file:///c:/" will return a
parseable directory listing.  (And Mac users don't get to gloat
either; you're just as vulnerable, starting with a different root
URL.)

In other words, running a Greasemonkey script on a site can expose the
contents of every file on your local hard drive to that site.  Running
a Greasemonkey script with "@include *" (which, BTW, is the default if
no parameter is specified) can expose the contents of every file on
your local hard drive to every site you visit.  And, because
GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly
send this information anywhere in the world.

-- 
Cheers,
-Mark
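One way to check installed user scripts for the combination Mark describes (a script that calls GM_xmlhttpRequest and runs on every page because of "@include *" or a missing @include), written here as an added example that is not part of this thread or of Greasemonkey itself; the metadata-block parser and the sample scripts are constructed for the example:

```javascript
// Added example (not from the thread): audit Greasemonkey user-script headers.
// A script that calls GM_xmlhttpRequest and runs on every page exposes that
// privileged function on every site the user visits.

// Parse "// ==UserScript== ... // ==/UserScript==" into key -> [values].
function parseUserScriptHeader(source) {
  const meta = {};
  let inHeader = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '// ==UserScript==') { inHeader = true; continue; }
    if (line === '// ==/UserScript==') break;
    if (!inHeader) continue;
    const m = /^\/\/\s*@(\S+)\s*(.*)$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2].trim());
  }
  return meta;
}

// Return findings for one script; an empty array means nothing was flagged.
function auditUserScript(source) {
  const includes = parseUserScriptHeader(source).include || [];
  const findings = [];
  // No @include at all defaults to "*", i.e. the script runs on every page.
  const runsEverywhere = includes.length === 0 || includes.includes('*');
  const usesGMXhr = /\bGM_xmlhttpRequest\s*\(/.test(source);
  if (runsEverywhere) findings.push(includes.length === 0
    ? 'no @include: defaults to every page' : '@include *: runs on every page');
  if (usesGMXhr) findings.push('calls GM_xmlhttpRequest: privileged request API');
  if (runsEverywhere && usesGMXhr) findings.push('HIGH: privileged API reachable from every site');
  return findings;
}

// Constructed sample scripts for demonstration.
const SAMPLE_RISKY = `// ==UserScript==
// @name      Constructed risky script
// ==/UserScript==
GM_xmlhttpRequest({method: 'GET', url: 'http://example.invalid/'});`;
const SAMPLE_SCOPED = `// ==UserScript==
// @name      Constructed scoped script
// @include   http://example.com/*
// ==/UserScript==
GM_xmlhttpRequest({method: 'GET', url: 'http://example.com/data'});`;
const SAMPLE_STAR = `// ==UserScript==
// @include   *
// ==/UserScript==
document.title = 'hello';`;
```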
