[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Godmar Back godmar at gmail.com
Tue Jul 19 00:27:58 EDT 2005

On a related note, the fact that xmlhttprequest doesn't exclude local
file:// URL means that not only would placing this ability into a page
allow a malicious attacker to read local files, but it also allows the
GM script itself to read all local files.  This is still true for the
sandbox approach Aaron is currently investigating, if the sandbox
includes chrome-privileged access to xmlhttprequest.

How many people want to grant GM script writers access to their local
hard drive when they install a GM script?

My point is that scripts should be required to declare what privileges
they need, and this must be enforced - either using Mozilla's security
model or by implementing your own.

 - Godmar

On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
> On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
> > On 7/18/05, Godmar Back <godmar at gmail.com> wrote:
> > > Could a malicious web site serve JavaScript that would create
> > > connections to domains other than the domain from which it came if the
> > > user has a GM script that is triggered for all pages, since the
> > > GM_xmlhttprequest function object (or whatever it was called) will
> > > then exist in the environment of the page?
> >
> > Yes.  http://diveintogreasemonkey.org/experiments/xmlhttprequest-leak.html
> This particular exploit is much, much worse than I thought.
> GM_xmlhttpRequest can successfully "GET" any world-readable file on
> your local computer.
> http://diveintogreasemonkey.org/experiments/localfile-leak.html
> returns the contents of c:\boot.ini, which exists on most modern
> Windows systems.
> But wait, it gets worse.  An attacker doesn't even need to know the
> exact filename, since "GET"ting a URL like "file:///c:/" will return a
> parseable directory listing.  (And Mac users don't get to gloat
> either; you're just as vulnerable, starting with a different root
> URL.)
> In other words, running a Greasemonkey script on a site can expose the
> contents of every file on your local hard drive to that site.  Running
> a Greasemonkey script with "@include *" (which, BTW, is the default if
> no parameter is specified) can expose the contents of every file on
> your local hard drive to every site you visit.  And, because
> GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly
> send this information anywhere in the world.
> --
> Cheers,
> -Mark
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
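The enforcement Godmar argues for, shown as an added example that is not Greasemonkey's code and not code from anyone in this thread: a user script declares the hosts it needs in its metadata block, and the privileged request function is wrapped so that it refuses any URL outside that declaration and any non-network scheme, which closes the file:// hole regardless of which code ends up holding a reference to the function. The `@connect` directive name, the `parseDeclaredHosts`, `checkRequest` and `makeGuardedRequest` functions, the `transport` callback and the sample script are all assumptions made for this example; the page itself only mentions `@include`.

```javascript
// Added example (not Greasemonkey's own code): a privilege-checked wrapper
// around a cross-origin request primitive. Two rules are enforced:
//   1. only http: and https: URLs may be fetched (never file:// or others);
//   2. the target host must be declared by the script in its metadata block.
// The "@connect" directive and every function name below are assumptions
// for illustration, not part of the Greasemonkey API discussed on the page.

// Constructed sample user script with a declared-hosts section.
const SAMPLE_SCRIPT = `// ==UserScript==
// @name     Example script
// @include  http://example.org/*
// @connect  api.example.org
// @connect  *.example.net
// ==/UserScript==
`;

// Collect the hosts a script declares via "@connect" lines in its header.
function parseDeclaredHosts(scriptSource) {
  const hosts = new Set();
  const re = /^\/\/\s*@connect\s+(\S+)/gm;
  let m;
  while ((m = re.exec(scriptSource)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// "*.example.net" matches the base domain and any of its subdomains;
// any other pattern must match the hostname exactly.
function hostMatches(pattern, hostname) {
  if (pattern === hostname) return true;
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    return hostname === base || hostname.endsWith("." + base);
  }
  return false;
}

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Decide whether one URL may be fetched on behalf of a script with the given
// declaration. Returns a verdict object rather than throwing so that callers
// can log the reason.
function checkRequest(declaredHosts, url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme not allowed: " + parsed.protocol };
  }
  const host = parsed.hostname.toLowerCase();
  for (const pattern of declaredHosts) {
    if (hostMatches(pattern, host)) return { ok: true, reason: "declared host " + pattern };
  }
  return { ok: false, reason: "host not declared: " + host };
}

// Bind the privileged transport to one script's declaration. The returned
// function is the only thing handed to the script, and because the check
// runs inside it, even code that obtains a reference by accident cannot
// reach undeclared hosts or local files.
function makeGuardedRequest(scriptSource, transport) {
  const declared = parseDeclaredHosts(scriptSource);
  return function guardedRequest(details) {
    const verdict = checkRequest(declared, details.url);
    if (!verdict.ok) throw new Error("request blocked: " + verdict.reason);
    return transport(details);
  };
}

// Drive the wrapper with a recording transport instead of a real network
// call, and report which constructed URLs were sent and which were blocked.
function runDemo() {
  const sent = [];
  const request = makeGuardedRequest(SAMPLE_SCRIPT, (details) => {
    sent.push(details.url);
    return "sent";
  });
  const blocked = [];
  const attempts = [
    "https://api.example.org/feed",
    "http://static.example.net/app.js",
    "file:///c:/",
    "https://collector.example.com/upload",
  ];
  for (const url of attempts) {
    try {
      request({ method: "GET", url });
    } catch (e) {
      blocked.push(url);
    }
  }
  return { sent, blocked };
}
```

Calling `runDemo()` sends the two declared-host requests and blocks the file:// listing and the undeclared collector host. The wrapper does not by itself fix the leak Mark describes (the function object being visible to page code); it limits what any holder of the function can do, which is why the declaration has to be enforced inside the privileged side rather than trusted from the script.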
