Important Greasemonkey alert
Important alert for all Greasemonkey users:
Running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world."
Required actions: uninstall the Greasemonkey extension completely and wait for a patched version which will be due in several days, or update to Greasemonkey 0.3.5 immediately. This version has all functions relevant to the bug blocked.
Also, if you are playing with Joe Gregorio's encrypted data over insecure networks thingy, keep in mind of course to not put private keys in userscripts.
UPDATE: Simon Willison says the bug "illustrates a number of interesting concepts in both web application security and JavaScript", so he helps us Understanding the Greasemonkey vulnerability >
RELATED NEWS
Firefox 1.0.6 and Thunderbird 1.0.6 are out - download now.
IN THE ARCHIVES
2005-04-29 Improving and extending websites with Greasemonkey
2005-06-17 MT-Redland: An RDF Storage Backend for Movable Type
Entry first published 2009-05-18 01:00, last edited 2009-05-19 14:46
Share this entry via e-mail - on Twitter