Important alert for all Greasemonkey users:
"Running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world."
Required actions: uninstall the Greasemonkey extension completely and wait for a patched version which will be due in several days, or update to Greasemonkey 0.3.5 immediately. This version has all functions relevant to the bug blocked.
Also, if you are playing with Joe Gregorio's encrypted data over insecure networks thingy, keep in mind, of course, not to put private keys in userscripts.
UPDATE: Simon Willison says the bug "illustrates a number of interesting concepts in both web application security and JavaScript", so he helps us: Understanding the Greasemonkey vulnerability.
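As an added example (not code from the original post or from the Greasemonkey project), two defensive checks that follow from the alert above: auditing a userscript's metadata for a missing or explicit `@include *`, and allow-listing the URL scheme before a privileged request is forwarded. The `privilegedXhr` callback standing in for the real request function and the sample script are assumptions.

```javascript
// Added example, not code from the original post or from the Greasemonkey project.
// Two defensive checks against the two issues the alert names: an over-broad
// (or absent, hence default "*") @include rule, and a privileged request
// aimed at a non-web URL scheme such as file://.

// Parse the ==UserScript== metadata block and report over-broad include rules.
function auditIncludes(scriptSource) {
  const block = scriptSource.match(
    /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return { includes: [], findings: ['no metadata block'] };
  const includes = [];
  for (const line of block[1].split('\n')) {
    const m = line.match(/^\/\/\s*@include\s+(\S+)/);
    if (m) includes.push(m[1]);
  }
  const findings = [];
  if (includes.length === 0) {
    findings.push('no @include: defaults to *, so the script runs on every site');
  }
  for (const inc of includes) {
    if (inc === '*') findings.push('over-broad @include *');
  }
  return { includes, findings };
}

// Only http(s) URLs may reach the privileged request function.
function isAllowedRequestUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Wrapper a hardened userscript API could place in front of the real
// GM_xmlhttpRequest (passed in here as privilegedXhr, an assumption).
function guardedRequest(details, privilegedXhr) {
  if (!isAllowedRequestUrl(details.url)) {
    return { sent: false, reason: 'blocked: only http/https allowed' };
  }
  privilegedXhr(details);
  return { sent: true };
}

// Constructed sample: a userscript header with no @include line at all.
const SAMPLE_SCRIPT = `// ==UserScript==
// @name  Example
// ==/UserScript==
GM_xmlhttpRequest({ method: 'GET', url: 'http://example.com/' });`;
```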
RELATED NEWS
Firefox 1.0.6 and Thunderbird 1.0.6 are out - download now.