Insecure Monkeys are Bad

Allegedly, the most excellent Greasemonkey extension is insecure, allowing folks to read files from your local hard drive. I tried Mark’s leakage demo, only to find, well, nothing. I didn’t get diddly. This may mean that it only works with particular versions (I’m using 0.3.3), it may mean that the code is no longer “active”, so that it doesn’t work, or it might mean that in some cases it’s not actually a problem. I don’t know the answer – but you should be aware, nonetheless.

After thinking about this momentarily, I came to the realization of why it wasn't happening for me. I have only two scripts installed at this point – Gmap Extras and UPS Track. Both of these scripts are set to work for only particular sites. Because of this, when I try Mark's page, Greasemonkey doesn't run – it doesn't think it needs to, since that's not one of the sites listed in the configuration. Adding Mark's page to that list, or worse, adding "*", allows the demo to work just fine.
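To make the "only on the listed sites" behaviour concrete, here is an added example, not code from this post or from Greasemonkey itself, that re-implements the @include/@exclude decision a Greasemonkey-era script manager makes before injecting a user script (and the GM_* helpers it brings along) into a page. It assumes the simple glob semantics of the time, where "*" matches anything and everything else is literal; the two @include patterns standing in for the Gmap Extras and UPS Track scripts, and the demo page URL, are constructed for illustration and are not taken from the real scripts.

```javascript
// Added example: Greasemonkey-style @include / @exclude matching.
// Not Greasemonkey's own code; glob semantics ("*" only) are an assumption,
// and all script text and URLs below are constructed for illustration.

// Pull @include / @exclude lines out of a user script's metadata block.
function parseMetadata(scriptText) {
  const meta = { include: [], exclude: [] };
  const block = scriptText.match(
    /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/
  );
  if (!block) return meta; // no metadata block: script matches nothing
  for (const line of block[1].split("\n")) {
    const m = line.match(/^\/\/\s*@(include|exclude)\s+(\S+)/);
    if (m) meta[m[1]].push(m[2]);
  }
  return meta;
}

// Turn a glob such as "http://www.ups.com/*" into an anchored RegExp:
// escape every regex metacharacter, then let "*" match any run of characters.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// A script runs on a URL when some @include matches and no @exclude does.
function shouldRun(meta, url) {
  const included = meta.include.some((p) => globToRegExp(p).test(url));
  const excluded = meta.exclude.some((p) => globToRegExp(p).test(url));
  return included && !excluded;
}

function runsOn(scriptText, url) {
  return shouldRun(parseMetadata(scriptText), url);
}

// Constructed stand-ins: one script pinned to two sites (the situation in the
// post), one using the default "*" that Greasemonkey offers on install.
const RESTRICTED_SCRIPT = [
  "// ==UserScript==",
  "// @name       Two-site script (hypothetical)",
  "// @include    http://maps.google.com/*",
  "// @include    http://www.ups.com/*",
  "// ==/UserScript==",
  "",
].join("\n");

const WILDCARD_SCRIPT = [
  "// ==UserScript==",
  "// @name       Everywhere script (hypothetical)",
  "// @include    *",
  "// ==/UserScript==",
  "",
].join("\n");

// Hypothetical URL for the leakage demo page; not the real one.
const DEMO_URL = "http://example.com/greasemonkey-demo.html";

// Given several installed scripts, report which ones a page would receive.
function scriptsInjectedOn(scripts, url) {
  return Object.keys(scripts).filter((name) => runsOn(scripts[name], url));
}

const installed = { restricted: RESTRICTED_SCRIPT, wildcard: WILDCARD_SCRIPT };
console.log("demo page gets:", scriptsInjectedOn(installed, DEMO_URL));
console.log(
  "maps page gets:",
  scriptsInjectedOn(installed, "http://maps.google.com/maps?q=somewhere")
);
```

With only the restricted script installed, `scriptsInjectedOn` returns an empty list for the demo URL, so nothing of Greasemonkey's is exposed to that page; install one script with `@include *` and every page you visit, the demo included, gets it.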

While I can't say that this makes Greasemonkey secure, it does make me feel a bit better. Of course, while the sites that are listed may not be malicious now, they could become so under their current owners, or they could be taken over by someone who is. Still, it makes me feel a bit better that I'm open only to two sites – not to every site on the planet. And some of the more useful scripts, I'm sure, are open to every site you visit. It would appear that those are indeed dangerous.

Finally, it may be that I am vulnerable and it is simply that this site doesn't exploit that sort of vulnerability. So if you're concerned about such vulnerabilities, you may indeed want to make the monkey frown, or perhaps banish him altogether. But it would appear that being completely vulnerable to every site in the world could be a bit of an exaggeration.


2 responses to “Insecure Monkeys are Bad”

  1. Chad Everett

    Afraid not – my system is XP. 🙂

    It was, as mentioned, because I didn’t have the default “all sites” value (*) in the scripts – only two particular pages were listed, and neither were trying to run the demo.

  2. nandhp

    That demo only works on Windows NT/2000/XP, would that explain it? (My system doesn't have a c: drive, much less c:\boot.ini).