Mark Pilgrim (18 July, 13:25:51 EDT):
Last week I showed that the complete text of every single one of your locally-installed user scripts could be leaked to remote sites (http://diveintogreasemonkey.org/experiments/script-leak.html), and the reaction from the GM developers was (paraphrasing) "Yeah, we know about that, but we haven't fixed it yet because it's hard."
I would now like to point out that every single piece of data stored locally with GM_setValue can be leaked to remote sites. Working exploit here: http://diveintogreasemonkey.org/experiments/function-leak.html
I feel I've accumulated a fair amount of karma in this fledgling community, and I'm going to burn some of it now by suggesting that this is a BIG ****ING DEAL and that I am TRULY SHOCKED that it is not being dealt with in GM 0.4.
Mark Pilgrim (18 July, 16:42:15 EDT):
This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer. http://diveintogreasemonkey.org/experiments/localfile-leak.html returns the contents of c:\boot.ini, which exists on most modern Windows systems.
But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)
In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.
Mark Pilgrim (18 July, 19:06:38 EDT):
Uninstall Greasemonkey altogether. At this point, I don't trust having it on my computer at all. I would think that whoever is in charge of addons.mozilla.org should immediately remove the Greasemonkey XPI and post a large warning in its place advising people to uninstall it.
Greaseblog today:
I'm working feverishly on a fix for this. But this will take several days. In the meantime, I strongly recommend that everyone either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely. Greasemonkey 0.3.5 is a "neutered" version of Greasemonkey, lacking any of the GM* APIs which make Greasemonkey scripts more powerful than regular HTML. This means that scripts which depend on GM* APIs will fail with Greasemonkey 0.3.5. I have heard no reports of this flaw being exploited, but now that it's public knowledge it isn't safe to continue using any version of Greasemonkey other than 0.3.5. Please either upgrade to 0.3.5 or disable Greasemonkey until I can get a fix finished.