Firefox And The Greasemonkey On Its Back

Good piece by ZDNET on a Firefox add-on that lets surfers tweak sites, but is it safe?

A new Firefox extension that lets people customize their experience of the sites they visit is stirring excitement among Web surfers and consternation among security experts.

The extension, dubbed Greasemonkey, lets people run what’s known as a “user script,” which alters a Web page as it’s downloaded.

That capability has gained the extension an avid following of Web surfers who want to customize the sites they visit, removing design glitches and stripping sites of ads. But the extension comes with substantial security risks, and could stir trouble among site owners who object to individual, custom redesigns of their pages.

Have to admit I haven’t looked at Greasemonkey, but it’s an interesting conundrum. Makes me wonder, too, about all the other extensions I’ve loaded into Firefox. It would be real easy, wouldn’t it, to put some sneaky stuff in there too? Why are we so afraid of any IE toolbar, or free browser add-on, but so happy to download extensions to Firefox from folk we don’t know, and who haven’t had to pass any tests?

23. March 2005 by jeremy
Categories: Security, Software, apps | 2 comments

Comments (2)

  1. Well:
    A) Firefox requires extension signing
    B) Scripts you run from greasemonkey will still need to request elevated privileges (although it *is* true they could do a lot just messing with the site – I certainly intend to review scripts before running them).
    C) Extensions like greasemonkey aren’t quite as worrying when they’ve been on mozdev a good while, and more than a few people have used them. I don’t know about you but I *don’t* install random unsigned extensions from some website without browsing through the code first. At a minimum the installer and if possible, the javascript.

  2. Exactly what tests has Microsoft or any of the toolbar makers passed
    that makes them better and/or safer than Joe Blow extension writer?

    Have you looked at the MSN/Yahoo/AIM/Acrobat toolbars by any chance?
    I wouldn’t allow any of them to be installed on your computer let
    alone on a machine I maintain. I can almost allow the Google
    Toolbar because it serves a valid function if you use IE (pop-up
    blocking/searches) but all of my users are required to use Firefox
    or Safari.

    – Brad