Greasemonkey’s Slippery Side

Just in case you haven’t seen it elsewhere, it’s being recommended that you uninstall Greasemonkey, a Firefox (and Opera) script tool, because of a serious flaw that leaves all your files vulnerable:

In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with “@include *” (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.

They’re working on it, but for now it’s better to be safe than sorry.
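
If you want to know which of your installed scripts run where, including those that fall back to the “@include *” default mentioned above, here is a small audit helper. It is an added example, not Greasemonkey's own code; the sample scripts are constructed, and it reads only @include lines, so it errs on the side of over-reporting scope.

```javascript
// Added example, not Greasemonkey's own code. Sample scripts are constructed.

// Pull @name and @include values out of the ==UserScript== metadata block.
function parseMetadata(source) {
  const meta = { name: null, include: [] };
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s*(.*?)\s*$/);
    if (!m) continue;
    if (m[1] === "name") meta.name = m[2];
    if (m[1] === "include" && m[2] !== "") meta.include.push(m[2]);
  }
  return meta;
}

// A script with no @include runs everywhere: the default is "*".
function effectiveIncludes(source) {
  const { include } = parseMetadata(source);
  return include.length > 0 ? include : ["*"];
}

// Convert an @include glob ("*" is the only wildcard) to an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Names of the scripts whose effective scope covers the given URL.
function scriptsRunningOn(url, sources) {
  return sources
    .filter((src) => effectiveIncludes(src).some((g) => globToRegExp(g).test(url)))
    .map((src) => parseMetadata(src).name || "(unnamed)");
}

// Constructed sample scripts.
const SCOPED = "// ==UserScript==\n// @name Scoped\n// @include http://example.com/*\n// ==/UserScript==\n";
const DEFAULTED = "// ==UserScript==\n// @name Defaulted\n// ==/UserScript==\n";
const EXPLICIT_ALL = "// ==UserScript==\n// @name Everywhere\n// @include *\n// ==/UserScript==\n";
const INSTALLED = [SCOPED, DEFAULTED, EXPLICIT_ALL];

console.log(scriptsRunningOn("http://unrelated.test/page", INSTALLED));
```

Any script this lists for a site you did not expect is one to disable or narrow with an explicit @include.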

Disclaimer

All opinions are my own, and not necessarily those of Thomson Reuters.
