Just in case you haven’t seen it elsewhere, it’s being recommended that you uninstall Greasemonkey, a Firefox (and Opera) script tool, because of a serious flaw that leaves all your files vulnerable:
In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with “@include *” (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.
They’re working on it, but for now it’s better to be safe than sorry.
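The exposure described above depends on where a script is allowed to run, which is declared in its metadata block. As an added example (not code from Greasemonkey or from the original post), the following parses that block and flags scripts that have no `@include` or a catch-all `@include` and that call GM_xmlhttpRequest; the function names and sample scripts are constructed for illustration.

```javascript
// Added example: audit where a Greasemonkey user script will run before installing it.
// Function names and the sample scripts below are constructed for illustration.

// Parse the "// ==UserScript==" ... "// ==/UserScript==" metadata block.
function parseMetadata(source) {
  const meta = { name: null, include: [], exclude: [] };
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (/^\/\/\s*==UserScript==$/.test(line)) { inBlock = true; continue; }
    if (/^\/\/\s*==\/UserScript==$/.test(line)) break;
    if (!inBlock) continue;
    const m = /^\/\/\s*@(\S+)\s+(.*)$/.exec(line);
    if (!m) continue;
    if (m[1] === "name") meta.name = m[2].trim();
    else if (m[1] === "include" || m[1] === "exclude") meta[m[1]].push(m[2].trim());
  }
  return meta;
}

// Patterns that match every site: "*", "http://*", "https://*/*", "*://*/*".
const MATCHES_EVERYTHING = /^(\*+|(\*|https?):\/\/\*(\/\*?)?)$/;

function auditScript(source) {
  const meta = parseMetadata(source);
  const findings = [];
  // With no @include the script runs everywhere (the default the post describes).
  if (meta.include.length === 0) findings.push("no @include: defaults to *");
  for (const p of meta.include) {
    if (MATCHES_EVERYTHING.test(p)) findings.push("wildcard @include: " + p);
  }
  if (/\bGM_xmlhttpRequest\b/.test(source)) findings.push("calls GM_xmlhttpRequest");
  const includes = meta.include.length ? meta.include : ["*"];
  return { name: meta.name, includes, findings };
}

// Constructed sample scripts.
const UNSCOPED = ["// ==UserScript==", "// @name  Sample A", "// ==/UserScript==",
  'GM_xmlhttpRequest({ method: "GET", url: "http://www.example.com/" });'].join("\n");
const SCOPED = ["// ==UserScript==", "// @name Sample B",
  "// @include http://www.example.com/*", "// ==/UserScript==",
  'document.title = "tidied";'].join("\n");

for (const src of [UNSCOPED, SCOPED]) console.log(auditScript(src));
```

A script that reports both "no @include" (or a wildcard) and a GM_xmlhttpRequest call is the combination the quoted warning is about; a script limited to one site with no findings is the narrower case.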
A new Firefox extension that lets people customize their experience of the sites they visit is stirring excitement among Web surfers and consternation among security experts.
The extension, dubbed Greasemonkey, lets people run what’s known as a “user script,” which alters a Web page as it’s downloaded.
That capability has gained the extension an avid following of Web surfers who want to customize the sites they visit, removing design glitches and stripping sites of ads. But the extension comes with substantial security risks, and could stir trouble among site owners who object to individual, custom redesigns of their pages.
Have to admit I haven’t looked at Greasemonkey, but it’s an interesting conundrum. Makes me wonder, too, about all the other extensions I’ve loaded into Firefox. It would be real easy, wouldn’t it, to put some sneaky stuff in there too? Why are we so afraid of any IE toolbar, or free browser add-on, but so happy to download extensions to Firefox from folk we don’t know, and who haven’t had to pass any tests?