Greasemonkey’s Slippery Side

By | July 20, 2005

Just in case you haven’t seen it elsewhere, the current recommendation is to uninstall Greasemonkey, a Firefox (and Opera) script tool, because of a serious flaw that leaves all your files vulnerable:

In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with “@include *” (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.

They’re working on it, but for now it’s better to be safe than sorry.
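To see what the quoted warning means for a particular set of installed scripts, the added example below (not from the original post or from the Greasemonkey project) reads each script's metadata block and reports which scripts would run on a given URL, treating a missing @include as `*` as the quote states. The script sources and URLs are constructed, and the `*` wildcard matching is a simplified model of @include/@exclude handling.

```javascript
// Added example; the sample user scripts below are constructed for illustration.
const SAMPLES = {
  'linkify.user.js': '// ==UserScript==\n// @name Linkify\n// ==/UserScript==\nvoid 0;',
  'mail-tweak.user.js': '// ==UserScript==\n// @name Mail Tweak\n' +
    '// @include http://mail.example.com/*\n// ==/UserScript==\nvoid 0;',
  'everywhere.user.js': '// ==UserScript==\n// @name Everywhere\n// @include *\n' +
    '// @exclude http://intranet.example/*\n// ==/UserScript==\nvoid 0;',
};

// Read @name/@include/@exclude from the "// ==UserScript==" metadata block.
function parseMetadata(source) {
  const meta = { name: '(unnamed)', include: [], exclude: [] };
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '// ==UserScript==') { inBlock = true; continue; }
    if (line === '// ==/UserScript==') break;
    const m = inBlock && /^\/\/\s*@(\w+)\s+(\S.*)$/.exec(line);
    if (!m) continue;
    if (m[1] === 'name') meta.name = m[2].trim();
    else if (m[1] === 'include' || m[1] === 'exclude') meta[m[1]].push(m[2].trim());
  }
  // Per the quoted warning, no @include at all behaves like "@include *".
  if (meta.include.length === 0) meta.include.push('*');
  return meta;
}

// Turn a pattern with "*" wildcards into an anchored regular expression.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// A script runs on a URL when some @include matches and no @exclude does.
function runsOn(meta, url) {
  const hit = (globs) => globs.some((g) => globToRegExp(g).test(url));
  return hit(meta.include) && !hit(meta.exclude);
}
// Names of the scripts that would run on the given URL.
function scriptsExposedTo(url, sources = SAMPLES) {
  return Object.values(sources).map(parseMetadata)
    .filter((meta) => runsOn(meta, url)).map((meta) => meta.name);
}
// Names of the scripts whose effective scope is every site visited.
function runEverywhere(sources = SAMPLES) {
  return Object.values(sources).map(parseMetadata)
    .filter((meta) => meta.include.includes('*')).map((meta) => meta.name);
}
```

Scripts returned by `runEverywhere` are the ones to disable first if the extension is kept installed; `scriptsExposedTo` answers the same question for a single site.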