
Firefox Greasemonkey Extension Security Problem

CmdrTaco posted more than 9 years ago | from the uninstall-it-now-man dept.

Mozilla 443

Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"


First Fucked up Post, Fuckers!! (1, Informative)

The_Fire_Horse (552422) | more than 9 years ago | (#13103341)

OMFG - I cannot believe that you are such a TOTAL FUCKING LOSER.

Yes, I am talking to you - the 'moderator' with the small penis and no clue - you know who you are - you are the only STUPID IDIOT reading this post, and ... look ... here he goes.... YES - this DUMB FUCKFACE has just wasted one of his precious mod points on modding down the first post.

Wow - what a DICKHEAD you are. Gee, I bet your mums proud though, isnt she? What? she thinks you are a total fuckhead as well? - well what do you know!

Re:First Fucked up Post, Fuckers!! (0, Troll)

The Cornishman (592143) | more than 9 years ago | (#13103522)

Precious mod points? Make sensible contributions, and you'll get more mod points, though what someone with no clue what to do with an apostrophe will do with mod points I do not know. Troll. And no, today I have no mod points. Goodbye.

ror (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13103592)

what a pissy fristy pisty.

It's about time (5, Funny)

rockytriton (896444) | more than 9 years ago | (#13103344)

It's about time people start writing some exploits for firefox!

http://www.dreamsyssoft.com [dreamsyssoft.com]

wtf (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13103347)

Nothing for you to see here. Please move along.

gauntlet (4, Funny)

Anonymous Coward | more than 9 years ago | (#13103352)

Rogue pages???

Quick, let's band together with a magician and a warrior and stomp those bow&arrow shootin mofos before they take over the internet!

Re:gauntlet (4, Funny)

adrianbaugh (696007) | more than 9 years ago | (#13103466)

You have been killed by a Firefox on Level 8 with 5439 Gold. RIP.

Re:gauntlet (0)

Anonymous Coward | more than 9 years ago | (#13103562)

Do you want your possessions identified? [y/N]

Re:gauntlet (5, Funny)

wuie (884711) | more than 9 years ago | (#13103497)

Yellow wizard needs patch badly.

Re:gauntlet (5, Funny)

TheScottishGuy (701141) | more than 9 years ago | (#13103508)

Blue browser is about to die.

Re:gauntlet (1)

ShyGuy91284 (701108) | more than 9 years ago | (#13103518)

LFG..... Lvl 23 Wizard. Primary weapon is Magic Missile. Wait, wrong window.....

Re:gauntlet (0)

Anonymous Coward | more than 9 years ago | (#13103580)

Maybe we can distract these Rogue pages with Gambit pages?

GreaseMonkey Problem (2, Funny)

RagingChipmunk (646664) | more than 9 years ago | (#13103356)

Damn Microsoft! No doubt this can be traced to a Bill Gates directed conspiracy against rebel browsers.

Let's Throw MUD! (2, Insightful)

GuitarNeophyte (636993) | more than 9 years ago | (#13103457)

Although the "average user" won't be using the various plugins, Microsoft will still point to this as one more reason to say that FireFox isn't secure. Sure, FireFox has its bugs. We need to get fixing them.

I'm not saying that FireFox is perfect. Obviously, it's not, and this article is a case in point. It's still the browser I use. For me, this is a warning to fix things or wait for them to stable up (oh yeah -- that mindset shown, I am a Debian user). But just like we use any little IE thing to say "See, IE is junk," this'll get used too.

*sigh* The joys of conflict.

Luke
----
Smarten up your stupider-than-you coworkers, send them to ChristianNerds.com [christiannerds.com]

Re:Let's Throw MUD! (1)

BaudKarma (868193) | more than 9 years ago | (#13103595)

Since this is GreaseMONKEY, wouldn't throwing poo be more appropriate?

Yeah, a security hole that lets a hacker read any file on your HD seems pretty serious. OTOH, it's a problem in an extension, not with Firefox itself, so I don't know how much blame should be directed to the 'fox team.

All I know is that since I don't use Greasemonkey, this doesn't affect me. Unlike most IE or Windows bugs, which seem to affect pretty much everyone.

Re:GreaseMonkey Problem (1)

bodester17 (892112) | more than 9 years ago | (#13103529)

As Firefox's popularity grows, its security problems will grow too. Once IE is de-throned, and firefox takes its place as the number one browser, hackers will turn all their attention to firefox because they want to affect as many users as possible.

Re:GreaseMonkey Problem (4, Funny)

wheany (460585) | more than 9 years ago | (#13103540)

Okay, how's this: Since Microsoft Internet Explorer has a dominant market share, people make pages that work on IE. Some of the pages do not work on Firefox since they use some functionality found only in IE. Greasemonkey can be used to alter some of those pages so that they work on Firefox again.

It's Microsoft's fault that people have to install insecure extensions to make web work like it should have worked in the first place.

Re:GreaseMonkey Problem (1)

James_Aguilar (890772) | more than 9 years ago | (#13103607)

I hope you're not serious.

1000 greasemonkies on a thousand keyboards... (2, Funny)

ScentCone (795499) | more than 9 years ago | (#13103357)

are going to produce some vulnerabilities along with the gee-whiz plugins of the moment. That's pretty spectacular, though.

More Ammo (5, Insightful)

GuitarNeophyte (636993) | more than 9 years ago | (#13103365)

Just more ammo for the mega-powers to say, "See, when it becomes mainstream, it becomes more insecure. Come back to windows."

Marvelous.

Luke
----
Be smart. Teach others. ChristianNerds.com [christiannerds.com]

Re:More Ammo (1)

schon (31600) | more than 9 years ago | (#13103379)

I'd hardly call Greasemonkey "mainstream" :o)

Re:More Ammo (4, Insightful)

ssj_195 (827847) | more than 9 years ago | (#13103412)

If they do (as they doubtless will), you can simply say that this is an optional extension used by a minority of Firefox users (and since not even Firefox is fully "mainstream", this puts it about as far from the mainstream as you can get :P), and there are currently no exploits in the wild. You can also add that it was found by a white-hat, and so is a validation of the "many-eyes" theory, if you want. Spin works both ways ;)

Re:More Ammo (4, Insightful)

arrow (9545) | more than 9 years ago | (#13103559)

The difference is your spin will never be heard by the media.

Re:More Ammo (5, Funny)

FidelCatsro (861135) | more than 9 years ago | (#13103425)

They can say "Come back to windows, no need for third party extensions for these types of flaws. They are built into MSIE/windows. It just works"

Re:More Ammo (1)

Nytewynd (829901) | more than 9 years ago | (#13103446)

"See, when it becomes mainstream, it becomes more insecure. Come back to windows."

First, Firefox isn't mainstream, let alone GreaseMonkey.

Second, I am already on windows.

Re:More Ammo (0)

Anonymous Coward | more than 9 years ago | (#13103597)

Opera besides having its own User Javascript feature can also run [opera.com] GreaseMonkey scripts.

Does it mean Opera can also be affected?

Why Uninstall? (5, Informative)

SenFo (761716) | more than 9 years ago | (#13103375)

"Time to uninstall GM?"

Why not just do what the article says and "Install Greasemonkey 0.3.5 [atrus.org] "

Re:Why Uninstall? (4, Insightful)

DrEldarion (114072) | more than 9 years ago | (#13103420)

See, you're making the (frequently-made) mistake of assuming that people actually read anything but the headline of the articles they're referencing.

Re:Why Uninstall? (4, Informative)

phasm42 (588479) | more than 9 years ago | (#13103427)

Because:
Greasemonkey 0.3.5 is a "neutered" version of Greasemonkey, lacking any of the GM* APIs which make Greasemonkey scripts more powerful than regular HTML. This means that scripts which depend on GM* APIs will fail with Greasemonkey 0.3.5.

Re:Why Uninstall? (2, Insightful)

tgd (2822) | more than 9 years ago | (#13103511)

I bet you a dollar those scripts won't work if you uninstall GreaseMonkey, too.

Re:Why Uninstall? (0)

Anonymous Coward | more than 9 years ago | (#13103560)

And those same scripts that rely on the GM API still work if you uninstall GM?

Re:Why Uninstall? (1)

suitepotato (863945) | more than 9 years ago | (#13103599)

You may not like it, but if you think about the facts of the modern world, neutered greasemonkeys will cut down on overpopulation and homeless and unwanted greasemonkeys. By spaying and neutering greasemonkeys, we're helping to humanely control the population.

What? ... Oh. Nevermind...

Re:Why Uninstall? (0)

Anonymous Coward | more than 9 years ago | (#13103438)

0.3.5 just disables a lot of stuff--it's not a fix.

Re:Why Uninstall? (1, Informative)

Anonymous Coward | more than 9 years ago | (#13103451)

Advice [mozdev.org] from the person who discovered the bug:
Uninstall Greasemonkey altogether. At this point, I don't trust having it on my computer at all. I would think that whoever is in charge of addons.mozilla.org should immediately remove the Greasemonkey XPI and post a large warning in its place advising people to uninstall it.
The original message where he found and wrote about the bug is here [mozdev.org] .

Re:Why Uninstall? (2, Informative)

psycho_tinman (313601) | more than 9 years ago | (#13103452)

Well, this is the recommended course of action. However, Greasemonkey 0.3.5 is crippled. It does not contain the special GM_ functions so the majority of scripts will break.

Anything that uses GM_XMLHttpRequest, GM_setValue or GM_getValue or GM_Log will not function. It was the developers' attempt to make sure that no remote exploits popped up while they were working on the best possible fix.

So, no. Don't install the update and expect things to function normally, they will not.

Re:Why Uninstall? (3, Interesting)

CdBee (742846) | more than 9 years ago | (#13103525)

Just install NoScript and you're sorted. It will stop any script - Greasemonkey or otherwise - running on any site except those you whitelist. I'm sure most of us only use scripts on sites we trust anyway

Re:Why Uninstall? (2, Informative)

Col. Bloodnok (825749) | more than 9 years ago | (#13103577)

Well, 'Slashdot Recolor' and 'Butler' work fine under 0.3.5.

That's all I need.

Re:Why Uninstall? (1)

BabyDave (575083) | more than 9 years ago | (#13103463)

Yes, if there's one thing you should do after an extension is found to be insecure, it's install "the updated version" from some random guy's website. What you should really do is e-mail it to people, like Microsoft do with all their important security patches.

Re:Why Uninstall? (1)

harvardian (140312) | more than 9 years ago | (#13103586)

As far as any normal user is concerned, there is no GM update, since going to the Extensions manager and clicking update for GM yields "Firefox was not able to find any available updates" (this is the case for me at least).

In fact, as far as anybody should be concerned there is no installable update. I'm not about to install some random-ass XPI just because it claims to be a GM "fix".

As much as I like using it, I'm uninstalling. And this gives me the willies about all those semi-random but cool extensions that have made the Firefox experience so great for me. This is very bad.

What should be done. (4, Insightful)

sykjoke (899173) | more than 9 years ago | (#13103376)

The firefox guys should have realized that extensions are a HUGE security threat, possibly even worse than anything that's come out of IE. What they should have done is set up some permissions in the first place, so that you can allow or prevent extensions from performing sensitive operations. Something similar to the Java security model would have been good enough.

Re:What should be done. (3, Insightful)

cybersaga (451046) | more than 9 years ago | (#13103440)

This is why Firefox makes you whitelist a site before downloading an extension.

Forcing you to intentionally accept extensions is not a big security threat at all.

This is just a bug. Bugs happen. It's been fixed already.

Re:What should be done. (1)

strider44 (650833) | more than 9 years ago | (#13103509)

Though the whitelist brings in its own problems when you want to install from a site that's not in the whitelist. Is there any way of doing a one-off installation from a site not in the whitelist? There are quite a few pages where I'd like to install a single extension but not allow the page to install whatever it likes on my computer!

Re:What should be done. (1)

idonthack (883680) | more than 9 years ago | (#13103547)

Open up the options/preferences menu. Windows, I think it's Tools - Options, for Linux, I think it's Edit - Preferences. Click on the "Web Features" icon on the left. There'll be a line that says "Allow sites to install software" or something similar. Click the "Allowed Sites" button on the right to access the whitelist. You can add/remove sites from there.
---
I started with nothing and I still have most of it left.
Generated by SlashdotRndSig [snop.com] via GreaseMonkey [mozdev.org]

Re:What should be done. (1)

strider44 (650833) | more than 9 years ago | (#13103587)

But that gives permanent enabling of the site to install whatever they want on my computer. I'd like it just to install once...

The best solution in my opinion is to have the same context menu as blocked popups. "Install this software" when you click on the banner up the top that says it has stopped the page trying to install an extension on your computer.

Re:What should be done. (1)

idonthack (883680) | more than 9 years ago | (#13103628)

The point of my instructions was so that right after you allow that site (I assumed you did it by clicking the button on the little bar that pops up) you could go and disable it.

You're right, it would be infinitely better if we could do a one-time allow, but that functionality isn't currently there. There might be an extension, though :)
---
I'm not a very effective viral sig. Please help me spread.
Generated by SlashdotRndSig [snop.com] via GreaseMonkey [mozdev.org]

Re:What should be done. (1)

slashdotnickname (882178) | more than 9 years ago | (#13103551)

One only has to look at how much functionality was stripped off the latest GM to realize there was no solid security mechanism in place.

It's not "just a bug" but a major design flaw.

Re:What should be done. (1)

Moo Moo Cow of Death (778623) | more than 9 years ago | (#13103470)

Extensions aren't the security threat, users who download everything they see without minimal research pose security threats :P

Re:What should be done. (1)

sykjoke (899173) | more than 9 years ago | (#13103581)

Well, if Firefox came OOTB with reasonable restrictions on what extensions can do, users could still download anything, and be warned when that anything tries to do something it shouldn't be doing. When was the last time a Java applet posed a security risk or required you to change your security settings?

Re:What should be done. (3, Insightful)

Buzz_Litebeer (539463) | more than 9 years ago | (#13103536)

That is incredibly uninformed. IE can run Browser Helper Objects, and they can (many times) be installed completely silently. A cleverly written BHO can steal all information you are entering into your computer, even if it is unrelated to actual browsing, depending how clever the person is in writing it. They are a pain to uninstall as well. Extensions for firefox are uninstallable from a menu, and they are whitelisted before they ever get to you, so that you can avoid some of the fly by installs that BHOs enjoy.

Re:What should be done. (2, Interesting)

Anonymous Coward | more than 9 years ago | (#13103544)

I agree completely!

I have stated it here before:

Just like ActiveX controls proved a hole in IE, FireFox's extensions would eventually prove a hole in the XUL based 3rd party FireFox extensions arena now & this browser itself, & thus, your OS etc. as well via this gateway.

This is/was 1 thing FireFox imo, had on Opera (my 'browsing weapon-of-choice' online because it wins the speed test comparisons between them all in the most areas typically, but also because it is the LEAST attacked browser as well that shows the fewest holes per year & is by default, just as feature-laden as IE or FireFox (in their defaults), perhaps even moreso in the latest 8.02)...

BUT, now, that 3rd party development is starting to show some faults in it, like this one. Maybe, just maybe, history was the example in IE... of things NOT to do in browsers.

BUT, on the other hand? ActiveX controls extensions of IE, &/or FireFox?? Give it a LOT more power/ability too!

(Double-edged sword this topic, imo!)

Sure, the 3rd party folks EVENTUALLY patch for it, but this is only 1 that's been discovered... how many others are there potentially?

(Perhaps the Mozilla folks have to set up some kind of "Quality Assurance" test prior to users submitting their stuff to their pages for extensions to firefox if they don't have one already of some kind? Would this even help?? Who knows!)

There are, after all, many hundreds of these things (firefox extensions, when I rarely use FireFox, it is loaded with 30 of them that I found useful/excellent, but some ARE slow to load & tend to slowdown FireFox unfortunately)

Yes again: They DO tend to make FireFox a lot more powerful than by default (but, load TOO many or the slower ones? You LAG, & bad @ startup)...

This posting however, just again evidences what I personally thought would eventually show holes/vulnerabilities in FireFox...

Just as ActiveX did for IE.

APK

P.S.=> Is this a "big deal"? Yes, & No... if the makers of it patched for it quickly?? Then not. If there was a large "Window of Opportunity for exploiting it" (relative term time-wise), then yes it was... depends on your viewpoint, & if in fact, you used this FireFox extension, right? apk

Re:What should be done. (0, Offtopic)

interiot (50685) | more than 9 years ago | (#13103631)

Please post as a logged-in person, so I can see if you always talk like that. And if you really do always talk like that, log in so I can put you in my "Foes" list.

Exactly! (2, Insightful)

GillBates0 (664202) | more than 9 years ago | (#13103632)

I would've typed in an almost identical comment had I not bothered to RTFC.

No matter how secure the core Firefox code is, it is all meaningless with the current extensions model. With the current model (or lack of one) a malicious (or plain buggy) extension can turn Firefox into a bigger threat than IE.

From my understanding, Firefox extensions aren't restricted from doing I/O or listening on sockets/etc. What's to prevent somebody from writing a seemingly harmless extension which silently dumps all activity logs or other information to an outside listener?

A Java type sandbox model, while a reasonable analogy, would IMHO be overly restrictive for extensions, which need to be more closely tied into Firefox than most Java applets need to be to do all the cool things that they currently do (eg: the Tabbrowser Extension).

Browsers are hopelessly brain damaged (0)

Anonymous Coward | more than 9 years ago | (#13103651)

They're beyond recovery at this point since everyone wants all the kewl extension stuff and there is an endless supply of idiots who think they can just patch past a fundamental flaw in security. Yes you want a secure sandbox but it won't be possible at this point. You need to drop back to a more secure point of defence. It won't be the OS, not if windows is any indication of lack of security. It would have to be something at the hardware or virtual hardware level. So a dedicated browser machine running in a dmz or on a virtual machine without access to any sensitive files or resources. I'm not too familiar with VMWare but the mainframe vm's were all about security.

Fixed? (2, Informative)

A Dafa Disciple (876967) | more than 9 years ago | (#13103378)

According to Firefox extensions site [mozilla.org] , you need to "uninstall or upgrade now." The post is from today.

Re:Fixed? (2, Informative)

notreallynas (714307) | more than 9 years ago | (#13103428)

From the GreaseBlog [blogspot.com] :
Greasemonkey 0.3.5 is a "neutered" version of Greasemonkey, lacking any of the GM* APIs which make Greasemonkey scripts more powerful than regular HTML. This means that scripts which depend on GM* APIs will fail with Greasemonkey 0.3.5.

Re:Fixed? (0)

Anonymous Coward | more than 9 years ago | (#13103471)

That's not much of an upgrade...

Greasemonkey ? (0)

Anonymous Coward | more than 9 years ago | (#13103384)

...so should it have been named SnakeOil?

Opera's answer... (2, Informative)

TheJavaGuy (725547) | more than 9 years ago | (#13103386)

Time to try out Opera's User JavaScript [userjs.org] .

Re:Opera's answer... (1)

nicomen (60560) | more than 9 years ago | (#13103432)

Well it has a good focus on security and works like a charm at least ;)

What did they expect? (4, Interesting)

Nytewynd (829901) | more than 9 years ago | (#13103391)

If you build an engine that allows you to write scripts that modify any page you view, there are obviously serious security flaws.

Allowing scripts to open files and send them elsewhere is especially bad, but there was a huge security concern to me either way. I like the concept of GreaseMonkey, but choose not to install it.

Possible solution - NoScript extension is great ! (5, Interesting)

CdBee (742846) | more than 9 years ago | (#13103494)

I use Greasemonkey in conjunction with NoScript [noscript.net] - an extension which prevents any site from using Javascript unless it is added to the whitelist maintained in the extension.

To run a Greasemonkey script on a page you have to allow that domain or subdomain in NoScript. This prevents Greasemonkey being used on a rogue page as I wouldn't use a script on an uber-dodgy site anyway!

Problems everywhere (0, Redundant)

mfloy (899187) | more than 9 years ago | (#13103393)

This just goes to show that Microsoft isn't the only company who writes insecure software. I seriously doubt any company can write 100% secure software, so I base my judgement on if they can quickly fix holes that are found and learn from their mistakes.

Re:Problems everywhere (1)

ssj_195 (827847) | more than 9 years ago | (#13103576)

Couldn't agree more - if you have a rapidly evolving product (i.e. you are not coding to a comprehensive, rigidly-defined spec), then you will introduce security vulnerabilities. Even if you create less than your contemporaries, this doesn't really help matters - all would-be exploiters need is one remote code execution, and it's all for naught.

The good thing, of course, is that malware tailored to a specific exploit takes time to craft and widely deploy, so very rapid patching can act as a deterrent (remember that story from a while back that stated that attacks on Linux are decreasing, despite its increasing market share?). Popularity of a platform is obviously a factor in targeting software (and yes, I firmly believe that Windows and IE are targeted more than Firefox and Linux, although don't necessarily agree with the corollary that we'd have a comparable malware epidemic if the two switched places), but another is how easy a vulnerability is to exploit, and how long the malware purveyors can count on it being unpatched across a wide range of machines. If a platform offers little in the way of "low-hanging fruit", only the most ardent will persist - the rest will move on to greener pastures.

More details on the exploit... (5, Interesting)

octaene (171858) | more than 9 years ago | (#13103394)

Here are some more details from the posting thread, which explains why the exploit is so bad...

This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer.

http://diveintogreasemonkey.org/experiments/localfile-leak.html [diveintogreasemonkey.org] returns the contents of c:\boot.ini, which exists on most modern Windows systems.

But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)

In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.

The above information posted originally by Mark Pilgrim [mozdev.org]

Re:More details on the exploit... (2, Insightful)

markov_chain (202465) | more than 9 years ago | (#13103537)

OMG! I hope I don't get exploited... or the attackers may get hold of this exciting information:

bin boot dev etc home initrd lib lost+found man media misc mnt opt proc root sbin selinux srv sys tftpboot tmp usr var

Re:More details on the exploit... (1)

idonthack (883680) | more than 9 years ago | (#13103610)

Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit.
So don't let your scripts use that include. Just set it to only the trusted sites it was intended for, it probably doesn't work on anything else anyways. Also don't use any scripts that do net-wide things like adblocking, use a separate extension for those because it's more customizable and it doesn't have problems like this.
---
If nobody notices, it's not illegal.
Generated by SlashdotRndSig [snop.com] via GreaseMonkey [mozdev.org]
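
The two posts above describe the exposure (the GM_* APIs combined with a script scope that defaults to "@include *") and the advice to restrict each script to the sites it was written for. As an added example, not part of the thread and not Greasemonkey's own code, the following JavaScript audits a user script's metadata block and GM_* usage; the function names, risk labels and sample scripts are assumptions made for illustration.

```javascript
// Added example, not Greasemonkey's own code. Function names and risk labels
// are hypothetical; the sample scripts at the bottom are constructed.

// GM_* APIs that give a user script more power than ordinary page script.
const PRIVILEGED_APIS = ['GM_xmlhttpRequest', 'GM_setValue', 'GM_getValue', 'GM_log'];

// Read @name and @include from the // ==UserScript== metadata block.
function parseMetadata(source) {
  const meta = { name: null, includes: [] };
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (/^\/\/\s*==UserScript==$/.test(line)) { inBlock = true; continue; }
    if (/^\/\/\s*==\/UserScript==$/.test(line)) break;
    if (!inBlock) continue;
    const m = /^\/\/\s*@(\S+)\s*(.*)$/.exec(line);
    if (!m) continue;
    if (m[1] === 'name') meta.name = m[2].trim();
    if (m[1] === 'include' && m[2].trim() !== '') meta.includes.push(m[2].trim());
  }
  return meta;
}

// Heuristic: a pattern is "broad" when its host part is a wildcard with no
// literal domain in it, e.g. "*", "http://*" or "http*".
function isBroadPattern(pattern) {
  const rest = pattern.replace(/^[a-z*]+:\/\//i, '');
  const host = rest.split('/')[0];
  return host.includes('*') && !host.includes('.');
}

function auditUserScript(source) {
  const meta = parseMetadata(source);
  // With no @include line the script runs on every page ("@include *").
  const effectiveIncludes = meta.includes.length ? meta.includes : ['*'];
  const broadScope = effectiveIncludes.some(isBroadPattern);
  // Mentions inside comments count too: over-reporting is the safe
  // direction for an audit.
  const apis = PRIVILEGED_APIS.filter(
    (api) => new RegExp('\\b' + api + '\\b').test(source)
  );
  let risk = 'low';
  if (apis.length > 0 && broadScope) risk = 'high';
  else if (apis.length > 0 || broadScope) risk = 'medium';
  return { name: meta.name, effectiveIncludes, broadScope, apis, risk };
}

// --- Constructed sample scripts (not real user scripts) ---
const SAMPLE_NO_INCLUDE = [
  '// ==UserScript==',
  '// @name  Link fixer (constructed sample)',
  '// ==/UserScript==',
  'GM_xmlhttpRequest({ method: "GET", url: "http://example.org/data",',
  '                    onload: function (r) {} });',
].join('\n');

const SAMPLE_SCOPED = [
  '// ==UserScript==',
  '// @name     Forum prefs (constructed sample)',
  '// @include  http://example.org/forum/*',
  '// ==/UserScript==',
  'GM_setValue("theme", "dark");',
].join('\n');

const SAMPLE_PLAIN = [
  '// ==UserScript==',
  '// @name     Recolor (constructed sample)',
  '// @include  http://example.org/*',
  '// ==/UserScript==',
  'document.body.style.background = "#eee";',
].join('\n');

for (const src of [SAMPLE_NO_INCLUDE, SAMPLE_SCOPED, SAMPLE_PLAIN]) {
  const r = auditUserScript(src);
  console.log(`${r.risk.padEnd(6)} ${r.name}  scope=${r.effectiveIncludes.join(' ')}  apis=${r.apis.join(',') || '-'}`);
}
```

Scripts reported with a non-empty `apis` list are also the ones that, per the thread, stop working under Greasemonkey 0.3.5, which ships without the GM_* APIs.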

Here's TFA (3, Informative)

RamboIII (899894) | more than 9 years ago | (#13103396)

Important Announcement

A severe security issue has been discovered in Greasemonkey versions prior to 0.3.5 as well as the early 0.4 alphas which some people may have installed.

Install Greasemonkey 0.3.5 or uninstall Greasemonkey immediately.

More information on Greaseblog.

Greasemonkey is a Firefox extension which lets you add bits of DHTML ("user scripts") to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page's style, user scripts let you easily control any aspect of a web page's design or interaction.

For example, you could:
Make sure that all URLs displayed in the browser are clickable links
Improve the usability of a site you frequent
Route around common and annoying website bugs
Use the Coral content network selectively.

Getting started:
Install Greasemonkey 0.3.5. Learn how to use Greasemonkey. Find useful scripts.

Greasemonkey was heavily inspired by Adrian Holovaty's site-specific extension for All Music Guide and the conversation which ensued after he published it. There were tons of sites I wanted to create SSE's for, but fully-fledged firefox extensions proved too cumbersome. I wanted it to be as easy to create an SSE as it is to write DHTML.

The current maintainers are Aaron Boodman and Jeremy Dunck with the invaluable help of an awesome community of user script enthusiasts.

For questions or comments about greasemonkey, please send a message to the greasemonkey mailing list. Copyright © 2000-2005. All rights reserved. Terms of Use & Privacy Policy.

Notice how they avoid explaining the problem/solution. They just want you to see these new exciting features, and download it now!

Finally (1)

Pizentios (772582) | more than 9 years ago | (#13103397)

From the Thread.

This is why God invented the tag.


Finally a good reason to use it!

Re:Finally (1)

paz5 (542669) | more than 9 years ago | (#13103531)

**blink**
**blink**

oops I mean <blink></blink>

Our Fault (4, Funny)

Comatose51 (687974) | more than 9 years ago | (#13103403)

This is why God invented the tag.

We can blame God for all kinds of things like hurricanes and Godzilla but it's a safe bet that we brought THAT scourge upon ourselves.

Re:Our Fault (1, Informative)

Anonymous Coward | more than 9 years ago | (#13103627)

For clarification, the parent is referring to the article that says at the bottom "This is why God invented the <blink> tag.", you just can't see the blink-part since the parent didn't post in extrans.

Windows Feature? (1)

datadriven (699893) | more than 9 years ago | (#13103417)

Is this a Windows only feature, or do us linux users get to enjoy it also?

Is that really a problem? (1)

nrlightfoot (607666) | more than 9 years ago | (#13103422)

Personally, someone could read my entire hard drive and it wouldn't bother me much. I don't keep sensitive information on my computer, because any computer connected to the internet should be considered insecure.

Re:Is that really a problem? (3, Funny)

grasshoppa (657393) | more than 9 years ago | (#13103458)

Personally, someone could read my entire hard drive and it wouldn't bother me much. I don't keep sensitive information on my computer, because any computer connected to the internet should be considered insecure.

Nice try Bill, we know it's you.

Re:Is that really a problem? (2, Funny)

ArsenneLupin (766289) | more than 9 years ago | (#13103579)

because any computer connected to the internet should be considered insecure.

You know, there are also other OSes than windows...

The next message in the thread is worrisome (-1, Flamebait)

tomhudson (43916) | more than 9 years ago | (#13103467)

It's the next one that people should be alarmed about.
I found out that since Greasemonkey is distributed on addons.mozilla.org it will automatically update itself, even though I didn't put that in the code.

Neat. I'm going to upload the neutered versions at 7pm PST. It'd be great if people could poke it a little before then.
It should be up to the individuals to decide if they want to make such significant mods to their system as purposefully crippling software.

If the Bitch from Redmond pulled a stunt like that, we'd be all over them like viruses on a Windows Box.

Purposefully breaking an app because of a possible exploit is arrogant, dishonest, alarmist, and just plain stupid. If we applied the same thinking to all other areas of our life, we wouldn't be able to do anything, paralyzed by possible fear of a possible bad meal, a potential flat tire, a possible power failure.

Re:The next message in the thread is worrisome (2, Informative)

Anonymous Coward | more than 9 years ago | (#13103534)

Calm down? What that means is people will be alerted by the Mozilla update feature that an update is available. They can still not update. But this is a GOOD THING since not everyone who uses GM reads slashdot or the GM web site!

Re:The next message in the thread is worrisome (1)

tomhudson (43916) | more than 9 years ago | (#13103616)

Disabling software w/o the user's informed consent is a crime in several jurisdictions, including the one I live in.

There's a proper way to handle exploits. Disabling a piece of software under the guise of an "update" wasn't the way to do it.

Re:The next message in the thread is worrisome (1)

LordBodak (561365) | more than 9 years ago | (#13103649)

No one is forcing you to update. If you see an upgrade is available for Greasemonkey on your Firefox updates list, it's your responsibility to go see what was changed before installing.

Re:The next message in the thread is worrisome (0)

Anonymous Coward | more than 9 years ago | (#13103564)

you're an idiot.

Um, you don't actually use Firefox do you? (3, Informative)

mcc (14761) | more than 9 years ago | (#13103603)

It should be up to the individuals to decide if they want to make such significant mods to their system as purposefully crippling software.

You mean like in Firefox, where when updates are available all the auto-update feature does is display a little "updates available" icon in a browser window, then offer to install the updates when you click the icon?

But, but, but (1, Funny)

TheAncientHacker (222131) | more than 9 years ago | (#13103472)

It's open source so millions of eyes have studied it to make sure it's secure...

Re:But, but, but (4, Informative)

Koiu Lpoi (632570) | more than 9 years ago | (#13103569)

You're correct. It was discovered by a white hat.

Re:But, but, but (0)

Anonymous Coward | more than 9 years ago | (#13103573)

That's the benefit of open source. Anyone can look at it that wants to. Of course, that doesn't mean anyone actually WILL look at it.
Oh, and because it's open source it's been checked for copyright infringement as well. SCO has given the all clear.

ING (3, Insightful)

samjam (256347) | more than 9 years ago | (#13103606)

StudyING it (it takes time) and they HAVE found it is not secure, just like the millions of eyes are supposed to do.

One of them is bound to notice, eh?

So it works! Sweet!

Sam

mozilla update down ? (0)

Anonymous Coward | more than 9 years ago | (#13103477)

looks like mozilla update is down !!
ahh ahh!!

Everything said and done... all software is as buggy as, if not worse than, Microsoft products

Uninstall / Remove (2, Interesting)

dhanes (735504) | more than 9 years ago | (#13103482)

After all of a quick 3 minute search of Pilgrim's site and Firefox, I can't find any directions as to how to actually uninstall or remove greasemonkey.

Would anyone have that info to post?? Thanx

Re:Uninstall / Remove (1)

uf22 (521280) | more than 9 years ago | (#13103591)

1) Tools -> Extensions
2) Click on Greasemonkey in the list
3) Click on the "Uninstall" button on the bottom
4) Restart Firefox

If I'm not terribly mistaken (1)

mcc (14761) | more than 9 years ago | (#13103620)

Under the "Tools" menu in Firefox there should be an "Extensions" menu item. It will pull up a list of the extensions you have installed. You can choose Greasemonkey from that list and hit the "uninstall" or "update" buttons.

Re:Uninstall / Remove (3, Informative)

AnObfuscator (812343) | more than 9 years ago | (#13103622)

Go to "Tools", go to "Extensions", click on the Greasemonkey extension and click "uninstall" or "update".

Rock paper scissors (3, Funny)

Arthur B. (806360) | more than 9 years ago | (#13103485)

Firefox burns Greasemonkey cuz it's made of fat.
But Seamonkey beats Firefox because it extinguishes the fire.
Then Greasemonkey beats Seamonkey because it can float in water AND walk on land.
My 2.56 cents

no, Time to stop browsing as root! (2, Insightful)

gwait (179005) | more than 9 years ago | (#13103490)

Oh, wait I don't browse as root already!
Guess it can't access "all" the files on my system then, can it?

Re:no, Time to stop browsing as root! (1)

The Cornishman (592143) | more than 9 years ago | (#13103630)

TFA says "all world-readable files" but I suspect it means all files readable in the Firefox user context.

A HELPFUL TRANSACTION. (5, Insightful)

Anonymous Coward | more than 9 years ago | (#13103507)

(MAN) Sirs, I am in dire need of a web-browser! The one thus furnished to me by Mr. Gates of Redmond is rickety and unsafe, and prone to inviting the most deadly of spy-ware into my parlor!
(MOZILLA SOCIETY REPRESENTATIVE) Why, good sir, we shall help you forthwith! We have exactly the web-browser that you need! It has been engineered to the most careful of specifications, and its security is without compare!
(MAN) Why then I shall have one immediately!

(LATER)

(RANDOM STREET URCHIN) Sir, I see that you have this day procured a web-browser, which I see under your arm. May I convince you to also take this complex contraption of my own invention, which will attach to your web-browser as a "plug in"?
(MAN) What, what? An inscrutable device of unclear ultimate function furnished by a stranger of whom I know nothing? Yes, yes, why not. Now run along, lad.

(LATER THAT NIGHT, THE CONTRAPTION PROVIDED BY THE STREET URCHIN EXPLODES, SETTING THE WEB BROWSER AFLAME.)

(MAN) What's this? Oh, mama! The web-browser I have this very day received from the Mozilla Society has immolated, consuming my drapes and lighting my house aflame. They told me it was secure! Lies! Betrayal! Those Mozilla Society rapscallions! I'll give them what for!

Monkeys (1)

mcwidget (896077) | more than 9 years ago | (#13103523)

Never send a Monkey to do a Gorilla's job or at least give him double the bananas. That's what I always say.

mcwidget.

Like you need FF and Gm installed (1)

munrom (853142) | more than 9 years ago | (#13103561)

I mean, with the number of people that leave their administrator account still called administrator and with either a blank password or just "password", you don't need obscure exploits to get sensitive data off most people's computers.

If we were Microsoft (2, Insightful)

Felinoid (16872) | more than 9 years ago | (#13103605)

"It's not a bug it's a feature" are quite likely words never actually spoken by any representative of Microsoft.
However there is a reason for this attitude.

Bug that makes it possible to run code on remote user's box:
Users say "Oh no bug bug. Get rid of it"
Developers say "Ohh feature feature keep it, expand it"
Security experts say "Bug"

If the developers provide a strong enough argument the "bug" is classified as a feature and remains.

Isn't it the same? (1)

Blitzenn (554788) | more than 9 years ago | (#13103621)

Isn't this a huge hole in Firefox as a whole? What is to stop extensions from being added to my browser that open it up to malicious content? Isn't this the same as the problems that IE has? IE is fine until you start allowing plug-ins, add-ons and scripts. What is to stop a script from running that adds in malicious extensions or plugins to Firefox? Turn off the feature? I can do that in IE too? Am I missing something here or is Firefox no more secure than Firefox?

hold on a sec (1)

ramunas (771197) | more than 9 years ago | (#13103633)

Isn't XMLHTTPRequest only supposed to work within a single domain (e.g. I can't send any requests from one of my servers to one of my blogs)? If so then why has this become a problem? And why have some developers disabled some security measures built in by other developers into the object?