Critical Security Vulnerability with GreaseMonkey (Firefox Extension)

By Angsuman Chakraborty, Gaea News Network
Tuesday, July 19, 2005

GreaseMonkey is a popular Firefox extension that enables a wide range of browser enhancements through third-party GreaseMonkey user scripts. Yesterday a serious security vulnerability was found that exposes the hard-drive contents of GreaseMonkey users to any website they visit. Windows as well as Mac users are affected. And there is more. Here are the gory details.

Summary
For the impatient, here is the summary from GreaseBlog:

Yesterday, Mark Pilgrim discovered and announced a very serious security vulnerability in Greasemonkey. The flaw allows any website which matches at least one user script (even * scripts) to read any local file on your machine, or to list the contents of local directories. The flaw applies to Greasemonkey on all platforms.

I’m working feverishly on a fix for this. But this will take several days. In the meantime, I strongly recommend that everyone either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely.

Gory Details
There was already a known security issue, raised by Mark Pilgrim:

Last week I showed that the complete text of every single one of your
locally-installed user scripts could be leaked to remote sites (
https://diveintogreasemonkey.org/experiments/script-leak.html ), and
the reaction from the GM developers was (paraphrasing) “Yeah, we know
about that, but we haven’t fixed it yet because it’s hard.”

Yesterday Godmar Back raised a question on the same topic, but with respect to XMLHttpRequest:

Would the same concern apply to GM’s XMLHttpRequest object?

Could a malicious web site serve JavaScript that would create
connections to domains other than the domain from which it came if the
user has a GM script that is triggered for all pages, since the
GM_xmlhttprequest function object (or whatever it was called) will
then exist in the environment of the page?

Mark Pilgrim soon realized the full impact of this vulnerability. In his words:

This particular exploit is much, much worse than I thought.
GM_xmlhttpRequest can successfully “GET” any world-readable file on
your local computer.

https://diveintogreasemonkey.org/experiments/localfile-leak.html
returns the contents of c:\boot.ini, which exists on most modern
Windows systems.

But wait, it gets worse. An attacker doesn’t even need to know the
exact filename, since “GET”ting a URL like “file:///c:/” will return a
parseable directory listing. (And Mac users don’t get to gloat
either; you’re just as vulnerable, starting with a different root
URL.)

In other words, running a Greasemonkey script on a site can expose the
contents of every file on your local hard drive to that site. Running
a Greasemonkey script with “@include *” (which, BTW, is the default if
no parameter is specified) can expose the contents of every file on
your local hard drive to every site you visit. And, because
GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly
send this information anywhere in the world.
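The check that a privileged request helper of the GM_xmlhttpRequest kind needs before it touches any URL, written here as an added illustration and not taken from Greasemonkey's own code; the transport function `doFetch` and the base URL `https://page.example/` are assumptions:

```javascript
// Added example, not Greasemonkey code. The flaw described above has two
// halves: the helper would fetch any URL (including file:///), and page
// scripts could reach it. This block addresses the first half with a
// scheme allow-list applied before any I/O happens.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised URL string if it may be fetched by a privileged
// helper, or null if it must be refused. `base` is the page the user
// script runs on; relative URLs resolve against it, which is why a
// scheme check on the raw string alone would not be enough.
function checkRequestUrl(rawUrl, base) {
  let parsed;
  try {
    parsed = new URL(String(rawUrl), base);
  } catch (e) {
    return null; // unparseable input is refused, never guessed at
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null; // refuses file:, chrome:, resource:, data:, javascript: ...
  }
  return parsed.href;
}

// Wrapper that a user-script API could expose. `doFetch` is an assumed
// transport, injected so the policy can be exercised outside a browser.
function privilegedRequest(rawUrl, base, doFetch) {
  const target = checkRequestUrl(rawUrl, base);
  if (target === null) {
    throw new Error("refused request to disallowed URL: " + rawUrl);
  }
  return doFetch(target);
}

// Constructed sample inputs, including the file: URLs named in the
// mailing-list post above. Returns { url: allowed } for inspection.
function auditSampleUrls(base) {
  const samples = ["file:///c:/", "file:///c:/boot.ini",
                   "https://example.org/api", "/relative/path"];
  const result = {};
  for (const u of samples) {
    result[u] = checkRequestUrl(u, base) !== null;
  }
  return result;
}

module.exports = { checkRequestUrl, privilegedRequest, auditSampleUrls };
```

The second half of the flaw, page scripts reaching the helper at all, is a sandboxing problem that no URL check solves; the helper must not be a property of the page's window.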

He soon came back with the suggestion to immediately uninstall GreaseMonkey (found via Anil Dash’s blog).

> So what is the short term strategy for not exposing yourself to
> malicious attacks, barring making the monkey frown until a real fix is
> released?
>
> I’ve already turned off all the scripts that run on every site. What
> else should I do?

Uninstall Greasemonkey altogether. At this point, I don’t trust
having it on my computer at all.

I would think that whoever is in
charge of addons.mozilla.org should immediately remove the
Greasemonkey XPI and post a large warning in its place advising people
to uninstall it.

By the way, “Greasemonkey Hacks” is DEAD until we fix this. And I’m
posting a big red blinking warning on every page of
diveintogreasemonkey.org advising visitors to uninstall it, until all
of these security holes are closed. This is why God invented the
<blink> tag.

Good job Mark!
