Looks like some major ‘sploits have been identified for GreaseMonkey:
“…In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with “@include *” (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.”
(From [Greasemonkey] greasemonkey for secure data over insecure networks / sites thread on GreaseMonkey developer list)
The general agreement on the list is to totally disable or uninstall GM for the time being… Eeek.
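One way to see which of your installed scripts run on every site, as an added example (not from the original post or the Greasemonkey project). Function names and the sample scripts are constructed for illustration, and the code treats a missing @include as "*", as the quote above says:

```javascript
// Added example: hypothetical helper names, constructed sample scripts.
// Extract @include / @exclude rules from the ==UserScript== metadata block.
function parseMetadata(source) {
  const meta = { include: [], exclude: [] };
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@(include|exclude)\s+(\S.*?)\s*$/);
    if (m) meta[m[1]].push(m[2]);
  }
  return meta;
}

// A pattern is "broad" when its host part is nothing but wildcards,
// e.g. "*", "http://*", "*://*/*". Host-scoped patterns are not flagged.
function isBroad(pattern) {
  const host = pattern.replace(/^[a-z*]+:\/\//i, '').split('/')[0];
  return host.replace(/[*.]/g, '') === '';
}

// Report the effective scope of one script: the sites it would run on.
function auditUserscript(source) {
  const meta = parseMetadata(source);
  const defaultedToAll = meta.include.length === 0;
  // Per the quoted post, no @include behaves like "@include *".
  const effectiveIncludes = defaultedToAll ? ['*'] : meta.include;
  const broadIncludes = effectiveIncludes.filter(isBroad);
  return {
    effectiveIncludes,
    excludes: meta.exclude,
    defaultedToAll,
    broadIncludes,
    scope: broadIncludes.length > 0 ? 'all-sites' : 'scoped',
  };
}

// Constructed sample scripts (not real installed scripts).
const head = '// ==UserScript==\n// @name Constructed sample\n';
const tail = '// ==/UserScript==\nvar x = 1;\n';
const SAMPLES = {
  'no-include.user.js': head + tail,
  'wildcard.user.js': head + '// @include http://*\n' + tail,
  'scoped.user.js': head + '// @include http://www.example.com/*\n' + tail,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const r = auditUserscript(src);
  console.log(name, r.scope, r.defaultedToAll ? '(no @include, defaults to *)' : r.effectiveIncludes.join(' '));
}
```

Anything reported as all-sites is worth disabling first or narrowing to the specific sites it needs.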
shame they don’t have black!
Uninstall GreaseMonkey or use version 0.3.5
Fire Greasemonkey was going to be the headline, but that didn’t seem to be direct enough so I changed to “Uninstall GreaseMonkey” which is Mark Pilgrim’s advice after the recent discovery that Greasemonkey has a major security …