2 min read

Buggy "Greasemonkey" Firefox Extension Should Be Deleted

The bug could allow an attacker to read any Web file on a Greasemonkey user's computer.
A vulnerability in the popular Greasemonkey extension to Mozilla's Firefox browser is so serious, said its developer, that users should either immediately uninstall the add-on or replace it with a neutered version.

Greasemonkey is an extension to Firefox that lets users change parts of a Web site with small bits of JavaScript. Hundreds of scripts exist, and range from one that eliminates all Flash objects to site-specific ones that, for instance, show prices in the user's local currency on Amazon.

The bug could let a malicious Web site read any local file on a Greasemonkey user's machine, or view the contents of all local drive directories, said Aaron Boodman, Greasemonkey's creator, on his blog.

"I'm working feverishly on a fix for this," said Boodman. "But [it] will take several days. In the meantime, I strongly recommend that everyone either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely."

Greasemonkey 0.3.5 is a "neutered" version, added Boodman, that isn't open to exploit.

The bug was spotted by Mark Pilgrim, a programmer whose free e-book, Dive Into Greasemonkey," helped popularize the extension. Pilgrim also posted several working exploits to the vulnerability on's Greasemonkey mailing list.

"This particular exploit is much, much worse than I thought," Pilgrim wrote earlier this week on the list. "Running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. And Mac users don't get to gloat either; [they're] just as vulnerable. "At this point, I don't trust having it on my computer at all," Pilgrim continued in another message on the list. "I would think that whoever is in charge of should immediately remove the Greasemonkey XPI and post a large warning in its place advising people to uninstall it."

Mozilla didn't follow Pilgrim's advice, but did offer up Boodman's crippled 0.3.5 versions.

Although the Greasemonkey vulnerability isn't Firefox's fault -- the Mozilla Foundation does little to control the development of browser extensions -- it's the third public black eye for the popular browser in a matter of days.

Last week, the group announced that its SpreadFirefox marketing site had been hacked and members' information possibly compromised. This week, it noted that Firefox 1.0.5 had broken several extensions, forcing another update Tuesday to 1.0.6.

Greasemonkey 0.3.5 can be downloaded from the Web site.