March 23, 2005 1:50 PM PST
Firefox add-on lets surfers tweak sites, but is it safe?
through lists of enticing scripts might fail to distinguish between malicious and benign code.
User scripts also could facilitate password-stealing schemes, said security consultant Richard Smith, who runs the ComputerBytesMan Web site.
"The bad guys could likely create a script for stealing usernames and passwords in login forms using this tool," Smith said. "They would still need to break into someone's computer to install the script, but the tool would make the theft process much easier."
Aaron Boodman, the 26-year-old programmer in Seattle who wrote Greasemonkey, declined to comment on the extension or on its security implications.
But in a recent posting to his Web site, he acknowledged its security liabilities, and worried that Greasemonkey would become vulnerable as a result of its increasing notoriety.
"A hacker could create a script that does something users want, but also makes a call to the hacker's server, sending your cookies to that machine," Boodman wrote. "He could even scan for password fields and upload those... At this point, I'm only comfortable because the (Greasemonkey) community is relatively small and techie. It would be difficult for a hacker to distribute a malicious script in this environment."
In his posting, Boodman said he was open to ideas on improving Greasemonkey's security.
For now, he urged caution along the same lines that Opera did.
"All I can say is that just like any other software, you should think a tiny bit before installing a user script," Boodman wrote. "Make sure the author is someone you trust, or at least in a social network you trust."