[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Mark Pilgrim pilgrim at gmail.com
Mon Jul 18 13:25:51 EDT 2005

On 7/18/05, Jeremy Dunck <jdunck at gmail.com> wrote:
> So, uh, the script leaking investigation isn't entirely for the glory
> of knowing.  It also sucks to leak private keys.

Last week I showed that the complete text of every single one of your
locally-installed user scripts could be leaked to remote sites (
http://diveintogreasemonkey.org/experiments/script-leak.html ), and
the reaction from the GM developers was (paraphrasing) "Yeah, we know
about that, but we haven't fixed it yet because it's hard."

I would now like to point out that every single piece of data stored
locally with GM_setValue can be leaked to remote sites.  Working
exploit here: http://diveintogreasemonkey.org/experiments/function-leak.html

I feel I've accumulated a fair amount of karma in this fledgling
community, and I'm going to burn some of it now by suggesting that
this is a BIG FUCKING DEAL and that I am TRULY SHOCKED that it is not
being dealt with in GM 0.4.


More information about the Greasemonkey mailing list