[Greasemonkey] greasemonkey for secure data over insecure networks / sites
Mark Pilgrim
pilgrim at gmail.com
Mon Jul 18 13:25:51 EDT 2005

On 7/18/05, Jeremy Dunck <jdunck at gmail.com> wrote:
> So, uh, the script leaking investigation isn't entirely for the glory
> of knowing. It also sucks to leak private keys.

Last week I showed that the complete text of every single one of your
locally-installed user scripts could be leaked to remote sites (
http://diveintogreasemonkey.org/experiments/script-leak.html ), and
the reaction from the GM developers was (paraphrasing) "Yeah, we know
about that, but we haven't fixed it yet because it's hard."

I would now like to point out that every single piece of data stored
locally with GM_setValue can be leaked to remote sites. Working
exploit here: http://diveintogreasemonkey.org/experiments/function-leak.html

I feel I've accumulated a fair amount of karma in this fledgling
community, and I'm going to burn some of it now by suggesting that
this is a BIG FUCKING DEAL and that I am TRULY SHOCKED that it is not
being dealt with in GM 0.4.

--
Cheers,
-Mark