[Greasemonkey] Bait and switch script installation
Nikolas Coukouma
lists at atrus.org
Thu Jun 16 03:17:35 EDT 2005
Alex Thomson wrote:
>Like most people, when I look at a user script and then go
>tools/Install user script, I expect the script that's installed to be
>the one I just saw. However, since GM re-downloads the script when
>you click Install, this isn't necessarily the case.
>
>Via mod_rewrite, http://example.com/script.user.js can return anything
>it wants, and not necessarily what it returned to you the last time
>you viewed the page. This is a security risk, no?
>
>-Alex Thomson
>
I just want to note that this is very spotty. The double request only
occurs if you view and then install the script. It also fails miserably
if they reload the source view for some reason. If you use a script
discovery mechanism (like, ahem, my "script finder"[1]), then it is
unlikely that the user will view and then install.
Still, you could achieve a decent rate of infection and that's a Bad
Thing. We already tell Firefox to pull from the cache if it can (without
violating the HTTP spec), but clearly we should pull the script source
that's currently displayed if you use Tools>Install This User Script...
[1] http://hacks.atrus.org/greasemonkey/
-Nikolas Coukouma