Closed Bug 291368 Opened 20 years ago Closed 20 years ago

Greasemonkey allows "carrot spoofing" of sites recording/displaying sensitive data

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

VERIFIED INVALID

People

(Reporter: kay.stoner, Assigned: dveditz)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1 StumbleUpon/1.9993
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1 StumbleUpon/1.9993

The Greasemonkey extension allows scripts to be written, which "hijack"
functionality on pages, enabling malicious code to redirect unsuspecting users
to pages which can collect their data (such as logins/passwords).

You can conduct "carrot spoofing" by creating a Greasemonkey script which does
something useful and helpful on the surface, but behind the scenes, does mischief.

Reproducible: Always

Steps to Reproduce:
1. Create a Greasemonkey script which does something useful like changing the
fonts/colors of a financial services site you use
2. Add in a few lines of JavaScript which replace the innerHTML of the Login
button with a command which redirects them to a site which collects their member
login and password.
3. Redirect them to a page which shows that the site they thought they were
logging into is down. They will never be the wiser for your exploit PLUS they
will always think the site is down, whenever they use Firefox.
4. Put the script out there as an "enhancement" for the site in question, and
wait to collect the data.

Actual Results:
I was able to redirect myself to another bogus page, which did the above, and
redirected to a bogus site-down page.

Expected Results:  
It should have kept an "unsigned" script from hijacking the actual html of my
web page for critical functionality.

Er... hijacking web pages is what Greasemonkey _does_. If that's not really
clear on the Greasemonkey download page, then it should be.

Greasemonkey isn't an official mozilla.org project, and any security risks
installing it and adding scripts produces are the responsibility of the
Greasemonkey developers and users.

GreasemonkIE is also available for IE, but no-one's suggesting it's Microsoft's
fault if people install dodgy scripts.

Gerv

The security risks of rogue Greasemonkey scripts aren't exactly a secret (trade
press articles about it): clearing confidential flag.

Greasemonkey bugs should be reported to the Greasemonkey project at
http://greasemonkey.mozdev.org, though this is a known issue that the
Greasemonkey folks think can be handled with community policing if you stick to
scripts from well-known active repositories.

Not a bug in Firefox in any case.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED
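
An added example, not part of the original bug thread and not Greasemonkey's own code: a small Node.js review aid for vetting a user script before installing it, checking for the behaviour the report describes (markup rewriting, changed form or navigation targets, hosts outside the script's declared `@include` scope). The function names, finding labels and the sample script are constructed for illustration; it is a regex heuristic that tells a reviewer where to look, not a verdict.

```javascript
// Added review aid, not Greasemonkey code. Regex heuristic: it tells a reviewer where to look.
const SAMPLE = [ // constructed user script; hosts are reserved example names
  '// ==UserScript==',
  '// @name     Nicer fonts for Example Bank',
  '// @include  https://bank.example/*',
  '// ==/UserScript==',
  'document.body.style.fontFamily = "Georgia";',
  'var btn = document.getElementById("login");',
  'btn.innerHTML = \'<a href="https://collector.example.net/in">Log in</a>\';',
].join('\n');

// Read the "// ==UserScript==" header into { key: [values] }.
function parseMetadata(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const meta = {};
  if (!block) return meta;
  for (const line of block[1].split('\n')) {
    const m = /^\s*\/\/\s*@(\S+)\s+(.*\S)\s*$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

// Host part of an @include pattern, or null when the pattern has no scheme://host.
function hostOf(pattern) {
  const m = /^[a-z*]+:\/\/([^\/]+)/i.exec(pattern);
  return m ? m[1].toLowerCase() : null;
}

function auditUserscript(source) {
  const includes = parseMetadata(source).include || [];
  const findings = [];
  // Greasemonkey treats a script with no @include as if it had "@include *".
  if (includes.length === 0 || includes.some(p => p === '*' || hostOf(p) === '*'))
    findings.push('runs-on-every-site');
  const body = source.replace(/\/\/\s*==UserScript==[\s\S]*?==\/UserScript==/, '');
  if (/\.(innerHTML|outerHTML)\s*\+?=[^=]/.test(body))
    findings.push('rewrites-page-markup');
  if (/\.action\s*=[^=]|location(\.href)?\s*=[^=]|location\.(replace|assign)\s*\(/.test(body))
    findings.push('changes-navigation-or-form-target');
  const allowed = includes.map(hostOf).filter(Boolean);
  const foreign = new Set(); // hosts the code mentions that the header never declared
  for (const m of body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    const h = m[1].toLowerCase();
    if (!allowed.includes(h)) foreign.add(h);
  }
  if (foreign.size) findings.push('foreign-hosts:' + [...foreign].sort().join(','));
  return findings;
}
```

`auditUserscript(SAMPLE)` reports the markup rewrite and the undeclared host; a script that only restyles the page returns an empty list.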