aa-gm-functions.js on userjs.org


T.BugReporter

Jun 24, 2008, 12:49:01 PM
to greasemonkey-users
Do the Opera people have any clue how much of a security breach this
script is?

In Greasemonkey, GM_setValue and GM_getValue are, by definition,
private; their existence, let alone their contents, are known only to
the user and the browser. Cookies are, by definition, shared between
the browser and the server. By simulating these private objects with
cookies, you are causing Opera to transmit possibly sensitive
information to some server on the internet without the user's
knowledge or consent - information that the script writer expected
would remain private.

The Greasemonkey developers have worked long and hard to ensure that a
Web site manipulated by a Greasemonkey script CAN'T detect the
existence or use of that script (unless the script itself is poorly
coded); your Opera Gm fakeout script drives a big fat hole thru that.
Consider this scenario:

- I come across <http://nasty.example.com/>, and find some of what's
there to be of interest, but I also find using the site to be, well,
nasty.

- I write a Greasemonkey script to make the site less nasty to use -
one that happens to use GM_setValue and GM_getValue.

- I publish my script, and many other users of Nasty download it.

- Nasty gets wind of my script, and, being what they are, decides they
don't like the idea of people un-nastying their site - but they can't
do a thing about it, because they have no way to tell that it's
happening.

- Some Opera user gets a hold of my script, and decides he wants to
try it - only to find it's not fully compatible with Opera. He's not
a programmer, but does a little Googling, and finds this other script
that claims to make Greasemonkey scripts more compatible, installs it,
and, lo and behold, it (seemingly) works!

- Nasty starts noticing these strange cookies being transmitted to
their servers, and, while they may be Nasty, they're not dumb, so they
figure out that they can detect that detested Greasemonkey script
whenever someone's ignorant enough to install it on Opera.

- Nasty systematically shuts out all Opera users.

or worse,

- Nasty secretly collects the info transmitted in these cookies by
unwitting Opera users, and uses it in whatever way they can to make
those people's lives miserable.

So, in closing, what's the best way to detect this piece of crap in
order to avoid using it?

Anthony Lieuallen

Jun 24, 2008, 1:03:52 PM
to greasemon...@googlegroups.com
On 6/24/2008 12:49 PM, T.BugReporter wrote:
> ... the Opera people ... Greasemonkey ...
>
> So, in closing, what's the best way to detect this piece of crap in
> order to avoid using it?

Detect what? Are you asking how to do something with Opera's user
script manager? This being the greasemonkey mailing list, you're not
likely to find a lot of knowledge about it here. If you're asking
something else, please clarify, because all those paragraphs didn't make
it clear what the question really means.

If this helps at all:

alert(GM_getValue.prototype === Function.prototype);

Should probably be true for opera running this compatibility layer, but
not for GM. But I don't have opera or deep knowledge of how its user
script manager works.

T.BugReporter

Jun 24, 2008, 1:54:39 PM
to greasemonkey-users
Okay, this is not a Greasemonkey problem - I get that - but it is a
problem for everyone who writes a Greasemonkey script, because any
script has the potential to be loaded into Opera, and if a script
fails to take Opera into account re: GM_setValue, it could result in
this security breach - and if it comes to bite someone, who are they
more likely to complain to - Opera, or the script's writer?

> This being the greasemonkey mailing list, you're not
> likely to find a lot of knowledge about it here.

This was a cross-post; I originally posted it at userjs.org, but
realized afterward that there's practically no one left to read it
over there.

> If this helps at all:
>
> alert(GM_getValue.prototype === Function.prototype);

No, it doesn't - both Firefox and Opera report "false" for this. Both
implement GM_setValue in JavaScript (Firefox within Greasemonkey,
Opera within this aa-gm-functions.js), but Opera's implementation
sucks, and there needs to be a way for a script to tell which
implementation is being used before using it (or not).

T.BugReporter

Jun 24, 2008, 11:55:00 PM
to greasemonkey-users
Here's a test that works for me (is there a better one?):

var GM_setValue_SAFE=(GM_setValue.toString().search(/cookie/i)==-1);

I strongly suggest that all script writers using GM_setValue in their
scripts (even scripts not targeting Opera) include this test in their
scripts.
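
An added example, not part of any post in this thread: a more defensive form of the source-text test from the last message, which also checks GM_getValue, ignores an overridden toString, and keeps values in page memory when a cookie-backed implementation is found. The names classifyStorageFn and makeStore and the shim stand-ins are assumptions made for illustration.

```javascript
// Added example (not from the thread). Classifies a GM_* storage function by
// its source text. Heuristic: it only sees what Function.prototype.toString
// reveals, so a wrapper that hides its source is not caught.
function classifyStorageFn(fn) {
  if (typeof fn !== "function") return "missing";
  // Call the built-in toString directly so an overridden fn.toString is ignored.
  const src = Function.prototype.toString.call(fn);
  return /cookie/i.test(src) ? "cookie-backed" : "ok";
}

// Returns { backend, get, set }. The GM_* pair is used only when both functions
// exist and neither mentions cookies; otherwise values stay in page memory
// (not persisted, and never attached to HTTP requests).
function makeStore(gmGet, gmSet) {
  const verdicts = [classifyStorageFn(gmGet), classifyStorageFn(gmSet)];
  if (verdicts.every((v) => v === "ok")) {
    return { backend: "gm", get: gmGet, set: gmSet };
  }
  const mem = new Map();
  return {
    backend: "memory",
    get: (key, fallback) => (mem.has(key) ? mem.get(key) : fallback),
    set: (key, value) => { mem.set(key, value); },
  };
}

// Constructed stand-ins for testing; NOT the real aa-gm-functions.js code.
function cookieShimSet(name, value) {
  document.cookie = name + "=" + escape(value) + ";path=/";
}
function cookieShimGet(name, fallback) {
  const m = document.cookie.match(new RegExp("(?:^|; )" + name + "=([^;]*)"));
  return m ? unescape(m[1]) : fallback;
}
const prefs = {};
function privateSet(name, value) { prefs[name] = value; }
function privateGet(name, fallback) {
  return name in prefs ? prefs[name] : fallback;
}

// In a user script (assumed usage):
//   const store = makeStore(
//     typeof GM_getValue !== "undefined" ? GM_getValue : undefined,
//     typeof GM_setValue !== "undefined" ? GM_setValue : undefined);
```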