Greasemonkey Insecure

Update: There’s a neutered version available until this bug can be fixed. Thanks to maca for pointing this out in the comments. I should also add that the maintainers are doing a great job sorting this problem out.

Since I’ve spouted here about the virtues of the Greasemonkey extension for Firefox, I should probably point out that, as of right now, Greasemonkey is completely insecure. That is, if you have it installed you should uninstall or disable it. I’m not kidding. There’s already a proof-of-concept exploit that demonstrates that any page that you run a Greasemonkey script on (which usually means any page at all since Greasemonkey scripts execute on all pages by default) can access any file on your computer and send its contents to any server.

Uninstall Greasemonkey altogether. At this point, I don’t trust having it on my computer at all. I would think that whoever is in charge of should immediately remove the Greasemonkey XPI and post a large warning in its place advising people to uninstall it.

Mark Pilgrim