Firefox add-on lets surfers tweak sites, but is it safe?

A new Firefox extension that lets people customise their experience of the sites they visit is stirring excitement among Web surfers and consternation among security experts.

Greasemonkey, a new extension to the Mozilla Foundation's Firefox browser, lets people run what's known as a "user script," which alters a Web page as it's downloaded.

That capability has gained the extension an avid following of Web surfers who want to customise the sites they visit, removing design glitches and stripping sites of ads. But the extension comes with substantial security risks, and could stir trouble among site owners who object to individual, custom redesigns of their pages.

By manipulating the Dynamic HTML, or DHTML, of a Web page, Greasemonkey scripts can perform a host of tasks, according to the GreaseMonkey UserScripts page. They can, for example, transform story links on The New York Times site and take readers to ad-free, printable versions. They can also change Slashdot's colours and make the site "less ugly," the page says.

Others are designed to execute more substantial changes, such as making connections to Yahoo Mail and Gmail more secure. One, called "Butler," is meant to remove ads on Google results pages, add links to competing search sites, and removes image copy restrictions from Google Print.

In what could signal a trend toward user scripts, Norwegian browser maker Opera Software picked up the idea, adding the functionality to Beta 3 of Opera 8, acknowledging Greasemonkey.

The idea of letting Web site visitors alter pages they visit isn't new. Many pages use the World Wide Web Consortium's Cascading Style Sheets recommendation to let users do just that -- adjust the site's font size and colours and other style elements.

In other cases, Web sites have balked at alterations. Google, for example, got into hot water with some sites after its toolbar began inserting hyperlinks into pages through its AutoLink feature.

In 2001, Microsoft abandoned the Smart Tags feature in Windows XP, which would have linked words in a Web page to pages of Microsoft's choosing.

Regardless of how Web sites react to Greasemonkey -- Google wasn't immediately available for comment on the various Google-oriented Greasemonkey scripts -- the extension will have to face down substantial security concerns.

The trouble with Greasemonkey and user scripts in general is that scripts can be used for both good and ill, and end users scanning through lists of enticing scripts might fail to distinguish between malicious and benign code.

"A user JavaScript file can in no way harm your computer or stored data, but badly written files can slow down Opera, and malicious files can spy on your browsing," read the browser maker's caveat. "Never install and use a script library from someone you don't know and trust -- if in doubt post in the Opera forums, newsgroups or mailing lists and ask if the script you would like to use is well written and exploit-free."

User scripts also could facilitate password-stealing schemes, said security consultant Richard Smith, who runs the Computer Bytes Man Web site.

"The bad guys could likely create a script for stealing usernames and passwords in login forms using this tool," said Smith. "They would still need to break into someone's computer to install the script, but the tool would make the theft process much easier."

Aaron Boodman, the 26-year-old programmer in Seattle, who wrote Greasemonkey, declined to comment on the extension or on its security implications.

But in a recent posting to his Web site, he acknowledged its security liabilities, and worried that Greasemonkey was vulnerable to increasing notoriety.

"A hacker could create a script that does something users want, but also makes a call to the hacker's server sending your cookies to that machine," Boodman wrote. "He could even scan for password fields and upload those....At this point, I'm only comfortable because the (Greasemonkey) community is relatively small and techie. It would be difficult for a hacker to distribute a malicious script in this environment."

In his posting, Boodman said he was open to ideas on improving Greasemonkey's security.

For now, he urged caution along the same lines that Opera did.

"All I can say is that just like any other software, you should think a tiny bit before installing a user script," Boodman wrote. "Make sure the author is someone you trust, or at least in a social network you trust."

Previous Story

Yahoo mail goes 1GB

Next Story

Yahoo Desktop Search (beta)

Add Your Comment 1

Post comment as

Maarri posted a comment   

Data recovery programs, hard drive recovery tool to recover deleted file, formatted data and deleted partition. Best data recovery program can recover files and folder from FAT and NTFS file system and windows Vista.

Sponsored Links

Recently Viewed Products