Firefox add-on lets surfers tweak sites, but is it safe?

Greasemonkey extension lets surfers insert links, change a look and feel, and more. But at what cost to security?

Rip, mix--get burned?

That's one cautionary note making the rounds along with a popular new extension for Firefox that lets people customize Web pages they visit without the knowledge or cooperation of Web publishers. The extension, dubbed Greasemonkey, lets people run what's known as a "user script," which alters a Web page as the page is downloaded.

That capability has gained the extension an avid following of Web surfers who want to customize the sites they visit, removing design glitches and stripping sites of ads. But the extension comes with substantial security risks and could stir trouble among site owners who object to individual, custom redesigns of their pages.


What's new:
Greasemonkey, an add-on for the popular Firefox browser, lets surfers customize the sites they visit. Using the extension, one could, for example, jump directly to "printer-friendly," and ad-free, stories on news sites.

Bottom line:
The catch is that the type of scripts used to enable the customization can also be used by cyberthugs to make mischief on people's PCs. Caution, then, is advised.

More stories on Firefox

"Publishers for now seem to accept that it's OK for users to make some changes," said Danny Sullivan, editor of Search Engine Watch. "I can tell my browser not to run JavaScript, for example, and that could override what the publisher wants the page to do. But people are still struggling with where the line is. Some of these things may go to court, but I think in the long run publishers...will adapt...or develop other ways to combat it."

The idea of letting Web site visitors alter pages they visit isn't new. Many pages use the World Wide Web Consortium's Cascading Style Sheets recommendation to let users do just that--adjust colors, font sizes and other style elements.

Greasemonkey goes well beyond such superficial changes. Among other things, Greasemonkey can strip out ads, a feature that's sure to prove controversial with publishers, if it crosses over to the mainstream.

Web site customization tools that give Web surfers the ability to "rip and mix" Web page elements have drawn fire in the past when publishers balked at alterations. Google, for example, got into hot water with some sites after it released a toolbar that offers Web surfers the option of inserting hyperlinks into pages through its AutoLink feature.

In 2001, Microsoft abandoned the Smart Tags feature in Windows XP, which would have linked words in a Web page to pages of Microsoft's choosing.

By manipulating the Dynamic HTML, or DHTML, of a Web page, Greasemonkey scripts can perform a host of tasks, according to the GreaseMonkey UserScripts page. They can, for example, transform story links on The New York Times site and take readers to ad-free, printable versions. They can also change Slashdot's colors and make the site "less ugly," the page says.

Related story

Adding hyperlinks where
there weren't any before
is like hijacking a Web
site, some critics say.

Others are designed to execute more substantial changes, such as making connections to Yahoo Mail and Gmail more secure. One, called "Butler," is meant to remove ads on Google results pages, add links to competing search sites, and remove image copy restrictions from Google Print. (CNET's tests of various scripts showed that some were more successful than others at delivering promised results.)

In what could signal a trend toward user scripts, Norwegian browser maker Opera Software has picked up the idea, adding similar functionality to beta 3 of Opera 8, acknowledging Greasemonkey on its Web site.

Regardless of how Web sites react to Greasemonkey--Google wasn't immediately available for comment on the various Google-oriented Greasemonkey scripts--the extension will have to face down substantial security concerns.

The trouble with Greasemonkey and user scripts in general is that scripts can be used for both good and ill, and end users scanning

Featured Video