Firefox add-on lets surfers tweak sites, but is it safe?

Greasemonkey extension lets surfers insert links, change a look and feel, and more. But at what cost to security?

Paul Festa Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.

Rip, mix--get burned?

That's one cautionary note making the rounds along with a popular new extension for Firefox that lets people customize Web pages they visit without the knowledge or cooperation of Web publishers. The extension, dubbed Greasemonkey, lets people run what's known as a "user script," which alters a Web page as the page is downloaded.

That capability has gained the extension an avid following of Web surfers who want to customize the sites they visit, removing design glitches and stripping sites of ads. But the extension comes with substantial security risks and could stir trouble among site owners who object to individual, custom redesigns of their pages.


What's new:
Greasemonkey, an add-on for the popular Firefox browser, lets surfers customize the sites they visit. Using the extension, one could, for example, jump directly to printer-friendly, ad-free versions of stories on news sites.

Bottom line:
The catch is that the type of scripts used to enable the customization can also be used by cyberthugs to make mischief on people's PCs. Caution, then, is advised.

"Publishers for now seem to accept that it's OK for users to make some changes," said Danny Sullivan, editor of Search Engine Watch. "I can tell my browser not to run JavaScript, for example, and that could override what the publisher wants the page to do. But people are still struggling with where the line is. Some of these things may go to court, but I think in the long run publishers...will adapt...or develop other ways to combat it."

The idea of letting Web site visitors alter pages they visit isn't new. Many pages use the World Wide Web Consortium's Cascading Style Sheets recommendation to let users do just that--adjust colors, font sizes and other style elements.

Greasemonkey goes well beyond such superficial changes. Among other things, Greasemonkey can strip out ads, a feature that's sure to prove controversial with publishers, if it crosses over to the mainstream.

Web site customization tools that give Web surfers the ability to "rip and mix" Web page elements have drawn fire in the past when publishers balked at alterations. Google, for example, got into hot water with some sites after it released a toolbar that offers Web surfers the option of inserting hyperlinks into pages through its AutoLink feature.

In 2001, Microsoft abandoned the Smart Tags feature in Windows XP, which would have linked words in a Web page to pages of Microsoft's choosing.

By manipulating the Dynamic HTML, or DHTML, of a Web page, Greasemonkey scripts can perform a host of tasks, according to the GreaseMonkey UserScripts page. They can, for example, transform story links on The New York Times site and take readers to ad-free, printable versions. They can also change Slashdot's colors and make the site "less ugly," the page says.
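The link-rewriting scripts described above work by walking the page's anchors and replacing each story URL with its printable counterpart. The following is an added illustration of that mechanism, not the GreaseMonkey UserScripts code or any real site's script: the metadata header follows Greasemonkey's `// ==UserScript==` convention, while the host `news.example`, the `print=1` query parameter and the sample anchors are constructed placeholders standing in for whatever scheme a real site uses.

```javascript
// ==UserScript==
// @name        Printer-friendly stories
// @namespace   http://userscripts.example/demo
// @include     http://news.example/*
// ==/UserScript==
// Added example, not from the article or from any real site's script.
// "news.example" and the "print=1" query parameter are constructed
// placeholders; a real script would use the site's own printable-URL scheme.

const STORY_HOST = "news.example";   // placeholder host, constructed
const PRINT_PARAM = "print";         // placeholder query parameter, constructed

// Return the printer-friendly URL for a story link, or null when the link is
// not a story on STORY_HOST (other hosts, mailto:/javascript: links) or is
// already in printable form, so repeated runs leave the page unchanged.
function toPrintableUrl(href, base = "https://" + STORY_HOST + "/") {
  let url;
  try {
    url = new URL(href, base);   // resolves relative links against the site
  } catch (e) {
    return null;                 // not a parseable URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.hostname !== STORY_HOST) return null;
  if (url.searchParams.get(PRINT_PARAM) === "1") return null;
  url.searchParams.set(PRINT_PARAM, "1");
  return url.toString();
}

// Rewrite anchors in place (document.links in Greasemonkey, or any array of
// objects with an href property) and return how many were changed.
function rewriteLinks(links) {
  let changed = 0;
  for (const a of links) {
    const next = toPrintableUrl(a.href);
    if (next !== null) {
      a.href = next;
      changed++;
    }
  }
  return changed;
}

// Greasemonkey runs this against the live page; outside a browser we use a
// constructed list of anchors so the script also runs under Node.
const anchors = (typeof document !== "undefined")
  ? Array.from(document.links)
  : [
      { href: "https://news.example/2005/story.html" },
      { href: "/2005/other.html" },
      { href: "https://other.example/page" },
      { href: "mailto:editor@news.example" },
      { href: "https://news.example/2005/story.html?print=1" },
    ];
rewriteLinks(anchors);
```

Note that the script changes only links on the host it is written for and leaves links that are already printable alone; a user script runs on every matching page load, so a rewrite that is not idempotent would keep mangling the same URLs.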

Others are designed to execute more substantial changes, such as making connections to Yahoo Mail and Gmail more secure. One, called "Butler," is meant to remove ads on Google results pages, add links to competing search sites, and remove image copy restrictions from Google Print. (CNET News.com's tests of various scripts showed that some were more successful than others at delivering promised results.)

In what could signal a trend toward user scripts, Norwegian browser maker Opera Software has picked up the idea, adding similar functionality to beta 3 of Opera 8 and acknowledging Greasemonkey on its Web site.

Regardless of how Web sites react to Greasemonkey--Google wasn't immediately available for comment on the various Google-oriented Greasemonkey scripts--the extension will have to face down substantial security concerns.

The trouble with Greasemonkey and user scripts in general is that scripts can be used for both good and ill, and end users scanning through lists of enticing scripts might fail to distinguish between malicious and benign code.

"A user JavaScript file can in no way harm your computer or stored data, but badly written files can slow down Opera, and malicious files can spy on your browsing," browser maker Opera warns in a Web posting about the new feature in its latest beta. "Never install and use a script library from someone you don't know and trust--if in doubt, post in the Opera forums, newsgroups or mailing lists and ask if the script you would like to use is well written and exploit-free."

User scripts also could facilitate password-stealing schemes, said security consultant Richard Smith, who runs the ComputerBytesMan Web site.

"The bad guys could likely create a script for stealing usernames and passwords in login forms using this tool," Smith said. "They would still need to break into someone's computer to install the script, but the tool would make the theft process much easier."

Aaron Boodman, the 26-year-old programmer in Seattle who wrote Greasemonkey, declined to comment on the extension or on its security implications.

But in a recent posting to his Web site, he acknowledged its security liabilities, and worried that Greasemonkey would become vulnerable as a result of its increasing notoriety.

"A hacker could create a script that does something users want, but also makes a call to the hacker's server, sending your cookies to that machine," Boodman wrote. "He could even scan for password fields and upload those...At this point, I'm only comfortable because the (Greasemonkey) community is relatively small and techie. It would be difficult for a hacker to distribute a malicious script in this environment."

In his posting, Boodman said he was open to ideas on improving Greasemonkey's security.

For now, he urged caution along the same lines that Opera did.

"All I can say is that just like any other software, you should think a tiny bit before installing a user script," Boodman wrote. "Make sure the author is someone you trust, or at least in a social network you trust."
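Opera's advice to ask whether a script is "well written and exploit-free" and Boodman's call to "think a tiny bit before installing" both amount to reading the script first. The following added example, which is not code from the article, Opera or Greasemonkey, is a small static audit a user could run over a script's source before installing it. It assumes the `// ==UserScript==` header with `@include` lines follows Greasemonkey's metadata convention and that `GM_xmlhttpRequest` is the request function such scripts call; the two sample scripts and every host name in them are constructed.

```javascript
// Added example (not from the article, Opera or Greasemonkey): a static
// pre-install audit for a user script. It is a heuristic. A clean report is
// not proof of safety; a hit means "read this script before trusting it".
// Assumptions: the "// ==UserScript==" header with @include lines follows
// Greasemonkey's metadata convention, GM_xmlhttpRequest is the request
// function such scripts call, and all host names below are constructed.

// Host names a script declares it runs on, taken from its @include lines.
// A bare "*" (or an unparseable pattern) is recorded as "*" meaning any host.
function includedHosts(src) {
  const hosts = new Set();
  const header = src.match(/\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/);
  if (!header) return hosts;
  for (const m of header[1].matchAll(/@include\s+(\S+)/g)) {
    const host = m[1].match(/^[^:]*:\/\/(?:\*\.)?([^\/*]+)/);
    hosts.add(host ? host[1].toLowerCase() : "*");
  }
  return hosts;
}

// The capabilities the article's sources describe as risky: reading cookies,
// reaching password fields, and calling out to a server from the page.
const CHECKS = [
  { re: /document\.cookie/, note: "reads document.cookie" },
  { re: /type\s*[=:]\s*["']?password/i, note: "selects password fields" },
  { re: /\b(?:GM_xmlhttpRequest|XMLHttpRequest|fetch)\s*\(|new\s+Image\s*\(/,
    note: "makes network requests from the page" },
];

// Return a list of findings for one script's source text.
function auditUserScript(src) {
  const hosts = includedHosts(src);
  // Audit only the code body; the header's @namespace is often a URL itself.
  const body = src.replace(/\/\/ ==UserScript==[\s\S]*?\/\/ ==\/UserScript==/, "");
  const findings = [];
  for (const c of CHECKS) {
    if (c.re.test(body)) findings.push(c.note);
  }
  // Any literal URL whose host is not covered by @include is worth a look:
  // a script written for one site has little reason to name another server.
  const flagged = new Set();
  for (const m of body.matchAll(/https?:\/\/([^\/'"\s)?#]+)/g)) {
    const host = m[1].toLowerCase();
    const covered = hosts.has("*") ||
      [...hosts].some(h => host === h || host.endsWith("." + h));
    if (!covered) flagged.add(host);
  }
  for (const h of flagged) findings.push("names a host outside its @include list: " + h);
  return findings;
}

// Constructed samples. The first does what the link-rewriting scripts in the
// article do; the second shows the pattern Boodman and Opera warn about.
const BENIGN_SCRIPT = `// ==UserScript==
// @name      Printer-friendly stories
// @namespace http://userscripts.example/demo
// @include   http://news.example/*
// ==/UserScript==
for (const a of document.links) {
  if (a.hostname === "news.example") a.href += (a.search ? "&" : "?") + "print=1";
}
`;

const SUSPICIOUS_SCRIPT = `// ==UserScript==
// @name      Free helper
// @include   http://news.example/*
// ==/UserScript==
var c = document.cookie;
var pw = document.querySelectorAll("input[type=password]");
GM_xmlhttpRequest({ method: "GET", url: "http://collector.example/ping" });
`;

console.log("benign:", auditUserScript(BENIGN_SCRIPT));         // []
console.log("suspicious:", auditUserScript(SUSPICIOUS_SCRIPT));  // four findings
```

The host check is the most useful of the three: a script that only rewrites links on one site has no business naming a second server, and that mismatch is easy to spot mechanically. Pattern matching on source text cannot see through obfuscation, so the audit is a filter for a first read, not a substitute for the trust in the author that both Opera and Boodman ask for.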