A severe security hole in Firefox's Greasemonkey extension has been uncovered that exposes any file on a user's local hard drive to a hacker.
The vulnerability affects PCs and Macs and means a hacker does not need to know an exact file name before diving into a system. According to one online posting, typing something such as "file:///c:/" will return a parseable directory listing. Macs can be hacked in a similar way.
Mark Pilgrim, a coder and author writing about Greasemonkey, told a Greasemonkey mailing list: "This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully 'GET' any world readable file on your local computer.
"And because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world," Pilgrim warned.
Greasemonkey enables developers to add DHTML to a web page, in order to change that page's behavior.
Users have been advised to either completely uninstall the Greasemonkey extension or downgrade to Greasemonkey 0.3.5 - a "neutered" version that lacks the APIs making Greasemonkey scripts more powerful than regular HTML.
A fix is in development and expected to take a few days, according to Greaseblog - the Greasemonkey blog.
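The posts quoted above describe GM_xmlhttpRequest accepting file: URLs. As an added illustration (not Greasemonkey's code and not the fix its developers were preparing), this sketch shows the kind of scheme check a privileged request API can apply before fetching anything; guardRequest, the allowlists and the example.test URLs are hypothetical.

```javascript
// Added example: scheme allowlist for a privileged, cross-origin request API.
// All names here are hypothetical; this is not Greasemonkey source code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);

function guardRequest(details, pageUrl) {
  let target;
  try {
    // Parse instead of prefix-matching: the URL parser lower-cases the scheme
    // and strips leading whitespace, so "FILE:" and " file:" are caught too.
    // Relative URLs resolve against the page the script runs on.
    target = new URL(details.url, pageUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { allowed: false, reason: "scheme " + target.protocol + " not allowed" };
  }
  const method = String(details.method || "GET").toUpperCase();
  if (!ALLOWED_METHODS.has(method)) {
    return { allowed: false, reason: "method " + method + " not allowed" };
  }
  return { allowed: true, url: target.href, method: method };
}

// Constructed sample requests, evaluated against a constructed page URL.
function runSamples() {
  const page = "http://example.test/page.html";
  const samples = [
    { method: "GET", url: "file:///c:/" },            // the listing from the article
    { method: "GET", url: "FILE:///etc/passwd" },     // case variation
    { method: "GET", url: " file:///c:/boot.ini" },   // leading whitespace
    { method: "POST", url: "https://example.test/api" },
    { method: "GET", url: "/feed.xml" },              // relative, resolves to http
  ];
  return samples.map((s) => ({ url: s.url, result: guardRequest(s, page) }));
}

for (const row of runSamples()) {
  console.log(JSON.stringify(row.url), row.result.allowed ? "allowed" : row.result.reason);
}
```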