CYBERSPACE – A new Firefox extension that allows web surfers to customize their surfing experience, is stirring up some excitement among web surfers. But, security experts are skeptical.The extension is dubbed “Greasemonkey” and allows surfers to run a “user script” which alters a web page as it’s downloaded.
The extension is gaining popularity among surfers who want to customize the sites they visit, allowing them to remove design flaws and get rid of ads on the site. Critics warn that the extension poses substantial security risks, and could cause trouble for site owners who object to having their sites essentially redesigned.
According to the Greasemonkey UserScripts page, Greasemonkey scripts can perform a variety of tasks by manipulating the webpage’s dynamic HTML or DHTML. They can transform story links from The New York Times and direct readers to ad-free versions. They also claim to allow users to change the colors at Slashdot to make the site “less ugly.”
Other scripts execute more significant changes, including making connections to Yahoo Mail and Gmail more secure. One script, called “Butler,” is designed to remove ads on Google results pages as well as add links to competing search sites.
The idea of changing webpages as surfers visit is not new. Webpages that use World Wide Web Consortium’s Cascading Style Sheets allow visitors to adjust the site’s font size, colors, and other style elements.
Not all websites welcome the changes. Google found itself in some hot water after its toolbar began inserting links through its AutoLink feature. In 2001, the Smart Tags feature in Windows XP, which linked words on a webpage to pages of Microsoft’s choosing, was dropped.
Despite the reactions of web site owners, Greasemonkey, and other user scripts, face significant security problems. Scripts can be sources of malicious code, and users who are not aware of the potential risks may not distinguish between good and bad code.
User scripts can facilitate password-stealing schemes, said security expert, Richard Smith from www.ComputerBytesMan.com.
“The bad guys could likely create a script for stealing usernames and passwords in login forms using this tool,” said Smith. “They would still need to break into someone’s computer to install the script, but the tool would make the theft process much easier.”
Aaron Boodman, the 26-year-old programmer in Seattle who wrote Greasemonkey, declined to comment on the extension or on its security implications. He acknowledged its security liabilities,
in a recent posting to his Web site, and worried that Greasemonkey was vulnerable to increasing notoriety.
“A hacker could create a script that does something users want, but also makes a call to the hacker’s server sending your cookies to that machine,” Boodman wrote. “He could even scan for password fields and upload those….At this point, I’m only comfortable because the (Greasemonkey) community is relatively small and techie. It would be difficult for a hacker to distribute a malicious script in this environment.”
Boodman also said he was open to ideas on improving Greasemonkey’s security. For the moment, he urged caution.
“All I can say is that just like any other software, you should think a tiny bit before installing a user script,” Boodman wrote. “Make sure the author is someone you trust, or at least in a social network you trust.”
