ASIACCS 2014, Kyoto, Japan, 2-4 June 2014
With the constant migration of applications from the desktop to the web, power users have found ways of enhancing web applications at the client side according to their needs. In this paper, we investigate this phenomenon by focusing on the popular Greasemonkey extension, which enables users to write scripts that arbitrarily change the content of any page, allowing them to remove unwanted features from web applications or to add desired features to them. The creation of script markets, on which these scripts are often shared, extends the standard web security model with two new actors, introducing novel vulnerabilities. We describe the architecture of Greasemonkey and perform a large-scale analysis of the most popular, community-driven script market for Greasemonkey. Through our analysis, we discover not only dozens of malicious scripts waiting to be installed by users, but thousands of benign scripts with vulnerabilities that could be abused by attackers. In 58 cases, the vulnerabilities are so severe that they can be used to bypass the Same-Origin Policy of the user's browser and steal sensitive user data from all sites. We verify the practicality of our attacks by developing a proof-of-concept exploit against a vulnerable user script with an installation base of 1.2 million users, equivalent to a "Man-in-the-browser" attack.
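The abstract's point is that a user script runs with privileges the page itself does not have, so a script that applies to every site and requests cross-origin APIs is exactly the kind a reviewer should scrutinise before installing. As an added example, not code from the paper or from the Greasemonkey project, the helper below parses the metadata block at the top of a user script and reports how broad its page scope is and which privileged GM_* APIs it requests. It assumes the real Greasemonkey directive names (`@name`, `@include`, `@match`, `@grant`) and the real cross-origin request API `GM_xmlhttpRequest`; the sample script and the audit wording are constructed for this example.

```javascript
// Added example (not the paper's or Greasemonkey's own code): audit the
// "// ==UserScript== ... // ==/UserScript==" metadata block of a user script
// for broad scope combined with privileged GM_* API grants.

// Constructed sample: a script that runs on every site and asks for
// cross-origin requests plus persistent storage.
const SAMPLE_SCRIPT = [
  '// ==UserScript==',
  '// @name         Example Enhancer',
  '// @namespace    example-namespace',
  '// @include      *',
  '// @grant        GM_xmlhttpRequest',
  '// @grant        GM_setValue',
  '// ==/UserScript==',
  "document.title = 'enhanced';",
].join('\n');

// Parse the metadata block into { directive: [value, ...] }.
// Returns null when the block is missing or malformed.
function parseMetadata(source) {
  const start = source.indexOf('// ==UserScript==');
  const end = source.indexOf('// ==/UserScript==');
  if (start === -1 || end === -1 || end < start) return null;
  const meta = {};
  for (const rawLine of source.slice(start, end).split('\n')) {
    const m = /^\/\/\s*@(\S+)\s+(.*)$/.exec(rawLine.trim());
    if (!m) continue;
    const key = m[1];
    const value = m[2].trim();
    if (!meta[key]) meta[key] = [];
    meta[key].push(value);
  }
  return meta;
}

// Scope patterns that make a script run on every site the user visits.
const GLOBAL_SCOPES = new Set(['*', 'http://*/*', 'https://*/*', '*://*/*']);

// GM APIs that reach beyond the current page's origin (cross-origin requests)
// or keep script-wide data readable from every site the script runs on.
const PRIVILEGED_APIS = new Set(['GM_xmlhttpRequest', 'GM_setValue', 'GM_getValue']);

// Returns { global, privileged, findings } for a user script source.
function auditUserScript(source) {
  const meta = parseMetadata(source);
  if (!meta) {
    return { global: false, privileged: [], findings: ['no ==UserScript== metadata block'] };
  }
  const scopes = [].concat(meta.include || [], meta.match || []);
  const grants = meta.grant || [];
  // Greasemonkey treats a script with no @include/@match as "@include *".
  const global = scopes.length === 0 || scopes.some((s) => GLOBAL_SCOPES.has(s));
  const privileged = grants.filter((g) => PRIVILEGED_APIS.has(g));
  const findings = [];
  if (global) findings.push('script applies to every site (no @include/@match, or a wildcard)');
  if (privileged.length > 0) findings.push('requests privileged APIs: ' + privileged.join(', '));
  if (global && privileged.length > 0) {
    findings.push('global scope plus privileged APIs: page content that reaches a GM_* call ' +
                  'can act across origins; review those data flows before installing');
  }
  return { global, privileged, findings };
}

console.log(auditUserScript(SAMPLE_SCRIPT).findings.join('\n'));
```

A script that declares `@grant none` and a single `@match` pattern produces no findings; the audit is a triage aid for which scripts deserve a closer read of how page-controlled data flows into privileged calls, not a proof that a script is safe.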