The Register®

Original URL: http://www.theregister.co.uk/2005/07/20/firefox_greasemonkey/

Firefox's Greasemonkey slippery on security

Full file exposure

By Gavin Clarke in San Francisco

Posted in Enterprise Security, 20th July 2005 16:43 GMT


A severe security hole in Firefox's Greasemonkey extension has been uncovered that exposes any file on a user's local hard drive to a hacker.

The vulnerability affects PCs and Macs and means a hacker does not need to know an exact file name before diving into a system. According to one online posting, typing something such as "file:///c:/" will return a parseable directory listing. Macs can be hacked in a similar way.

Mark Pilgrim, a coder and author writing about Greasemonkey, told a Greasemonkey mailing list (http://www.mozdev.org/pipermail/greasemonkey/2005-July/004022.html): "This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully 'GET' any world readable file on your local computer.

"And because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world," Pilgrim warned.

Greasemonkey enables developers to add DHTML to a web page, in order to change that page's behavior.

Users have been advised to either completely uninstall the Greasemonkey extension or downgrade Greasemonkey to 0.3.5 - a "neutered" version that lacks the APIs that make Greasemonkey scripts more powerful than regular HTML.

A fix is in development and expected to take a few days, according to Greaseblog - the Greasemonkey blog (http://greaseblog.blogspot.com/2005/07/mandatory-greasemonkey-update.html).
