premshree: Greasemonkey and Phishing

Premshree Pillai (

premshree) wrote,
@ 2005-05-23 13:57:00

Current music:

Joe Satriani - I Believe

Greasemonkey and Phishing

Some days back, when I had posted about the Yahoo! Search link on Google, sriramb brought up an interesting issue:

GreaseMonkey throws up an interesting issue: What if there are GM scripts that phish for information, and a user unwittingly installs an extension that acts as a phishing script? Should browsers start supporting a CRC/MD5 check logo (like the ssl lock icon) to certify that the client and server-side copies of a page are the same and unaltered? Just curious....

One solution, of course, is to read the source and try to figure out if the script is doing something Evil. But then that’s not a solution, is it? I posted his comment to the Greasemonkey mailing list. One solution was userscript.org (not live yet)—which would be like a repository of reviewed scripts; also, scripts will be rated (apropos security), and monitored for changes.

UserJS.org, a repository of User JavaScripts for Opera, went live sometime back. I don’t think it has per-script security ratings and stuff; it’s only a repository. I hope userscript.org goes live soon.

Also of interest (via Sriram): Know your Enemy: Phishing.

(Post a new comment)

sriramb
2005-05-23 10:36 am UTC (link)

I'm doing some r&d on this. i'm trying a simple approach:
1.Make a HttpRequest call and calculate the size of the responseText property (or maybe use the responseXML property and size/hash the DOM).
2. Store the result in varDocSizeOnServer
3. Get the size of the client side document (use something like htmlBody = document.getElementsByTagName('body').item(0).getAttribute('innerHTML'); and compute the size)
4. Store the result in varDocSizeOnClient
5. Compare varDocSizeOnClient and varDocSizeOnServer
6. Display an icon on the status bar

don't know if this will work. Might be worthwhile using Sarissa to code this for cross-browser support.

(Reply to this)(Thread)

	premshree 2005-05-24 04:59 am UTC (link)
	Hashing the DOM content would be a better thing to do. Btw, is there a way to get the modified DOM—the DOM after userscripts are executed—of a page? (Reply to this)(Parent)(Thread)

	sriramb 2005-05-24 05:53 am UTC (link)
	Btw, is there a way to get the modified DOM—the DOM after userscripts are executed—of a page? The .getAttribute('innerHTML') call should return an instance of the modified DOM. (Reply to this)(Parent)(Thread)

	premshree 2005-05-25 04:31 am UTC (link)
	Oh boy, I’m looking forward to this. Maybe I’ll play around too when I have the time. (Reply to this)(Parent)

premshree
2005-05-26 05:28 am UTC (link)

I messed around with some code... only thing is I need to serialize (or something) the document, and do some DOMParser stuff to get rid of the <script>s that GM injects. I assume there’d be an easy way around.

Btw, I was wondering—even if we do this, what purpose would it serve? It’d only be able to tell if a page has been modified using some userscript—we won’t be able to tell if a page’s been phished or something.

Moreover, if a userscript attempts some URL redirection, our script wouldn’t run at that page instance, would it?

To make this useful, we’ll probably have to do some kinda diff, and then figure out specific Evil cases: URL redirection, form action change, etc.

(Reply to this)(Parent)(Thread)

sriramb
2005-05-26 05:49 am UTC (link)

1. Make sure the page is unaltered. If it is, display a warning or something in the status bar
2. examine URLs/JS calls that originate/connect to hosts other than the originating web server/domain (this rule can be tweaked)
3. There are JS scripts that can parse a page and flag potential phishing links.

I guess the aim would be to develop a GreaseMonkey module that would assign a safety rating to a script. This will require more thought, but the idea is to help the user decide if a rendered page is safe.

(Reply to this)(Parent)(Thread)

	premshree 2005-05-26 05:58 am UTC (link)
	Makes sense. I guess the problem’s not actually the implementation. A good design’s going to be critical. Actually, I’d imagine that it’d be better if this were done as part of GM itself. What’s your take? In the meanwhile I’ll see if I can come up with something. Also, looking forward to whatever your gonna cook. (Reply to this)(Parent)(Thread)

sriramb
2005-05-26 06:20 am UTC (link)

Actually, I’d imagine that it’d be better if this were done as part of GM itself.

That's the best option.

Also, looking forward to whatever your gonna cook.

I 've only been hacking together some scripts so far. I guess i'll start a more serious effort from now. Will keep you in the loop. We should also monitor the GM forums to see if someone has similar ideas.

(Reply to this)(Parent)(Thread)

	premshree 2005-05-26 06:26 am UTC (link)
	I don’t see any folks talking about such things in the list. Maybe, eventually, people’ll have to anyway. (Reply to this)(Parent)

	sriramb 2005-05-25 05:58 am UTC (link)
	BTW, this has the potential to mess things up as well. Well worth monitoring... (Reply to this)(Thread)

	premshree 2005-05-25 06:08 am UTC (link)
	Oh boy! (Reply to this)(Parent)

Mini Sitemap:

Username:		Create an Account Forgot your login? Login w/ OpenID
Password:
	Remember Me
	English • Español • Deutsch • Русский…