Greasemonkey, a Lesson in Open Source Development
It has recently been reported that Greasemonkey, a popular add-on for the Firefox web browser that lets users modify the content of the sites they view, has a flaw that could expose its users to attacks by malicious websites they visit. The Greasemonkey developers quickly released a scaled-down version of the add-on as a stopgap while they fix the underlying problem.
Mark Pilgrim discovered that a trio of bugs, when combined, could let a malicious web page gain unwarranted access to files on the user’s machine. He announced his findings to the Greasemonkey mailing list, and as Pilgrim says, “the GM developers, as well as everyone else on the list, immediately took the threat seriously and began discussing possible solutions.” He also wrote a detection script that exercises the vulnerability harmlessly in order to tell visitors whether they are running a vulnerable version. The script displays a warning that points them to the Greasemonkey home page to download the update, and to the mailing list message that explains how serious the vulnerability is.
Aaron Boodman, the creator of Greasemonkey, is hard at work fixing the bugs. As Jeremy Dunck, a Greasemonkey contributor, puts it, “he’s been unavailable because he’s snowed under trying to finish a working 0.4 release which fixes the vulnerabilities without sacrificing compatibility or performance.” “Aaron’s pretty much single-handedly been doing the code in this response.” But it’s not just about one person.
“I think the community fostered by an open source project is very important in terms of how responsive we can be. I’m trying to imagine Aaron hacking away on this code by himself without any feedback or contact with the outside world other than ‘deploy’, and I just can’t see it working at all” says Dunck. “There’s been a lot of useful feedback on how to address this issue in the last 2 days. The community wouldn’t exist if it wasn’t open, and now we’re pulling together.”
Tags: Firefox