Bug 719296 - Malicious "YouTube Player" add-on
Status: RESOLVED FIXED (closed)
Opened 12 years ago; closed 12 years ago
Product / Component: Toolkit :: Blocklist Policy Requests (defect)
Reporter: mhammell; Assignee: jorgev
Attachments: 1 file (59.95 KB, text/plain)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Steps to reproduce:

Users on Facebook are being encouraged to click on a link to http://wurm.yuovideo.info/video3.php

This redirects to youutuube.info with a fake video, asking the user to click on it to upgrade their video player.

Clicking will push one of two malicious browser extensions:
(Firefox) http://p.nicefb.me/player/ff/youtube_player.xpi
(Chrome) http://p.nicefb.me/player/ff/youtube_player.crx

Actual results:

From the Firefox .xpi file, the "ff-overlay.js" file:

if on yuotube.info, redirect to http://yuotube.info/video.php

if on facebook.com, do:
  grab post_form_id, fb_dtsg from the DOM
  grab the c_user cookie
  pick a message at random from one of the following (German; English gloss in brackets):
    msg[0]=" das wirst du niemals glauben, die Frau hat echt nen Wurm im Kopf"; [you'll never believe this, the woman really has a worm in her head]
    msg[1]=", Gott die Frau hat einen Wurm im Kopf"; [, God, the woman has a worm in her head]
    msg[2]=" zieh dir das video rein"; [check out this video]
    msg[3]=" die meisten können das video nicht bis zum ende ansehen, du denn"; [most people can't watch the video to the end, can you?]
    msg[4]=" sowas hast du noch nicht gesehen. schau es dir an"; [you've never seen anything like this. take a look]
    msg[5]=" das ist echt unglaublich!"; [that's really unbelievable!]
    msg[6]=" das schrecklichste video ever"; [the most horrible video ever]
    msg[7]=" oh mein Gott..."; [oh my God...]
    msg[8]=" einfach nur krass"; [simply insane]
    msg[9]=" diese Frau hat echt einen Wurm im Kopf ... Unglaublich"; [this woman really has a worm in her head ... Unbelievable]
    msg[10]=" no comment";
    msg[11]=" ich sag dir, du wirst kotzen"; [I'm telling you, you'll puke]
  post to /ajax/pages/fan_status.php?__a=1 (http + https) to become a fan of 193608230734197 ("We love Amazon" page)
  go through the buddy list, extract online friends, and then send each one, via /ajax/sharer/submit/?__a=1, a link to 271819969526779 (a deleted page for a spammy video)
  post to all friends' walls, via /ajax/sharer/submit/?__a=1, a link to 271819969526779 (a deleted page for a spammy video)

Expected results:

It shouldn't steal Facebook data from cookies and the DOM, to then send messages to Facebook users via the user's account.
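The report above describes the add-on's behaviour by reading its overlay script: it lifts the fb_dtsg and post_form_id anti-CSRF tokens from the page, reads the c_user cookie, and then drives Facebook's own AJAX endpoints with the victim's session. The following is an added triage script, not code from the bug or from Mozilla: it unpacks an XPI (a zip file), reads the add-on id from install.rdf, and flags JavaScript files that contain the indicator strings named in the report. The sample XPI it builds in memory is constructed for offline testing and only mimics the reported logic; the install.rdf contents, file paths and the function names in the fake overlay are assumptions, and the add-on id "ff-ext@youtube" is taken from comment 1 below.

```python
"""Static triage of a Firefox XPI for the Facebook-abusing indicators
described in bug 719296. Added example; not part of the bug report."""
import io
import re
import zipfile

# Indicator strings taken from the report's description of ff-overlay.js.
INDICATORS = {
    "fb_dtsg_token": re.compile(r"fb_dtsg"),
    "post_form_id_token": re.compile(r"post_form_id"),
    "c_user_cookie": re.compile(r"c_user"),
    "fan_status_endpoint": re.compile(r"/ajax/pages/fan_status\.php"),
    "sharer_submit_endpoint": re.compile(r"/ajax/sharer/submit/"),
    "offsite_redirect": re.compile(r"https?://[\w.-]*yuotube\.info", re.I),
}

# Add-on id reported in comment 1 of the bug (assumed to be the blocked id).
BLOCKED_IDS = {"ff-ext@youtube"}

# install.rdf carries the id as <em:id>...</em:id> in the install manifest.
ID_RE = re.compile(r"<em:id>\s*([^<\s]+)\s*</em:id>")


def build_sample_xpi() -> bytes:
    """Constructed sample XPI for offline testing; NOT the real file."""
    overlay = r"""
// constructed fragment mimicking the reported ff-overlay.js logic (assumed)
if (location.host == "yuotube.info") {
  location.href = "http://yuotube.info/video.php";
}
if (location.host.indexOf("facebook.com") != -1) {
  var dtsg = document.getElementsByName("fb_dtsg")[0].value;
  var pfid = document.getElementsByName("post_form_id")[0].value;
  var uid = document.cookie.match(/c_user=(\d+)/)[1];
  sendForm("/ajax/pages/fan_status.php?__a=1", dtsg, pfid, uid);  // hypothetical
  sendForm("/ajax/sharer/submit/?__a=1", dtsg, pfid, uid);         // hypothetical
}
"""
    install_rdf = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>ff-ext@youtube</em:id>
    <em:name>YouTube Player</em:name>
  </Description>
</RDF>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", install_rdf)
        z.writestr("chrome/content/ff-overlay.js", overlay)
    return buf.getvalue()


def triage_xpi(data: bytes) -> dict:
    """Return the add-on id, whether it is on our block set, per-file
    indicator hits, and a verdict. A file is 'suspicious' only when it
    both harvests a token/cookie and talks to a Facebook AJAX endpoint."""
    tokens = {"fb_dtsg_token", "post_form_id_token", "c_user_cookie"}
    endpoints = {"fan_status_endpoint", "sharer_submit_endpoint"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        addon_id = None
        if "install.rdf" in names:
            m = ID_RE.search(z.read("install.rdf").decode("utf-8", "replace"))
            addon_id = m.group(1) if m else None
        hits = {}
        for name in names:
            if not name.endswith(".js"):
                continue
            text = z.read(name).decode("utf-8", "replace")
            found = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            if found:
                hits[name] = found
    suspicious = any(set(f) & tokens and set(f) & endpoints for f in hits.values())
    return {
        "addon_id": addon_id,
        "blocklisted": addon_id in BLOCKED_IDS,
        "hits": hits,
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    print(triage_xpi(build_sample_xpi()))
```

The verdict deliberately requires both a harvested credential (token or cookie) and a Facebook write endpoint in the same file: a legitimate add-on might mention c_user or fb_dtsg on its own, but reading them and then calling sharer/submit from content script is the pattern the report describes. To use it on a real sample, pass the bytes of the downloaded .xpi to triage_xpi instead of the constructed one.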
Comment 1•12 years ago
Id: ff-ext@youtube
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 2•12 years ago
Blocked.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 3•12 years ago
Here it is: https://addons.mozilla.org/en-US/firefox/blocked/i52
Comment 4•12 years ago
Please file these bugs in the Blocklisting component in the future.
Component: Add-on Security → Blocklisting
Updated•8 years ago
Product: addons.mozilla.org → Toolkit