769781 - Blocklist malicious 'timelineclose' add-on

Status: RESOLVED FIXED

(Toolkit :: Blocklist Policy Requests, defect)

Description

[Jorge Villalobos [:jorgev] (he/him)]

Attachment: Timeline close

(Filing on Mark's behalf, due to Bugzilla problems)

Download URLs:
Chrome: www.timelineclose.com/index2.php
FF: www.timelineclose.com/index1.php

Analysis of zamantuneli.kadir.xpi

Metadata claims that it's written by Facebook to turn off timeline.

Add-on loads adobeflashplayer.js from it's own code

Adobeflashplayer.js:
Injects timelineclose.com/user/profil.js

Profile.js:
Injects timelineclose.com/users/profil.php

Profil.php:
Hijacks a victim's Facebook session and subscribes them to 18 Facebook
accounts


It shouldn't claim to be a Facebook add-on and then hDownload URLs:
Chrome: www.timelineclose.com/index2.php
FF: www.timelineclose.com/index1.php

Analysis of zamantuneli.kadir.xpi

Metadata claims that it's written by Facebook to turn off timeline.

Add-on loads adobeflashplayer.js from it's own code

Adobeflashplayer.js:
Injects timelineclose.com/user/profil.js

Profile.js:
Injects timelineclose.com/users/profil.php

Profil.php:
Hijacks a victim's Facebook session and subscribes them to 18 Facebook
accounts


It shouldn't claim to be a Facebook add-on and then hijack your session to
subscribe you to multiple accounts of people you don't know.

Attached file has the add-on and remote JS.  Password is 'malwares4mple'.
ijack your session to
subscribe you to multiple accounts of people you don't know.

Attached file has the add-on and remote JS.  Password is 'malwares4mple'.

Comment 1

[Jorge Villalobos [:jorgev] (he/him)]

Id: {392e123b-b691-4a5e-b52f-c4c1027e749c}

Comment 2

[Jorge Villalobos [:jorgev] (he/him)]

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i109