780918 - Malicious "emotimania" add-on

Status: VERIFIED FIXED

(Toolkit :: Blocklist Policy Requests, defect)

Description

[MarkH]

Attachment: 20120807_emotimania_firefox.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.57 Safari/537.1

Steps to reproduce:

Downloaded add-on from www.emotimania/plugin/memes/plugin_meme2.xpi


Actual results:

Loads memeplugin.js from the addon container

memeplugin.js:
defines a bunch of JS to do DOM/CSS manipulation
injects http://www.emotimania.com/memes/plugin/memeplugin.js

memeplugin.js (remote copy):
packed JS
inserts a whos.amung.us tag
inserts a Google Analytics tag (acct: UA-17000707-8)
injects 
http://www.emotimania.com/plugin/4dTgkd.js
http://www.emotimania.com/plugin/h4dfaK.js

4dTgkd.js:
Swaps out ads that are hosted via iframe with ads hosted on
http://www.mimejoorfrase.com/ad.php

h4dfaK.js:
Injects an ad iframe pointing to http://ad.foxnetworks.com/st?ad_type=iframe&ad_size=728x90&section=3129889&pub_url=mimejoorfrase.com
It looks for a specific set of sites to inject on (incl. Facebook), most in the list are Spanish language sites.


Expected results:

It should not inject ads or replace ads on the sites a user visits, without their knowledge.

Comment 1

[Jorge Villalobos [:jorgev] (he/him)]

The id had already been blocked (https://addons.mozilla.org/en-US/firefox/blocked/i115), but the wrong block level was set, so that's probably the reason it wasn't working correctly.

Fixed now.

Comment 2

[Iulian Timis]

Verified as fixed in https://addons.mozilla.org/ on FF21 (Win 7).
The add-on has been blocked.
Closing bug.