1049533 - Extension block request: FinFisher add-on

Status: RESOLVED FIXED

(Toolkit :: Blocklist Policy Requests, defect)

Description

[Tim Taubert [:ttaubert] (inactive)]

Extension name: Java_Plugin
Extension UUID: ec8030f7-c20a-464f-9b0e-13a3a9e97384
Extension versions to block: All
Applications, versions, and platforms affected: All?
Block severity: hard

Homepage, AMO listing, other references and contact info: 

Not listed on AMO.

Reasons:

FinFisher builds trojan horses that take over computers. I inspected the XPI of their extension that fakes a Java plugin. We should block it although it won't help much if they change it in the future. We might at least prevent some attacks with older versions.

Comment 1

[Tim Taubert [:ttaubert] (inactive)]

The same extension ID is used for a "Realplayer_Plugin" extension that fakes another plugin.

Comment 2

[Tim Taubert [:ttaubert] (inactive)]

Also used for another fake "Flash_Plugin" extension.

Comment 3

[Frederik Braun [:freddy]]

FWIW some install.rdf files list the UUID {92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a} for SeaMonkey.

Comment 4

[Jorge Villalobos [:jorgev] (he/him)]

ID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}

Comment 5

[Jorge Villalobos [:jorgev] (he/him)]

(In reply to Jorge Villalobos [:jorgev] from comment #4)
> ID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}

No, the add-on ID in the XPI is firefox-extension@mozilla.org

{ec8030f7-c20a-464f-9b0e-13a3a9e97384} is just the application ID.

Comment 6

[Jorge Villalobos [:jorgev] (he/him)]

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i688

This unintentionally uncovered some probably malicious add-ons that use the ID {ec8030f7-c20a-464f-9b0e-13a3a9e97384}. Kris, please file a separate bug for it.

Comment 7

[Kris Maglione [:kmag]]

That ID has been blocked since 2012. https://addons.mozilla.org/blocked/i115