Closed Bug 1364352 Opened 8 years ago Closed 8 years ago

Firefox tries to download malware when Zenmate plugin is installed

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: brad.inggs, Assigned: TheOne)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170504105526

Steps to reproduce:

Install Zenmate VPN plugin. Go to any website that has Flash enabled. For example, even go to the actual Adobe flashplayer website and the malware tries to download to your browser.

Actual results:

When on a website that has Flash, the plugin tries to download a file from https://ciuvo.com/ciuvo/globalstorage?version=2.0.4 which monitors your shopping. It enables and tries to download whenever Firefox browser goes to a Flash enabled website. After removing the Zenmate plugin, the issue disappears.

Expected results:

When visiting a website with Flash, there should be no call to a remote server trying to download malware.
Brad, thank you for the report, can you please tell us the link you downloaded that add-on from?
Assignee: nobody → awagner
Component: Untriaged → Blocklisting
Product: Firefox → Toolkit
Version: 53 Branch → unspecified
Flags: needinfo?(brad.inggs)
Hi Andreas, thanks for the swift action. I have tested across 3 Windows Pro PCs. They were downloaded from the actual Zenmate.com site as well as the add-on section.
Flags: needinfo?(brad.inggs)
To test, you can open a free trial with an email and install the add-on then just visit https://www.adobe.com/products/flashplayer.html as a quick way to witness it. My Bitdefender grabs the phishing attempt immediately luckily.
Can you please provide the link to the exact page you downloaded the add-on from?
Flags: needinfo?(brad.inggs)
Alternatively, providing the add-on ID (you can see it if you go to about:support with the add-on installed) would also work.
Sure, can get the ID, firefox@zenmate.com (version 5.10.2). It's in the Mozilla add-ons store and also accessible from zenmate.com. Thanks Andreas.
Flags: needinfo?(brad.inggs)
Thank you! I will have a look.
Thanks Andreas. I know Zenmate VPN is an extension/plugin but thought I'd raise it to Mozilla's security for attention as they might try to sneak something else through too with no notice as well. Spent two days trying to pin it down, thought it was Adobe, the browser, compromised ad networks, some infection somewhere, then after all the scanning I started going through the extensions/plugins and eventually noticed it was Zenmate. I see when googling, if someone tries to find out how to remove this spyware, it seems to send you to some dodgy sites that probably add some more wonderful spyware/malware along the way. Also, searching for the address specifically came up with some Russian sites that hid it in iframes. Looking forward to hearing from you. Thanks Andreas.
Thanks Brad, we have reached out to the developer and expect to hear back soon.
An update has been submitted and approved that removes this feature, so we won't go forward with blocking.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX