Extension block request: {d0aa0ad2-15ed-4415-8ef5-723f303c2a67}

RESOLVED FIXED

Status

enhancement
8 months ago
8 months ago

People

(Reporter: zitrobugs, Assigned: TheOne)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

8 months ago
Posted video video-a.mp4
Extension name: JS Switcher
Extension UUID: {d0aa0ad2-15ed-4415-8ef5-723f303c2a67}
Extension versions to block: 1.3.1
Applications, versions, and platforms affected: 
Block severity: (hard/soft) hard

Homepage, AMO listing, other references and contact info: 
h***://devprogext.cool/3/go/1462666/?csum=0QZqMlrJDSLintl2qcxRcD-d6oqlXyF5tEY2PdIt4Rdk0KM74f02GCFqKt1T-pTKz-4XB2o1aM_keq1yEYY9ow%2C%2C&_subid=3q8upjh1aj7qfl7gjmn5&_token=uuid_3q8upjh1aj7qfl7gjmn5_3q8upjh1aj7qfl7gjmn55b7c5d3d1d5d15.74402483
This is the address in my browser, which you see in video-a. But if you click it, you will only see a harmless-looking site (I think it needs a special referer and/or cookies to see the same as in the video).

On the site, the real mouse is mostly hidden and it changes to a fake mouse, and this fake mouse forces full-screen. You can leave fullscreen, but then the behavior starts all over again. (Right-click is also disabled on this site.)
In video-b, I move the mouse slowly from the bottom up. You can see how the right mouse turns into the fake mouse and jumps. (My right mouse in this video is the bigger black mouse)

Reasons: installs extension in fullscreen mode
Direct link to the extension above is: h***://devprogext.cool/ff//js_switcher-1.3.1-an+fx.xpi

Sometimes the same site also "offers" another extension also forced in fullscreen mode with:
Extension name: Reader FB2 
Extension UUID: {40a9d23b-09ef-4c82-ae1d-7fc5c067e987}
(Reporter)

Comment 1

8 months ago
Posted video video-b.mp4
Assignee: nobody → philipp
(Reporter)

Comment 2

8 months ago
The same behavior I described above is on this site http://fileextff.cool/3/go/O128DGOKAR-TM1QTN3UDME/?csum=KccbJEW2I1HYvpc6dKPmKlTf7p-eGlk6g-Oaj19UN817zCONbyC2dKFEcA0-Fpq1og1frD21ckIx808ewWhC_g%2C%2C&mtz=map&_subid=3q8upjh1aj82hgo37csv&_token=uuid_3q8upjh1aj82hgo37csv_3q8upjh1aj82hgo37csv5b7c7fd9eece01.25099992
It forces the installation of "TimeRescue" Version 3.6.0 UUID: {4ca00873-7e8d-4ada-b460-96cad0eb8fa9}
or "Instant Draw" Version 2.3.6 UUID {d8157e0c-bf39-42eb-a0c3-051ff9724a8c}

Or should I rather make a new bug report for every extension found with such site behavior?
Flags: needinfo?(philipp)
(Reporter)

Comment 3

8 months ago
The same behavior I described above is on this site h***://fileextff.cool/3/go/O128DGOKAR-TM1QTN3UDME/?csum=KccbJEW2I1HYvpc6dKPmKlTf7p-eGlk6g-Oaj19UN817zCONbyC2dKFEcA0-Fpq1og1frD21ckIx808ewWhC_g%2C%2C&mtz=map&_subid=3q8upjh1aj82hgo37csv&_token=uuid_3q8upjh1aj82hgo37csv_3q8upjh1aj82hgo37csv5b7c7fd9eece01.25099992
It forces the installation of "TimeRescue" Version 3.6.0 UUID: {4ca00873-7e8d-4ada-b460-96cad0eb8fa9}
or "Instant Draw" Version 2.3.6 UUID {d8157e0c-bf39-42eb-a0c3-051ff9724a8c}

Or should I rather make a new bug report for every extension found with such site behavior?
If it looks like the same kind of behavior or author, it is sufficient to mention further guids you find here. Thanks for providing these reports!
Flags: needinfo?(philipp)
Add-ons are running remote scripts from a cookie value, confirming.

GUIDs:

{d0aa0ad2-15ed-4415-8ef5-723f303c2a67}
{4ca00873-7e8d-4ada-b460-96cad0eb8fa9}
{d8157e0c-bf39-42eb-a0c3-051ff9724a8c}

There could possibly be more, but rg is taking too long. Andreas, can you run a search for the pattern I sent you via IRC to find more of these? Be prepared for false positives given the very generic string, and possibly limit your search to just xpis to save time. Otherwise, go ahead and stage the above GUIDs.
Flags: needinfo?(awagner)
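
The search over XPI files requested in the comment above, as an added example (not part of the original bug and not Mozilla's tooling). The pattern sent via IRC is not on this page, so the two regular expressions are an assumed heuristic; the function names are hypothetical and the sample XPIs and their IDs are constructed.

```python
import io, json, re, zipfile

# Assumed heuristic; the actual search pattern was shared over IRC and is not on this page.
COOKIE_READ = re.compile(r"document\.cookie|cookies\.get(?:All)?\s*\(")
CODE_SINK = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|executeScript\s*\([^)]*\bcode\s*:")

def addon_id(manifest):
    # Firefox accepts the add-on ID under either of these manifest keys.
    for key in ("browser_specific_settings", "applications"):
        section = manifest.get(key) if isinstance(manifest, dict) else None
        gecko = section.get("gecko") if isinstance(section, dict) else None
        if isinstance(gecko, dict) and gecko.get("id"):
            return gecko["id"]
    return None

def scan_xpi(data):
    # An XPI is a ZIP archive; anything else is reported instead of raising.
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"id": None, "hits": [], "error": "not a zip archive"}
    with archive:
        try:
            manifest = json.loads(archive.read("manifest.json"))
        except (KeyError, ValueError):
            manifest = {}  # missing or malformed manifest: still scan the scripts
        hits = []
        for name in archive.namelist():
            if name.endswith(".js"):
                text = archive.read(name).decode("utf-8", errors="replace")
                # Flag only scripts that both read a cookie and evaluate a string as code.
                if COOKIE_READ.search(text) and CODE_SINK.search(text):
                    hits.append(name)
    return {"id": addon_id(manifest), "hits": sorted(hits)}

def build_sample_xpi(guid, scripts):
    # Constructed in-memory XPI for the demonstration; not a real add-on.
    files = dict(scripts)
    files["manifest.json"] = json.dumps({"applications": {"gecko": {"id": guid}}})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()

# Constructed samples with placeholder IDs, not add-ons named in this bug.
SUSPECT = build_sample_xpi("{00000000-0000-0000-0000-000000000001}",
    {"bg.js": "var c = document.cookie.split('cfg=')[1]; eval(decodeURIComponent(c));", "ui.js": "console.log('ok');"})
BENIGN = build_sample_xpi("sample@example.invalid", {"prefs.js": "var dark = document.cookie.indexOf('theme=dark') >= 0;"})
```

Because the match is per-file co-occurrence of two generic strings, flagged scripts are candidates for manual review rather than confirmed clones.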
(Reporter)

Comment 6

8 months ago
Same behavior on another site
Extension name: Cute Bookmarks Guru
Extension UUID: {205c2185-ebe4-4106-92ab-0ffa7c4efcbb}
Extension versions: 2.3.6
(Assignee)

Updated

8 months ago
Assignee: philipp → awagner
Flags: needinfo?(awagner)
(Assignee)

Comment 7

8 months ago
Clones found:

(Assignee)

Comment 8

8 months ago
Clones/Variants:

(Assignee)

Comment 9

8 months ago
The block has been staged. Jorge, can you please review and push?
Flags: needinfo?(jorge)
Done.
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Flags: needinfo?(jorge)
Resolution: --- → FIXED