Closed Bug 1557258 Opened 6 years ago Closed 6 years ago

Malicious tactics used to trick users into installing extensions

Categories

(Toolkit :: Blocklist Policy Requests, task)


RESOLVED FIXED

People

(Reporter: jwkbugzilla, Assigned: TheOne)

Details

The Facebook user https://www.facebook.com/HalloQuiz/ uses Facebook ads to direct users to quiz pages like https://www.hallo-quiz.com/tests/in-welchem-land-sollte-ich-leben/3. This page will then redirect to a different site (depending on user agent, only in Firefox and Chrome), the redirects I've observed so far were:

https://www.trouplet.com/tests/in-welchem-land-sollte-ich-leben/3
https://www.fimepobala.com/tests/in-welchem-land-sollte-ich-leben/3
https://www.fiktar.com/tests/in-welchem-land-sollte-ich-leben/3

Note that the redirect destinations only display with the right Referer value and sometimes seem to depend on the user agent as well.

These pages will pretend to be a quiz, yet upon answering the first question (male or female) they will ask you to install a browser extension which is supposedly required to continue. The extensions are:

https://www.trouplet.com/download/trouplet.xpi - extension@plgdehoverwikde, Wiki-Infos
https://www.fimepobala.com/download/fimepobala.xpi - app@plgdehotwittde, Soziale-Inhalt
https://www.fiktar.com/download/fiktar.xpi - plg@defdgajbisl, Bild vergrößern

That list is certainly not complete; Mozilla should be able to find more by looking for the "@plgde" or "plg@de" extension ID pattern, and maybe also @plgfr and plg@fr (I think that the developers here are French). Just for reference, the Chrome equivalents are (supposedly all by different authors):

https://chrome.google.com/webstore/detail/wiki-infos/ngloglaiefconbhbfcopfnkldoplolmk
https://chrome.google.com/webstore/detail/soziale-inhalt/kepfjfgffpipdmkcjnffehhnhcolpjkm
https://chrome.google.com/webstore/detail/bild-vergr%C3%B6%C3%9Fern/lflobpekfegbindbkclkkdgcbgkfgdip

I'm not entirely certain what the point here is, as the extensions don't appear to be malicious at this point. With Chrome I'd assume that a malicious update will be published once the extensions collect enough users. But the Firefox extensions are missing an update URL and cannot be updated - maybe whoever is behind this scheme simply doesn't realize it.

Another person reportedly didn't get redirected from https://www.hallo-quiz.com/tests/in-welchem-land-sollte-ich-leben/3 despite using Firefox, getting a legit opinion poll instead. So this behavior is probably triggered by a German IP address in addition to the user agent.
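Triage helper for the ID pattern and missing-update-URL trait described in the report above. This is an added example, not code from the bug or from Mozilla; the manifest field names follow the WebExtension manifest format, and the sample manifests are constructed from the three XPIs listed plus a hypothetical benign add-on.

```python
"""Flag add-on manifests whose gecko ID matches the "@plgXX" / "plg@XX" pattern
named in the report and note whether they carry an update_url
(added example; not code from the bug)."""
import re
from typing import Dict, List, Optional

# The report names "@plgde" / "plg@de" and suggests "@plgfr" / "plg@fr" as
# variants: "plg" plus a two-letter country code, on either side of the "@".
SUSPECT_ID = re.compile(r"^(?:[a-z-]+@plg[a-z]{2}[a-z]*|plg@[a-z]{2}[a-z]*)$", re.I)


def gecko_settings(manifest: Dict) -> Dict:
    """Return the gecko block from either manifest key Firefox accepts."""
    for key in ("browser_specific_settings", "applications"):
        gecko = manifest.get(key, {}).get("gecko")
        if isinstance(gecko, dict):
            return gecko
    return {}


def triage_manifest(manifest: Dict) -> Optional[Dict]:
    """Return a finding for a manifest whose ID matches the pattern, else None."""
    gecko = gecko_settings(manifest)
    ext_id = gecko.get("id", "")
    if not SUSPECT_ID.match(ext_id):
        return None  # a missing update_url alone is common and not a signal
    reasons = ["id matches the plg+country-code pattern"]
    if not gecko.get("update_url"):
        reasons.append("no update_url, so this self-hosted XPI cannot be updated")
    return {"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons}


def scan(manifests: List[Dict]) -> List[Dict]:
    """Run triage over a batch of parsed manifest.json dicts."""
    return [f for f in map(triage_manifest, manifests) if f]


# Constructed manifests modelled on the three XPIs listed in the report, plus a
# benign self-hosted add-on (hypothetical name and URL) that publishes update_url.
SAMPLE_MANIFESTS = [
    {"name": "Wiki-Infos", "browser_specific_settings": {"gecko": {"id": "extension@plgdehoverwikde"}}},
    {"name": "Soziale-Inhalt", "applications": {"gecko": {"id": "app@plgdehotwittde"}}},
    {"name": "Bild vergrößern", "browser_specific_settings": {"gecko": {"id": "plg@defdgajbisl"}}},
    {"name": "Example Helper", "browser_specific_settings": {"gecko": {
        "id": "helper@example.invalid", "update_url": "https://example.invalid/updates.json"}}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_MANIFESTS):
        print(finding["id"], "|", finding["name"], "|", "; ".join(finding["reasons"]))
```

Point it at manifest.json files extracted from downloaded XPIs to get a first-pass list; the ID pattern is a triage hint from the report, not proof of malice.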

Thank you, Wladimir, for filing this report. In the future, we kindly ask you to use our blocklist report form, which is the standard when creating a new bug on this component, or reachable using https://bugzilla.mozilla.org/form.blocklist

Clones:


I’ve reviewed the add-ons and confirmed they are executing remote code.

Assignee: nobody → awagner
Status: NEW → ASSIGNED

The block has been staged. Stuart, can you review and push?

Flags: needinfo?(scolville)

Redirecting to Jorge.

Flags: needinfo?(scolville) → needinfo?(jorge)

Done.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jorge)
Resolution: --- → FIXED

(In reply to Andreas Wagner [:TheOne] [use NI] from comment #3)

> I’ve reviewed the add-ons and confirmed they are executing remote code.

Andreas, I'm certainly not complaining about these extensions being blocklisted. However, where did you find remote code execution in these extensions? The ones I have do have code execution vulnerabilities, but that's due to missing sanitization of Wikipedia/Twitter API responses. So code executes in the context of a website, not the extension, only when the user hovers a link, and extension developers don't really control this code - not exactly your typical backdoor, rather hard to trigger. Am I missing something?

Flags: needinfo?(awagner)

I'm sorry, we do not share that information publicly to prevent copycats.

Flags: needinfo?(awagner)

(In reply to Andreas Wagner [:TheOne] [use NI] from comment #8)

> I'm sorry, we do not share that information publicly to prevent copycats.

Unfortunately, this means that the Chrome Web Store versions of these add-ons will stay online. I reported them a while ago but nothing happened. Maybe you could forward that info to Google at least?

Flags: needinfo?(awagner)

Reporting them was the appropriate action. It's up to Google to take action, if they decide their policies are violated.

Flags: needinfo?(awagner)