Bug 716092: Malicious "ChatZum" Add-On
Status: RESOLVED WONTFIX (opened 13 years ago, closed 13 years ago)
Categories: Toolkit :: Blocklist Policy Requests, defect
Target Milestone: 6.3.7
People: Reporter: mhammell, Assigned: jorgev
Attachments: 3 files
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Steps to reproduce:
Installed the ChatZum browser add-on from www.chatzum.net.
Actual results:
After install, it injects JS into a user's FB profile and sends messages to their friends, without their knowledge. It also modifies the DOM to hide the messages sent out, stores its configuration in POST parameters sent to FB, changes the user's home page and default search provider.
Expected results:
It shouldn't be injecting JS and sending messages via FB without their knowledge and explicit consent.
Updated • 13 years ago
Assignee: nobody → jorge
Comment 1 • 13 years ago (Assignee)
Id: {ADFA33FD-16F5-4355-8504-DF4D664CFE63}
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 2 • 13 years ago (Assignee)
Added to blocklist.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → 6.3.7
The ChatZum app is not malware.
It enables FB users to hover zoom on pictures in FB.
We do not keep any user information and follow the privacy policy and terms agreement that is part of the installation.
The change of the search page is per the installation process and the user has the option to opt out of it during the installation process.
Also in the add-on itself we have an FAQ button that explains how to uninstall the add-on from any of the browsers it was installed on.
Please remove us from the block list,
we are getting many emails from users who ask why the app is not functioning.
We believed that such a removal process would include us in the decision process; a simple email to support@chatzum.com would have been appropriate.
Looking forward to continuing this in direct email.
Chatzum Support.
Comment 4 • 13 years ago (Assignee)
What about this? Are you saying these claims are false?
(In reply to Mark Hammell from comment #0)
> After install, it injects JS into a user's FB profile and sends messages to
> their friends, without their knowledge. It also modifies the DOM to hide
> the messages sent out, stores its configuration in POST parameters sent to
> FB.
Jorge,
The add-on injects a JavaScript into the page, but that is not hidden from the user. In order for the app to operate within FB and allow users to hover with the mouse and have images zoom, we have to do that; that is like any Greasemonkey script.
As for sending a message, we post on the wall like any other app on FB, and we send one message to the active person u are talking to once, not hiding it or anything,
not spamming anything and with the permission of the user in the T&C.
Last, we do not send out user information, we don't collect any user information (name/email/age...) but only the public ID so we can have some statistics, nothing more than that.
I suggest u install the app and test it yourself.
Comment 7 • 13 years ago (Assignee)
Reopening to investigate this case.
The add-on posts something in the user's wall about using Chatzum, but nothing out of the ordinary. I didn't see any hidden or secret messages being sent to other users as the original post claims, which was my main reason behind blocking.
On the other hand, the add-on does change the homepage, default search engine and new tab page.
I'm leaning towards removing the block. fligtar, andrew, mark, any thoughts on this?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 8 • 13 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #7)
> On the other hand, the add-on does change the homepage, default search
> engine and new tab page.
>
> I'm leaning towards removing the block. fligtar, andrew, mark, any thoughts
> on this?
Assuming the add-on only changes the things you mention then I don't think a ban is justified as if it was listed on AMO those things (probably) wouldn't stop a preliminary approval.
Jorge, Andrew,
The add-on does change the user's search properties, but as part of the installation process users have the choice not to change those.
If u install the executable (windows only :| ) you can see the process and where it gives the users the option to opt out from this; also there are terms of service displayed to the user and a link to the privacy policy on the site.
http://www.chatzum.com/terms.html
http://www.chatzum.com/privacy.html
If there is anything we can provide please contact me directly on joe@chatzum.com or send a mail to support@chatzum.com
Joe.
Comment 10 • 13 years ago (Assignee)
We have decided that in its current state, the ChatZum add-on doesn't meet our blocklist criteria, and therefore it has been removed from it.
We can revisit this decision if new evidence is brought up or the add-on changes its behavior in a way that is deemed to be malicious.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
Comment 11 • 13 years ago (Reporter)
Comment 12 • 13 years ago (Reporter)
I recently was able to grab the latest JS that the add-on injects
http://d10noqxa27gsee.cloudfront[.]net/chatzum.js
injects a <script> tag to load https://d10noqxa27gsee.cloudfront[.]net/social.js
Social.js then steals a user's cookies and scrapes the Facebook DOM to send legit looking spammy messages. The JS includes the spam templates and spam URL construction logic.
I have attached the JS files to this ticket, which I downloaded from the cloudfront server approximately 10 minutes ago.
Comment 13 • 13 years ago
Mark, would you mind stop using the word steal, we do not send (or keep) any personal user data to our servers.
We use the Facebook ajax calls to be able to interact with the page to enable the normal use of the app. We post on the user wall same as any other app and send a notification to someone's friend to note the app has been installed. That's it, that is legit and not spammy. Please search Google for how and if anyone is saying the app is spammy but you.
These claims with no real reason behind, not reading terms of service, not reading privacy policy and only claiming 'hey look at me i found something' behavior is not acceptable to us. We have never received any mail from you regarding this, though there is an FAQ button on the app itself which explains how to remove the app and how to use it.
if you have claims, raise them in a proper manner and professional way.
looking forward to see the next flow chart you will create.
Chatzum Support.
Joe.
Comment 14 • 13 years ago
Please file these bugs in Blocklisting component in the future.
Component: Add-on Security → Blocklisting
Comment 15 • 13 years ago (Reporter)
This has returned, with Facebook spamming logic in Firefox.
The download is being served from https://d25pu8rpgqv7at.cloudfront.net/toolbar/cz/chatzum.exe
Native binary install, pushes toolbars for Chrome, FF, IE, and Safari.
FF XPI analysis:
Update URL: https://d10noqxa27gsee.cloudfront.net/toolbar/cz/update.xml
All JS, etc is packaged in a JAR.
One of the files in the JAR, loader.js, injects a <script> into the DOM head to load
http(s)://js.chatzum.com/chatzum.js?<random_number>
chatzum.js:
It goes through our DOM, injecting bits of code to "zoom" images when you hover on them. It also injects a label in our chat window, stating, "ChatZum is not a Facebook App"
the file also injects https://d10noqxa27gsee.cloudfront.net/social.js
social.js:
scrapes Facebook DOM and cookies for sending messages to Facebook, without the user's consent
Grabs its configuration from https://www.chatzum.com/is_allowed_to_send.php?src=<victims_fb_uid>&cb=social_fbactions.isAllowedCB
... which returns the spam template as a json array.
It then spams your friends via /ajax/messaging/send.php and /ajax/gigaboxx/endpoint/MessageComposerEndpoint.php
It also has JS to do wall posts (/ajax/updatestatus.php) and other calls.
Right now, it seems to spam each friend once via chat. It stores a cookie for each friend it has already spammed as "czvrl_uidd_<uid>" under the "www.facebook.com" context. But, it will only spam your friend if you initiate a chat with them (i.e. it prepends your first chat message to them with their spam).
It also removes the spam message they sent from the DOM in your chat windows, so you can't tell you're spamming your friends.
The best way to repro this is to:
- install the binary,
- start up FF,
- login to Facebook,
- send a message to a friend via chat,
- examine the chat messages received from the friend's account on another computer.
I also added a new attachment to the ticket, with all of the remote JS mentioned here.
A prior version of their product, ChatSend, still has its spam templates and code in this JS, just commented out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 16 • 13 years ago (Reporter)
Comment 17 • 13 years ago
Mark,
could you please explain the threat?
i understand that you do not like the chatzum software for some reason,
is it because its your job on facebook to try and remove any add-on that works with Facebook and enhances the user experience? if you are a threat analysis,
unlike the last time u claimed we steal user's info, please try to be specific about what is it that makes this service a threat to the user.
this is a browser extension, and not a facebook app, as you have said yourself,
the app specifically says that it is NOT a facebook app service.
It is legitimate for the app to send ONE message to a friend and only when he opens a chat window to that user. Facebook spams my inbox every time someone is tagging and had in the past spammed on everything that happened on your facebook.
Users are not complaining about chatzum; if anything we get very good feedback, and it actually, to our best understanding, makes the facebook experience better and even prolongs the time people spend on facebook.
There is clearly a button in the FAQ that explains how to uninstall the app if someone doesn't like it for some reason, and for any support email we respond swiftly and with a proper response.
We see that now u no longer claim that we steal user's private information, which we don't, and that's a step in the right direction.
Again, we understand you don't like toolbars, but browsers, and firefox in specific, unlike Facebook, is an open platform that enables users to make their decisions for themselves, and unless u explain what is the 'threat' to the user, i see no reason for you to be negative. If u want we can have an open and direct dialog to see if there are nuances that we can accept to change so facebook would feel better about the service; again, no email from you or anyone on your team was accepted on our system to be able to respond. We hope that you find this message in good spirit and do not target the chatzum service just because someone decided they don't like any addons to be integrated with a browser that uses Facebook site.
It came to be a longer message than planned, but i hope it clears things up.
Joe.
Comment 18 • 13 years ago (Assignee)
While we agree it's bad behavior, sending one hidden message promoting the add-on is not sufficient reason to blocklist.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → WONTFIX
Comment 19 • 13 years ago
Mark,
we took your comments into consideration, and we will add a screen that is displayed to the user that explains the fact that we send this message (although it appears in the T&C but to make it clearer we will have a window just for that), and explain how to opt out from it if someone wants to.
again, feel free to contact us directly if you want to discuss this further and make sure FB is also feeling comfortable with the chatzum service, which is a browser add-on for zooming on thumbnails and not a facebook app nor has a facebook page or affiliated in any way with facebook.
this new screen will be added in the next release due Feb 28th.
we hope this helps to ease your concerns and move forward,
we try to be positive and hope you as well,
Joe.
Comment 20 • 13 years ago
(In reply to support from comment #9)
> Jorge, Andrew,
>
> The add-on does change the users search properties, but as part of the
> installation process users have the choice not to change those.
> if u install the executable (windows only :| )you can see the process and
> where it gives the users the option to opt out from this, also there are
> terms of service displayed to the user and link to the privacy policy on the
> site.
>
> http://www.chatzum.com/terms.html
> http://www.chatzum.com/privacy.html
>
> if there is anything we can provide please contact me directly on
> joe@chatzum.com or send an mail to support@chatzum.com
>
> Joe.
This is all well and good Joe. The problem with your add on, however, comes when it is uninstalled. It is here when it is clear it is more than just an add on.
When the Chatzum add on is disabled in firefox, and removed from windows programs and features page, there is an expectation that all code is removed (firefox certainly indicates that it is not running any more).
But when you open a new tab, it still always defaults to the chatz search page, and creates a swathe of cookies from the site in the process. I've attempted to change this behaviour in settings (including blocking all cookies from your search site), but the page still loads regardless. Seeing as your addon is disabled at this point, this indicates that you have extra code running externally that bypasses Firefox's intent (which is to give the user complete and solid control of whether an add on is running).
My point is, your uninstall procedure does not actually completely uninstall from windows, and to remove the extra undesirable behaviour from firefox is not a trivial matter.
When I want to uninstall a program, I expect (No, Make that DEMAND) that an uninstall program gives a FULL uninstall feature. Nothing less. You need to rejig your program so that it returns firefox to its default state when opening a new tab (ie. it opens the homepage, not your search engine).
Until that day, your program is nothing but Malware.
Mike
Comment 21 • 13 years ago
Sorry, just an extra piece of information for you all.
I've just downloaded an add on that sets the default page for the new tab to whatever you want. It still doesn't work. I keep getting "search.chatzum.com"
In the end I had to get my hands dirty and edit the firefox settings file manually to get this behaviour to change.
That's great for me, but I feel sorry for any average user wanting to see the back end of your program. They'd be lost..... and more than a little frustrated.
Comment 22 • 13 years ago
mnkryder - this has been reported to us by a few users - it appears that this only happens with the latest FF released last week. We are looking to see if something changed in relation to how the homepage is set.
We believe that this is to do with a change related to "browser.newtab.url" done in the latest version.
We will keep you updated.
BTW you can also contact us directly on support@chatzum.com
Joe.
Comment 23 • 13 years ago
Thanks for this information guys.
I suddenly found ChatZum on my computer and couldn't get it off.
Contacted ChatZum support and they were most helpful, corrected it in a couple of emails.
It had been bundled with another program I had downloaded and was left behind - not their fault.
Comment 24 • 13 years ago
mnkryder - Alan
we have identified the issue, and till we release an update we have updated our FAQ to include manual instructions on how to fix the issue for FF13.
for anyone reading this it can be found at http://www.chatzum.com/faq.html
thank you for your attention and report about that, our users' satisfaction is our utmost important value.
Joe.
Comment 25 • 13 years ago
Uninstall ChatZum as detailed above
Open Firefox browser.
In the URL address bar type about:config
In the search box type homepage then hit enter button. You will get a warning, but go ahead.
You will see a list of items. Search for browser.startup.homepage
Double click this item.
Change to whatever you want the homepage/newtab to be.
Repeat the same steps for the value browser.newtab.url
Hope this helps.
Comment 26 • 13 years ago
(In reply to hardy_chick from comment #25)
> Uninstall ChatZum as detailed above
>
> Open Firefox browser.
>
> In the URL address bar type about:config
>
> In the search box type homepage then hit enter button. You will get a
> warning, but go ahead.
>
> You will see a list of items. Search for browser.startup.homepage
>
> Double click this item.
>
> Change to whatever you want the homepage/newtab to be.
>
> Repeat the same steps for the value browser.newtab.url
>
> Hope this helps.
Thanks hardy
these are the details as we provided them in the faq
*Attention FF13 user - homepage/newtab on uninstall is not removed
until we find a solution please follow these steps -
- first uninstall ChatZum using control panel or from the Add-on menu.
1. in the address bar type about:config
2. in the search box type homepage
3. you will see an item browser.startup.homepage
4. repeat the same steps 2 and 3 for the value browser.newtab.url
4. double click this item
5. change to whatever you want the homepage/newtab to be
Comment 27 • 13 years ago
Thanks to all above: I'm very glad to have found a solution to this annoying problem!
Susan R
Comment 28 • 13 years ago
Thank you for the helpful steps to remove ChatZum.
Dear Mr ChatZum, unfortunately your product is why many users have lost faith in the internet. It does NOT as you say "enhances the user experience", it frustrates ALL users. I do plead with you to stop preying on IT illiterate people with your inappropriate "software"
Kind Regards.
Comment 29 • 12 years ago
The Chatzum toolbar stealthily installed itself with an update to KMPlayer, despite my unchecking all the options for installing additional software. I'm using Firefox 14.0.1. I've uninstalled the toolbar and carried out the above steps to reset my new tabs.
However, Chatzum is still present somewhere within the browser. My search toolbar should use Google but was still defaulting to Chatzum yesterday. Today the search toolbar returns a "301 moved permanently" with an address of Apache/2.2.3 (CentOS) Server at search.chatzum.com Port 80 and a redirect request (blocked by RequestPolicy) to http://searchsafer.com.
Also, when I opened my browser and clicked on a bookmark to access my banking website, a chatzum page briefly appeared. This is very disturbing. This toolbar is malware, it is making unauthorized changes to my browser, it installed itself without my knowledge and it has altered browser settings in a way that I cannot rectify. As far as I am concerned this is a browser hijack and the toolbar should be permanently blocked by Mozilla. Chatzum = Chatscum.
Comment 30 • 12 years ago
lunar,
you understand we can't control a bundle install, that's the KMPlayer guys who should make sure that if you opt-out you are really opt-out, when they install the chatzum we have no control over the settings.
also to remove it from firefox
just type about:config in the address bar
in the search box type chatzum or safesearch and change it to Google or whatever you want it to be.
we are clearly giving step by step instructions for removing the software, and any email to support gets a response within couple hours.
in general the instructions are on
http://www.chatzum.com/faq.html
for firefox:
type about:config in the address bar
type chatzum in the search box that opens up on the second line
click on the items you want to change. (just double click on the search.chatzum.com and change it to google.com )
for chrome:
to remove it please follow the steps detailed on http://www.chatzum.com/faq.html
for chrome click on the wrench -> settings
first make sure you have removed the chatzum and new tab extensions - click extensions, stand on the extension name and click the trash bin icon.
then under options you will see the second paragraph "On Startup"
click on set pages to whatever you want.
to change the search engine under Settings you can see "Search"
click manage and set it to whatever you wish.
Support
Comment 31 • 12 years ago
Thanks for the reply Chatzum.
Your suggestions do not solve my problem. There is STILL a BUG after uninstalling this toolbar that is not resolved following the steps above.
Here is the bug - my search toolbar still defaults to chatzum even though chatzum returns no entries in an about:config search (except where I marked it as being untrusted by noscript). I can't see anything unusual when I type "search" in about:config and look at the entries there (here are a few examples:)
noscript.untrusted;chatzum.com http://chatzum.com https://chatzum.com
browser.search.defaultenginename;Google
browser.search.order.1;Google
browser.search.order.2;Yahoo
browser.search.order.3;Bing
The only solution I can find is to remove the search bar entirely and use the homepage to do my searches. Possibly a clean install of firefox would solve the problem, but even so there is an unresolved bug here! Is there a technical explanation for the issue with search? Anyone else have the same thing happen?
***
Specifically as a response to Chatzum, surely Chatzum have some sort of commercial arrangement to bundle this toolbar with kmplayer? If so, the manner in which Chatzum is bundled with kmplayer is something that Chatzum should exercise some control over, just as they would be expected to manage any other commercial relationship. I would suggest that someone in your organization has made a specific decision to bundle the software in a way that anyone who updates kmplayer gets chatzummed whether they want it or not. Maybe I'm too cynical, in which case can you confirm that kmplayer and Chatzum have no commercial relationship and that kmplayer/softonic derive no financial benefit from bundling the chatzum toolbar?
However it got there, this add-on hijacked my browser and altered important settings which could only be partially rectified using the about:config even after it was uninstalled. This is not normal. This is not acceptable. The add-on is either badly designed or has been specifically designed to make it difficult to get rid of. As for kmplayer, I certainly no longer trust them and will not be installing any future versions of their software.
Aggressively distributing the chatzum toolbar in an underhand manner, having it install itself without informed consent, hijacking my browser, and making it very hard to completely remove is a serious matter. Your toolbar is malware and you are wasting the time of everyone who has to mess about removing it. I do not see any apology from chatzum on this page, which suggests you live in a dreamworld where this kind of thing is perfectly acceptable.
Comment 32 • 12 years ago
This is definitely malware and should be blocked. I've spent several hours now trying to uninstall it. I think I've got rid of it from most places but it still persists as my default search engine when I type directly into the address bar. Chatzum, this is unacceptable and extremely frustrating!
Comment 33 • 12 years ago
lee - you can contact support@chatzum.com and we will be happy to help you out
the properties you need to change are about:config in address bar
then search for newtab and homepage change them to whatever you like.
you are three clicks away from removing chatzum.
Support.
Comment 34 • 12 years ago
Yes, I have tried all that and I think it is gone now. But why did it install itself in the first place. I DEFINITELY did NOT check the boxes which asked me if I wanted to install a toolbar/search engine. Even though I told it not to install these add-ons on my browser - it did.
Why should I be three click away from uninstalling malware when I told it NOT to install in the first place??
Comment 35 • 12 years ago
Chatzoom "searchsafe" keep to remain on my browser chrome and firefox.
I don't install this app and i pretend to delete and never see on my computer.
Somebody know what can i do?
I'm sorry for my ugly english!
Thanks
Comment 36 • 12 years ago
Same as me, i'm quoting all you wrote!
Any legal action for that?
(In reply to lunar-tuna from comment #29)
> The Chatzum toolbar stealthily installed itself with an update to KMPlayer,
> despite my unchecking all the options for installing additional software.
> I'm using Firefox 14.0.1. I've uninstalled the toolbar and carried out the
> above steps to reset my new tabs.
>
> However, Chatzum is still present somewhere within the browser. My search
> toolbar should use Google but was still defaulting to Chatzum yesterday.
> Today the search toolbar returns a "301 moved permanently" with an address
> of Apache/2.2.3 (CentOS) Server at search.chatzum.com Port 80 and a redirect
> request (blocked by RequestPolicy) to http://searchsafer.com.
>
> Also, when I opened my browser and clicked on a bookmark to access my
> banking website, a chatzum page briefly appeared. This is very disturbing.
> This toolbar is malware, it is making unauthorized changes to my browser, it
> installed itself without my knowledge and it has altered browser settings in
> a way that I cannot rectify. As far as I am concerned this is a browser
> hijack and the toolbar should be permanently blocked by Mozilla. Chatzum =
> Chatscum.
Comment 37 • 12 years ago
I've mailed to ads@chatzum.com, and i received correct instructions to remove the problem.
Thanks
Comment 38 • 12 years ago
It looks like Chatzum has overridden the home page, new tab page, search engine, and URL search engine.
I was using Google and am going back to it, by modifying the settings in about:config.
Home Page:
browser.startup.homepage = https://www.google.com
New tab:
browser.newtab.url = google.com
URL search (search engine used if you type in words in the URL):
keyword.url = http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
For the search engine (typing in the search box):
It was browser.search.selectedEngine = Search Safer
I changed it to
It was browser.search.selectedEngine = Google
It didn't seem to matter if I put gibberish there as long as it wasn't "Search Safer", since there seems to be a default search engine.
browser.search.defaultenginename = google
I had previously uninstalled the Chatzum toolbar, but it left all these entries around. The uninstall should at least do something to clean these up. Keep track of what was there before, perhaps. What's disconcerting to me, is if I have the string "Search Safer" in browser.search.selectedEngine, how does it know what page to go to? If I have uninstalled the toolbar, how does it know to map that name into a web page?
Comment 39 • 12 years ago
The last part, Chatzum had installed an XML file which mapped from the name "Search Safer" to the web page. This was buried in Documents and Settings (I have XP) under a directory called "searchplugins".
I would suggest removing this file (something like SearchSafer.xml). The uninstall should have done this already.
I searched my entire drive for the string "Search Safer" to find this file.
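The manual clean-up described in comments 25, 26, 38 and 39, written as a check (an added example, not part of any comment in this bug and not Mozilla's or ChatZum's code): it reads a profile's prefs.js and searchplugins folder and reports the leftovers those comments name. Assumptions: prefs.js and searchplugins/ sit directly in the profile folder, and the sample preference values, plugin XML and helper names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Preferences the commenters had to reset by hand (comments 25, 26 and 38).
WATCHED_PREFS = {
    "browser.startup.homepage",
    "browser.newtab.url",
    "keyword.url",
    "browser.search.selectedEngine",
    "browser.search.defaultenginename",
}
# Strings the thread ties to the leftovers (comments 29, 38 and 39).
INDICATORS = ("chatzum", "searchsafer", "search safer")
# One prefs.js entry has the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def has_indicator(text):
    lowered = text.lower()
    return any(marker in lowered for marker in INDICATORS)


def scan_prefs(prefs_text):
    """Return {name: value} for watched prefs whose value carries an indicator."""
    hits = {}
    for line in prefs_text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue  # header comments, blank lines, malformed entries
        name, value = match.group(1), match.group(2).strip().strip('"')
        if name in WATCHED_PREFS and has_indicator(value):
            hits[name] = value
    return hits


def scan_searchplugins(profile_dir):
    """Return names of searchplugins/*.xml files that mention an indicator."""
    plugin_dir = Path(profile_dir) / "searchplugins"
    if not plugin_dir.is_dir():
        return []
    return [
        path.name
        for path in sorted(plugin_dir.glob("*.xml"))
        if has_indicator(path.read_text(encoding="utf-8", errors="replace"))
    ]


def audit_profile(profile_dir):
    """Check both places where the thread found leftovers after uninstall."""
    prefs_file = Path(profile_dir) / "prefs.js"
    text = ""
    if prefs_file.is_file():
        text = prefs_file.read_text(encoding="utf-8", errors="replace")
    return {"prefs": scan_prefs(text), "searchplugins": scan_searchplugins(profile_dir)}


# Constructed sample data (not taken from a real profile).
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.chatzum.com/");
user_pref("browser.newtab.url", "http://search.chatzum.com/");
user_pref("browser.search.selectedEngine", "Search Safer");
user_pref("browser.search.defaultenginename", "Google");
user_pref("noscript.untrusted", "chatzum.com http://chatzum.com");
"""
SAMPLE_PLUGIN = "<SearchPlugin><ShortName>Search Safer</ShortName></SearchPlugin>"


def build_sample_profile(root):
    root = Path(root)
    (root / "searchplugins").mkdir(parents=True, exist_ok=True)
    (root / "prefs.js").write_text(SAMPLE_PREFS, encoding="utf-8")
    (root / "searchplugins" / "SearchSafer.xml").write_text(SAMPLE_PLUGIN, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(build_sample_profile(tmp)))
```

The noscript.untrusted entry in the sample mirrors comment 31: it mentions the domain but is the user's own block rule, so it is not reported.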
Comment 40 • 12 years ago
I agree that Chatzum is malware and should be blocked. The chatzum people argue that it is an enhancement to the browser, a positive thing! But then, why do you find so many questions in forums and blogs when you search for Firefox + chatzum + removal. It was installed on Firefox, IE, Google Chrome as well.
I have had much trouble removing it. First: uninstall, second: changing search engines, third: searching regedit for everything with chatzum and deleting that, fourth: deleting all files called chatzum..., but it still came back. It seems now that resetting everything with chatzum (about 25 entries) in Firefox in about:config has done the trick.
I do not have a facebook account, I have not installed kmplayer. So where did it come from? I suspect that chatzum was installed secretly bundled with Lizardtech's DjVu Browser plugin (although no evidence for this on the net!). My suspicion comes from the timestamp 2012-07-04 11:24 on chatzum_aff10_s.exe compared to DjVu being installed 2012-07-04 11:25. However, I do not want to verify this suspicion and risk getting chatzum back.
Updated • 9 years ago
Product: addons.mozilla.org → Toolkit