Bug 717165 - Malicious "Youtube player" Add-On
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-01-10 23:19 PST by MarkH
Modified: 2016-03-07 15:30 PST

Attachments (10.86 KB, application/octet-stream)
2012-01-10 23:19 PST, MarkH

Description MarkH 2012-01-10 23:19:39 PST
Created attachment 587610

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Steps to reproduce:

Downloaded and installed the "Youtube player" add-on from a malicious site, http://bbpeonf14.blogspot[.]com/.

The malicious add-on is currently hosted at http://anyhub[.]net/file/7av-youtube_player.xpi

Actual results:

Once installed, this add-on injects a series of <script> tags and hidden <iframes> into the DOM.  Those script tags and iframes continually reload a series of banner ads, to generate revenue for the add-on authors.

It provides no service to the user/victim, does not do what it claims (play Youtube videos), and brings browser performance to a crawl.

Expected results:

It shouldn't have done anything it actually did.
Comment 1 Jorge Villalobos [:jorgev] 2012-01-18 14:36:34 PST
Blocked at
Comment 2 Justin Scott [:fligtar] 2012-01-19 21:14:47 PST
Please file these bugs in Blocklisting component in the future.
