Malicious "YouTube Player" add-on

RESOLVED FIXED

Toolkit
Blocklisting
6 years ago
2 years ago

People

(Reporter: MarkH, Assigned: jorgev)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 589718
youtube_player.xpi

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Steps to reproduce:

Users on Facebook are being encouraged to click on a link to http://wurm.yuovideo.info/video3.php

This redirects to youutuube.info with a fake video, asking the user to click on it to upgrade their video player

Clicking will push one of two malicious browser extensions:

(Firefox) http://p.nicefb.me/player/ff/youtube_player.xpi
(Chrome) http://p.nicefb.me/player/ff/youtube_player.crx




Actual results:

From the Firefox .xpi file, the "ff-overlay.js" file:

if on yuotube.info, redir to http://yuotube.info/video.php

if on facebook.com, do

grab post_form_id, fb_dtsg from DOM
grab c_user cookie

pick a message at random from one of the following:

msg[0]=" das wirst du niemals glauben, die Frau hat echt nen Wurm im Kopf";       
msg[1]=", Gott die Frau hat einen Wurm im Kopf";
msg[2]=" zieh dir das video rein";
msg[3]=" die meisten können das video nicht bis zum ende ansehen, du denn";
msg[4]=" sowas hast du noch nicht gesehen. schau es dir an";
msg[5]=" das ist echt unglaublich!";
msg[6]=" das schrecklichste video ever";
msg[7]=" oh mein Gott...";
msg[8]=" einfach nur krass";
msg[9]=" diese Frau hat echt einen Wurm im Kopf ... Unglaublich";
msg[10]=" no comment";
msg[11]=" ich sag dir, du wirst kotzen";

Post to /ajax/pages/fan_status.php?__a=1 (http + https)
to be a fan of 193608230734197 ("We love Amazon" page)

goes through the buddy list, extracts online friends
and then sends to each one via /ajax/sharer/submit/?__a=1 
a link to 271819969526779 (a deleted page for a spammy video)

Posts to all friends' walls:
/ajax/sharer/submit/?__a=1
a link to 271819969526779 (a deleted page for a spammy video)


Expected results:

It shouldn't steal Facebook data from cookies and the DOM, to then send messages to Facebook users via the user's account.
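
A static triage check for the behaviour described in this report, added here as an example and not part of the original bug or the add-on's code: it opens an .xpi as a zip archive, reads the id from install.rdf, and flags any script that both reads the Facebook tokens or cookie named above and references one of the posting endpoints. The function names, the sample archive and its id are constructed for illustration.

```python
import io
import re
import zipfile

# Indicators taken from the behaviour listed in this report.
INDICATORS = {
    "reads Facebook form tokens": re.compile(r"\b(fb_dtsg|post_form_id)\b"),
    "reads c_user cookie": re.compile(r"\bc_user\b"),
    "posts to sharer endpoint": re.compile(r"/ajax/sharer/submit/"),
    "posts to fan_status endpoint": re.compile(r"/ajax/pages/fan_status\.php"),
}
# Heuristic: take the first <em:id> element. targetApplication entries also
# carry an em:id, so confirm the value by hand before acting on it.
ID_RE = re.compile(r"<em:id>([^<]+)</em:id>")

def scan_xpi(data: bytes) -> dict:
    """Return the add-on id and the indicators found in each .js file."""
    report = {"id": None, "hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for name in xpi.namelist():
            text = xpi.read(name).decode("utf-8", errors="replace")
            if name == "install.rdf":
                match = ID_RE.search(text)
                report["id"] = match.group(1) if match else None
            elif name.endswith(".js"):
                found = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
                if found:
                    report["hits"][name] = found
    return report

def is_suspicious(report: dict) -> bool:
    """True when one script combines a token/cookie read with a posting endpoint."""
    for found in report["hits"].values():
        reads = any(label.startswith("reads") for label in found)
        posts = any(label.startswith("posts") for label in found)
        if reads and posts:
            return True
    return False

def build_sample_xpi() -> bytes:
    """Constructed sample archive; not the attachment from this bug."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf",
                   "<RDF><Description><em:id>sample@example.invalid</em:id></Description></RDF>")
        z.writestr("chrome/content/ff-overlay.js",
                   'var t = doc.getElementsByName("fb_dtsg")[0].value;\n'
                   'xhr.open("POST", "/ajax/sharer/submit/?__a=1");\n')
        z.writestr("chrome/content/util.js", "function noop() {}\n")
    return buf.getvalue()
```

A match is a reason to read the script by hand, not a verdict: the patterns are plain string checks and obfuscated code would not trigger them.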
(Assignee)

Comment 1

6 years ago
Id: ff-ext@youtube
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 2

6 years ago
Blocked.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Comment 3

6 years ago
Here it is: https://addons.mozilla.org/en-US/firefox/blocked/i52
Please file these bugs in Blocklisting component in the future.
Component: Add-on Security → Blocklisting
Product: addons.mozilla.org → Toolkit