Created attachment 591974 [details]
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7
Steps to reproduce:
Downloaded the "applebees.xpi" from http://appbbb/[.]info/applebees/applebees.xpi
After install, the add-on grabbed some JS from from a remote server and began stealing a Facebook user's cookies to then send likes without the user's knowledge.
The add-on should not steal the cookies from the user's settings to send messages, without their knowledge, on Facebook.com.
The attached file has both the add-on and the remotely loaded JS. The password is 'infected'.