Created attachment 592070 [details]
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7
Steps to reproduce:
Add-on name "Plugin Video"
Add-on homepage http://123buzzbuzz.free.fr
Addon contains youtube.js, which injects <script> to load http://123buzzbuzz.free.fr/g.js
g.js injects <script> to load http://123buzzbuzz.free.fr/yeah.js
yeah.js does the following
steals the user's Facebook cookies / tokens
grabs their friends list
likes one of the following Facebook pages with ids "170270043065994","125634380874892","146184075465813","152559774839890","274266539251303","290925474288531","316272665054709"
spams one from a set of text / bit.ly URL combos onto the user's wall
all of the bit.ly URLs redirect to wholesale44.free.fr domain
it then posts one of the same msg / URL pairs to the Facebook open graph
It should not steal cookies from the user's Facebook session and send messages to the user's friends without their consent.
*** Bug 721641 has been marked as a duplicate of this bug. ***
*** Bug 728487 has been marked as a duplicate of this bug. ***