Last Comment Bug 722526 - Malicious "Adobe Flash 11.3 Update" add-on
: Malicious "Adobe Flash 11.3 Update" add-on
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
: unspecified
: All All
-- normal (vote)
: ---
Assigned To: Jorge Villalobos [:jorgev]
: Jorge Villalobos [:jorgev]
Depends on:
  Show dependency treegraph
Reported: 2012-01-30 15:26 PST by MarkH
Modified: 2016-03-07 15:30 PST (History)
7 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

20120130 Adobe (7.63 KB, application/octet-stream)
2012-01-30 15:26 PST, MarkH
no flags Details

Description User image MarkH 2012-01-30 15:26:54 PST
Created attachment 592890 [details]
20120130 Adobe

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7

Steps to reproduce:

Downloaded the "Adobe Flash 11.3 Update" add-on from

Actual results:

After install, it injects main.js from the addon, which injects

ffunctions.js injects a script tag to load

Track.php which injects script tags to load

The likepage.php steals your FB cookies and sends likes.  It was configured to like this one 340392035980023

Wallpost.php is configurable, based on the GET params you pass to it.  It will build a custom JS file with your spam message and URL.

Expected results:

It shouldn't steal cookies from the browser and send likes to Facebook without the user's knowledge.
Comment 1 User image Jorge Villalobos [:jorgev] 2012-01-30 15:33:28 PST
Comment 2 User image Jorge Villalobos [:jorgev] 2012-01-30 15:42:48 PST
The id is safe to block, as far as I can see.
Comment 3 User image Scoobidiver (away) 2012-02-21 11:13:17 PST
This add-on changes its ID to avoid the blocklisting:
Comment 4 User image Jorge Villalobos [:jorgev] 2012-02-21 13:56:14 PST
Please file a new bug when it has a different ID. It's easier for us to track.

Note You need to log in before you can comment on or make changes to this bug.