Last Comment Bug 722823 - Malicious "Divx" add-on
: Malicious "Divx" add-on
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
: unspecified
: All All
-- normal (vote)
: ---
Assigned To: Jorge Villalobos [:jorgev]
: Jorge Villalobos [:jorgev]
Depends on:
  Show dependency treegraph
Reported: 2012-01-31 12:45 PST by MarkH
Modified: 2016-03-07 15:30 PST (History)
4 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

20120131 (33.01 KB, application/octet-stream)
2012-01-31 12:45 PST, MarkH
no flags Details

Description User image MarkH 2012-01-31 12:45:11 PST
Created attachment 593191 [details]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7

Steps to reproduce:

Installed an add-on from

Actual results:

The update URL embedded in the Firefox version points to

The add-on injects youtube.js from the add-on into every page's DOM

That injects http://108.163.161/[.]66/~install/usa/script.js

... which injects http://choosingright/[.]info/extrapost.js

... which injects http://choosingright/[.]info/function.js

Function.js picks at random from an array of blog URLs

blogs[0] = '';
//blogs[0] = '';
//blogs[1] = '';
//blogs[2] = '';

It then grabs all of your friends via

It then posts a like of the URL chosen earlier with a comment of "REDICULOUS HAVE Y0U LOOKED AT THIS? @<friend_name> @<friend_name2>…", which will send a notification to each friend that they were mentioned in a comment and encourage them to click on the URL.

Expected results:

It should not steal your Facebook cookies and send likes to Facebook without your consent.
Comment 1 User image Jorge Villalobos [:jorgev] 2012-01-31 13:51:57 PST

Comment 2 User image Jorge Villalobos [:jorgev] 2012-01-31 13:55:00 PST

Note You need to log in before you can comment on or make changes to this bug.