Malicious "Zuperface+" add-on
6 years ago
2 years ago
(Reporter: MarkH, Assigned: jorgev)




(Whiteboard: [Read comment #6 before posting!])


(1 attachment: 562.71 KB, application/octet-stream)


6 years ago
Created attachment 599404 [details]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Steps to reproduce:

Downloaded the extension from

Actual results:

add-on loads adobeflashplayer.js


sets/reads state from local storage
sets up debugging options
if it's on a facebook domain, it injects
if it's on a google domain, it injects


Grabs your basic details via <uid>&callback=cins

Injects if it's turned off, otherwise injects; both injects pass your UID to their server as GET params

Calls, which loads an image tag to

zaja.js (several versions of this, based on the value of the 'cins' GET param):

Injects a hidden iframe to which includes your FB tokens for posting as GET params
Makes a POST to, to subscribe to FB user 1520948160

Injects a hidden iframe of which includes your FB open graph token, UID, sex, and an FB application ID as GET params


has the following FB app IDs: ['6802152230','176901472156','291549705119','5085647995'];

Creates an iframe for each app ID to which includes your FB tokens for posting as GET params


Posts to to give the passed in app ID full permissions to your Facebook account.

Password on the attached zip is 'infected'

Expected results:

It should not steal your Facebook user information/tokens; it should not give FB applications full access to your Facebook account without your consent.
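The report above describes behaviour that is only visible in the add-on's network traffic: remote scripts pulled in at run time, hidden iframes and image tags whose GET parameters carry the user's UID and Facebook tokens, and tokens paired with app IDs. The following is an added example (not code from this report, from the add-on, or from Mozilla): a small Node.js script that classifies the outbound URLs captured while an add-on runs in a sandbox (from a proxy or the browser's network log) and flags those patterns. The capture, the .invalid hostnames, the TOKEN placeholders and the parameter names (access_token, uid, app_id and so on) are constructed assumptions that match the shapes described above; the real URLs are not on this page.

```javascript
// Added example (not the Zuperface+ code): classify outbound URLs captured
// while an add-on runs in a sandbox, and flag the patterns in the report:
// remote script loads, FB tokens/identity sent to third-party hosts as
// GET parameters, and tokens paired with an app ID.

// Parameter names that carry a credential, an identity attribute, or an app ID.
// Assumed names; the report only says "FB tokens", "UID", "sex" and "app ID".
const TOKEN_PARAMS = new Set(["access_token", "oauth_token", "token", "fb_dtsg"]);
const IDENTITY_PARAMS = new Set(["uid", "user_id", "sex", "email"]);
const APP_ID_PARAMS = new Set(["app_id", "client_id", "api_key"]);

// Hosts a Facebook add-on legitimately talks to; anything else is third party.
const FIRST_PARTY = ["facebook.com", "fbcdn.net"];

// Constructed sample capture. Hostnames use the reserved .invalid TLD and the
// token values are placeholders; only the parameter shapes follow the report.
const OBSERVED_URLS = [
  "https://example-cdn.invalid/adobeflashplayer.js",
  "https://example-c2.invalid/zaja.js?cins=2",
  "https://example-c2.invalid/p.gif?cins=2&uid=100000000000001",
  "https://example-c2.invalid/sub.php?uid=100000000000001&access_token=TOKEN&app_id=6802152230",
  "https://example-c2.invalid/sub.php?uid=100000000000001&access_token=TOKEN&app_id=176901472156",
  "https://example-c2.invalid/sub.php?uid=100000000000001&access_token=TOKEN&app_id=291549705119",
  "https://example-c2.invalid/sub.php?uid=100000000000001&access_token=TOKEN&app_id=5085647995",
  "https://example-c2.invalid/og.php?uid=100000000000001&sex=male&oauth_token=TOKEN&app_id=6802152230",
  "https://www.facebook.com/ajax/feed?uid=100000000000001",
  "/relative/only", // not an absolute URL; skipped by triage()
];

function isFirstParty(host) {
  return FIRST_PARTY.some((d) => host === d || host.endsWith("." + d));
}

// Returns a finding for one URL, or null when it cannot be parsed.
function classifyUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  const keys = [...u.searchParams.keys()];
  const tokens = keys.filter((k) => TOKEN_PARAMS.has(k));
  const identity = keys.filter((k) => IDENTITY_PARAMS.has(k));
  const appIds = keys.filter((k) => APP_ID_PARAMS.has(k)).map((k) => u.searchParams.get(k));

  let kind = "request";
  if (/\.js$/i.test(u.pathname)) kind = "script";
  else if (/\.(gif|png|jpg)$/i.test(u.pathname)) kind = "pixel";

  const thirdParty = !isFirstParty(u.hostname);
  const flags = [];
  if (kind === "script" && thirdParty) flags.push("remote-script");
  if (tokens.length && thirdParty) flags.push("token-to-third-party");
  if (identity.length && thirdParty) flags.push("identity-to-third-party");
  if (tokens.length && appIds.length) flags.push("token-paired-with-app-id");
  return { host: u.hostname, path: u.pathname, kind, tokens, identity, appIds, flags };
}

// Aggregates findings over a capture: which app IDs were handed a token, which
// hosts received tokens, and which remote scripts were pulled in.
function triage(urls) {
  const findings = urls.map(classifyUrl).filter((f) => f !== null);
  const has = (flag) => findings.filter((f) => f.flags.includes(flag));
  const appIds = [...new Set(has("token-paired-with-app-id").flatMap((f) => f.appIds))].sort();
  const tokenSinks = [...new Set(has("token-to-third-party").map((f) => f.host))].sort();
  const remoteScripts = has("remote-script").map((f) => f.host + f.path);
  return { findings, appIds, tokenSinks, remoteScripts };
}

const report = triage(OBSERVED_URLS);
console.log("remote scripts:", report.remoteScripts);
console.log("token sinks:   ", report.tokenSinks);
console.log("app IDs paired with a token:", report.appIds);
for (const f of report.findings.filter((f) => f.flags.length)) {
  console.log(`${f.host}${f.path} [${f.kind}] -> ${f.flags.join(", ")}`);
}
```

Run it with `node triage.js`. The script reads whatever app IDs appear in the capture rather than trusting the list embedded in the add-on, which matters when that list is fetched from the server at run time; feeding it a capture from the real add-on (the attached zip, run in an isolated profile) would show which hosts actually receive the tokens and which app IDs are paired with them.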

Comment 1

6 years ago
This looks like a very elaborate Facebook customization add-on. I tested for a while and didn't see any bad behavior, like pages or apps suddenly added to my account. Even if it did that, it's insufficient for blocklisting.

Any privacy concerns should be voiced to the developers of this add-on, so they can fix them.
Last Resolved: 6 years ago
Resolution: --- → INVALID

Comment 2

6 years ago

You won't see any visible bad behavior easily with this one, aside from a new person your Facebook account is subscribed to.  The only other evidence you'll see in an account is four new FB apps installed.  The problem, however, is that the four FB apps it installs are given full permissions to your account.  That means they can post as you, from their own servers, whenever they want.  As a result, we see significant amounts of spam coming from the bad actor's infrastructure, using the compromised accounts.

Comment 3

6 years ago
The add-on itself is not malicious in nature, compromising users' security or causing major stability problems. This doesn't qualify for blocklisting.

Comment 4

6 years ago

The add-on downloads malicious JS to get full access to a person's facebook account.  That means their email address, their name, their phone number, the ability to post messages as them, to remove content as them, ...

This one is more malicious than the other add-ons that were blocked in the past.

Comment 5

6 years ago
I disagree. The other add-ons you have posted have the intent to deceive users and take advantage of them. They use shady temporary domains, change their code ever so slightly and distribute over and over.

This add-on looks like it has been worked on significantly, and it is actually meant to benefit users. It has the potential to access user information, but so can any add-on. Unless it is actively stealing info and you have evidence of this, I'll err on the side of caution and not blocklist an add-on that looks legitimate.

Comment 6

6 years ago
We have been given additional information about Zuperface+. It is adding apps to the Facebook accounts of its users, with full access permissions, without their consent. These apps generate spam posts. They are being disabled by Facebook, but the add-on gets new app ids dynamically, indicating malicious intent.

To users of Zuperface+: while this add-on can be useful, it is using your accounts for spamming purposes. We can't allow this, so we have decided to block Zuperface+, at least until they correct their behavior.
Ever confirmed: true
Resolution: INVALID → ---
Whiteboard: [Read comment #6 before posting!]


6 years ago
Assignee: nobody → jorge

Comment 7

6 years ago
Softblock put in place:
Last Resolved: 6 years ago
Resolution: --- → FIXED
Product: → Toolkit