Bug 729356 - Malicious "Zuperface+" add-on
Status: RESOLVED FIXED (Closed)
Opened 13 years ago; closed 13 years ago
Product/Component: Toolkit :: Blocklist Policy Requests (defect)
Reporter: mhammell; Assigned: jorgev
Whiteboard: [Read comment #6 before posting!]
Attachments: 1 file (562.71 KB, application/octet-stream)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
Steps to reproduce:
Downloaded the extension from http://www.zuperface.com/firefox.html
Actual results:
addon loads adobeflashplayer.js
adobeflashplayer.js:
sets/reads state from local storage
sets up debugging options
if it's on a facebook domain, it injects http://speed.zuperface.com/zuperface.js
if it's on a google domain, it injects http://speed.zuperface.com/g.js
zuperface.js:
Grabs your basic details via http://graph.facebook.com/<uid>&callback=cins
Injects http://speed.zuperface.com/offline.js if it's turned off, otherwise injects http://speed.zuperface.com/zaza.js; both injects pass your UID to their server as GET params
Calls http://super.zuperface.com/reklam.html, which loads an image tag to http://whos.amung.us/widget/ksuw9d7f54el.png
zaja.js (several versions of this, based on the value of the 'cins' GET param):
cins=3
Injects a hidden iframe to http://speed.zuperface.com/letsgo.html? which includes your FB tokens for posting as GET params
Make a POST to http://www.facebook.com/ajax/follow/manage_subscriptions.php, to subscribe to FB user 1520948160
cins=1
Injects a hidden iframe of http://speed.zuperface.com/tokmak.php? which includes your FB open graph token, UID, sex, and an FB application ID as GET params
letsgo.html:
has the following FB app IDs: ['6802152230','176901472156','291549705119','5085647995'];
Creates an iframe for each app ID to http://173.244.196.29/~zuperfac/speed/sol.html? which includes your FB tokens for posting as GET params
sol.html:
Posts to http://www.facebook.com/connect/uiserver.php to give the passed in app ID full permissions to your Facebook account.
Password on the attached zip is 'infected'
Expected results:
It should not steal your Facebook user information/tokens; it should not give FB applications full access to your Facebook account without your consent.
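The report above describes session data (FB tokens, UID, app ID) leaving the browser as GET parameters to speed.zuperface.com hosts. The following is an added detection example, not code from the bug or the add-on: it scans constructed proxy-log lines and flags any request that sends Facebook session parameters to a host outside facebook.com. The parameter list, log format and placeholder token values are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Query-parameter names that identify a Facebook session or account.
# Assumed for this example, based on what the report says the add-on
# passes as GET params (posting tokens, UID, app ID).
SENSITIVE_PARAMS = {"access_token", "fb_dtsg", "uid", "app_id"}

# Only these domains (and their subdomains) may legitimately see them.
FACEBOOK_HOSTS = ("facebook.com",)

def is_facebook_host(host):
    """True if host is facebook.com or one of its subdomains."""
    if host is None:
        return False
    return any(host == h or host.endswith("." + h) for h in FACEBOOK_HOSTS)

def flag_request(url):
    """Return sorted sensitive params sent to a non-Facebook host, else []."""
    parsed = urlparse(url)
    if is_facebook_host(parsed.hostname):
        return []
    present = set(parse_qs(parsed.query))
    return sorted(present & SENSITIVE_PARAMS)

# Constructed proxy-log lines ("client method url"); the token, dtsg and
# app-id values are placeholders, not real credentials.
SAMPLE_LOG = """\
10.0.0.5 GET http://graph.facebook.com/100000000?callback=cins
10.0.0.5 GET http://speed.zuperface.com/zaza.js?uid=100000000&cins=3
10.0.0.5 GET http://speed.zuperface.com/letsgo.html?access_token=TOKEN_PLACEHOLDER&fb_dtsg=DTSG_PLACEHOLDER
10.0.0.5 POST http://www.facebook.com/ajax/follow/manage_subscriptions.php?fb_dtsg=DTSG_PLACEHOLDER
10.0.0.5 GET http://speed.zuperface.com/tokmak.php?uid=100000000&sex=m&app_id=APPID_PLACEHOLDER
"""

LINE_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)$")

def scan_log(text):
    """Return [(url, leaked_params)] for every request leaking session data off-Facebook."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        leaked = flag_request(m.group(3))
        if leaked:
            hits.append((m.group(3), leaked))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the three zuperface.com requests and leaves both facebook.com requests alone, which is the distinction a blocklist reviewer would want evidence of.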
Comment 1 • 13 years ago (Assignee)
This looks like a very elaborate Facebook customization add-on. I tested for a while and didn't see any bad behavior, like pages or apps suddenly added to my account. Even if it did that, it's insufficient for blocklisting.
Any privacy concerns should be voiced to the developers of this add-on, so they can fix them.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Jorge,
You won't see any visible bad behavior easily with this one, aside from a new person your Facebook account is subscribed to. The only other evidence you'll see in an account is four new FB apps installed. The problem, however, is that the four FB apps it installs are given full permissions to your account. That means they can post as you, from their own servers, whenever they want. As a result, we see significant amounts of spam coming from the bad actor's infrastructure, using the compromised accounts.
Comment 3 • 13 years ago (Assignee)
The add-on itself is not malicious in nature, compromising users' security or causing major stability problems. This doesn't qualify for blocklisting.
Jorge,
The add-on downloads malicious JS to get full access to a person's facebook account. That means their email address, their name, their phone number, the ability to post messages as them, to remove content as them, ...
This one is more malicious than the other add-ons that were blocked in the past.
Comment 5 • 13 years ago (Assignee)
I disagree. The other add-ons you have posted have the intent to deceive users and take advantage of them. They use shady temporary domains, change their code ever so slightly and distribute over and over.
This add-on looks like it has been worked on significantly, and it is actually meant to benefit users. It has the potential to access user information, but so can any add-on. Unless it is actively stealing info and you have evidence of this, I'll err on the side of caution and not blocklist an add-on that looks legitimate.
Comment 6 • 13 years ago (Assignee)
We have been given additional information about Zuperface+. It is adding apps to the Facebook accounts of its users, with full access permissions, without their consent. These apps generate spam posts. They are being disabled by Facebook, but the add-on gets new app ids dynamically, indicating malicious intent.
To users of Zuperface+: while this add-on can be useful, it is using your accounts for spamming purposes. We can't allow this, so we have decided to block Zuperface+, at least until they correct their behavior.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Whiteboard: [Read comment #6 before posting!]
Updated • 13 years ago
Assignee: nobody → jorge
Status: REOPENED → ASSIGNED
Comment 7 • 13 years ago (Assignee)
Softblock put in place: https://addons.mozilla.org/en-US/firefox/blocked/i69
Status: ASSIGNED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
Updated • 9 years ago
Product: addons.mozilla.org → Toolkit