Closed
Bug 730059
Opened 13 years ago
Closed 13 years ago
Malicious "PublishSync" add-on
Categories
(Toolkit :: Blocklist Policy Requests, defect)
Toolkit
Blocklist Policy Requests
Tracking
()
RESOLVED
FIXED
People
(Reporter: mhammell, Assigned: jorgev)
Details
Attachments
(1 file)
324.61 KB,
text/plain
|
Details |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11 Steps to reproduce: Add-on downloaded from https://imorse.net/publish-sync/download/firefox/publishsync.xpi Actual results: This one is written using Mozilla's JetPack APIs The add-on injects the following JS files: client.facebook.js facebook.js site_facebook.js client.facebook.js: Injects some extra options into our privacy settings page, with specific support for Chinese language/locale facebook.js: Attempts to authorize the FB app_id 279629492072378 with these permissions: publish_stream, offline_access, email, and manage_pages Sends your UID, Name, Email, and Locale to http://imorse.net/publish-sync/facebook/checkaccount Has logic to check if Facebook returns "you just sent the same message" or "you are sending too fast" warnings when it's posting as you without your knowledge. site_facebook.js: Handles stealing your FB cookies Sends spam with a link to this YouTube video http://www.youtube.com/watch?v=-ONp6DQL6bM Injects this ad over our existing Facebook ads: http://www.lativ.com.tw/Detail/03394021 with this image https://imorse.net/publish-sync/content/ads/images/2011-09-03_1717.jpg If your vanity name is 'ValenHsu', it also injects an ad with a link to http://www.facebook.com/FamilyMart?sk=app_167110672433 and an iframe to load a like button for http://www.fever38.com/promotion?promoid=21033 Expected results: It should not send you personal information to a third-party server without your consent. It should not steal cookies and install a Facebook application to enable posting as you without your consent.
Assignee | ||
Comment 1•13 years ago
|
||
Id: psid-vhvxQHMZBOzUZA@jetpack
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee | ||
Comment 2•13 years ago
|
||
https://addons.mozilla.org/en-US/firefox/blocked/i70
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•9 years ago
|
Product: addons.mozilla.org → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•