Bug 730059 - Malicious "PublishSync" add-on
Product: Toolkit
Classification: Components
Component: Blocklisting
Version: unspecified
Platform: All / All
Importance: -- normal
Target Milestone: ---
Assigned To: Jorge Villalobos [:jorgev]
QA Contact: Jorge Villalobos [:jorgev]
Reported: 2012-02-23 12:04 PST by MarkH
Modified: 2016-03-07 15:30 PST
CC: 4 users

Attachment: publishsync.xpi (324.61 KB, text/plain), 2012-02-23 12:04 PST, MarkH

Description MarkH 2012-02-23 12:04:07 PST
Created attachment 600126

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Steps to reproduce:

Add-on downloaded from

Actual results:

This one is written using Mozilla's JetPack APIs

The add-on injects the following JS files:

Injects some extra options into our privacy settings page, with specific support for Chinese language/locale

Attempts to authorize the FB app_id 279629492072378 with these permissions: publish_stream, offline_access, email, and manage_pages

Sends your UID, Name, Email, and Locale to

Has logic to check if Facebook returns "you just sent the same message" or "you are sending too fast" warnings when it's posting as you without your knowledge.
Handles stealing your FB cookies

Sends spam with a link to this YouTube video

Injects this ad over our existing Facebook ads: with this image

If your vanity name is 'ValenHsu', it also injects an ad with a link to and an iframe to load a like button for

Expected results:

It should not send your personal information to a third-party server without your consent. It should not steal cookies and install a Facebook application to enable posting as you without your consent.
Comment 1 Jorge Villalobos [:jorgev] 2012-02-23 13:43:03 PST
Id: psid-vhvxQHMZBOzUZA@jetpack
Comment 2 Jorge Villalobos [:jorgev] 2012-02-23 13:45:25 PST

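The remediation on this component is a blocklist keyed on the add-on ID given in comment 1. The following is an added example, not code from this bug or from Mozilla, of a defender-side check that reads the ID out of an XPI's install.rdf and compares it against a set of blocked IDs; it assumes the XPI carries an install.rdf manifest with an em:id (as Jetpack builds of that era did) and constructs its sample XPI in memory rather than using the real attachment.

```python
import io
import re
import zipfile

# Add-on ID as given in comment 1 of this bug.
BLOCKED_ADDON_IDS = {"psid-vhvxQHMZBOzUZA@jetpack"}

# em:id may appear as an element or as an RDF attribute; accept both forms.
EM_ID_RE = re.compile(r'<em:id>\s*([^<\s]+)\s*</em:id>|\bem:id="([^"]+)"')


def addon_id_from_xpi(xpi_bytes):
    """Return the em:id declared in install.rdf, or None if there is none."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        if "install.rdf" not in zf.namelist():
            return None
        manifest = zf.read("install.rdf").decode("utf-8", "replace")
    m = EM_ID_RE.search(manifest)
    return (m.group(1) or m.group(2)) if m else None


def is_blocklisted(xpi_bytes, blocked=BLOCKED_ADDON_IDS):
    """True when the XPI's declared add-on ID is on the block list."""
    return addon_id_from_xpi(xpi_bytes) in blocked


def build_xpi(addon_id, with_manifest=True):
    """Construct a minimal XPI in memory (sample data, not the real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr("install.rdf", f"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{addon_id}</em:id>
    <em:name>PublishSync</em:name>
  </Description>
</RDF>""")
        zf.writestr("bootstrap.js", "// placeholder add-on code\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(is_blocklisted(build_xpi("psid-vhvxQHMZBOzUZA@jetpack")))  # True
    print(is_blocklisted(build_xpi("benign-addon@example.com")))      # False
```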