Created attachment 600126 [details]
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
Steps to reproduce:
Add-on downloaded from https://imorse.net/publish-sync/download/firefox/publishsync.xpi
This one is written using Mozilla's JetPack APIs
The add-on injects the following JS files:
Injects some extra options into our privacy settings page, with specific support for Chinese language/locale
Attempts to authorize the FB app_id 279629492072378 with these permissions: publish_stream, offline_access, email, and manage_pages
Sends your UID, Name, Email, and Locale to http://imorse.net/publish-sync/facebook/checkaccount
Has logic to check if Facebook returns "you just sent the same message" or "you are sending too fast" warnings when it's posting as you without your knowledge.
Handles stealing your FB cookies
Sends spam with a link to this YouTube video
Injects this ad over our existing Facebook ads:
http://www.lativ.com.tw/Detail/03394021 with this image
If your vanity name is 'ValenHsu', it also injects an ad with a link to http://www.facebook.com/FamilyMart?sk=app_167110672433 and an iframe to load a like button for http://www.fever38.com/promotion?promoid=21033
It should not send you personal information to a third-party server without your consent. It should not steal cookies and install a Facebook application to enable posting as you without your consent.