Bug 730059 - Malicious "PublishSync" add-on
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-02-23 12:04 PST by MarkH
Modified: 2016-03-07 15:30 PST


Attachments
publishsync.xpi (324.61 KB, text/plain)
2012-02-23 12:04 PST, MarkH

Description MarkH 2012-02-23 12:04:07 PST
Created attachment 600126
publishsync.xpi

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Steps to reproduce:

Add-on downloaded from https://imorse.net/publish-sync/download/firefox/publishsync.xpi


Actual results:

This one is written using Mozilla's JetPack APIs

The add-on injects the following JS files:
client.facebook.js
facebook.js
site_facebook.js

client.facebook.js:
Injects some extra options into our privacy settings page, with specific support for Chinese language/locale

facebook.js:
Attempts to authorize the FB app_id 279629492072378 with these permissions: publish_stream, offline_access, email, and manage_pages

Sends your UID, Name, Email, and Locale to http://imorse.net/publish-sync/facebook/checkaccount

Has logic to check if Facebook returns "you just sent the same message" or "you are sending too fast" warnings when it's posting as you without your knowledge.

site_facebook.js:

Handles stealing your FB cookies

Sends spam with a link to this YouTube video
http://www.youtube.com/watch?v=-ONp6DQL6bM

Injects this ad over our existing Facebook ads:
http://www.lativ.com.tw/Detail/03394021 with this image
https://imorse.net/publish-sync/content/ads/images/2011-09-03_1717.jpg

If your vanity name is 'ValenHsu', it also injects an ad with a link to http://www.facebook.com/FamilyMart?sk=app_167110672433 and an iframe to load a like button for http://www.fever38.com/promotion?promoid=21033



Expected results:

It should not send your personal information to a third-party server without your consent. It should not steal cookies and install a Facebook application to enable posting as you without your consent.
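
The behaviours listed in the description above (requesting Facebook permissions that allow posting as the user, reading cookies, and sending data to a third-party host) can be checked for statically when reviewing an add-on's injected scripts. The following is an added example, not code from the add-on, the reporter or Mozilla; the function names, the `allowedHosts` parameter and the sample sources are constructed for illustration.

```javascript
// Added example: static triage of add-on script source for the behaviours
// this report lists. File contents below are constructed, inert samples.
const RISKY_FB_SCOPES = ['publish_stream', 'offline_access', 'manage_pages'];

// Returns findings for one script. allowedHosts is the reviewer's list of
// hosts the add-on is expected to contact (an assumption of this example).
function triageScript(name, source, allowedHosts) {
  const findings = [];
  // 1. Facebook permissions that let an app post or act as the user.
  const scopes = RISKY_FB_SCOPES.filter((s) => new RegExp(`\\b${s}\\b`).test(source));
  if (scopes.length) findings.push({ file: name, rule: 'fb-scope', detail: scopes.join(',') });
  // 2. Direct reads of the page's cookies.
  if (/\bdocument\s*\.\s*cookie\b/.test(source)) {
    findings.push({ file: name, rule: 'cookie-read', detail: 'document.cookie' });
  }
  // 3. Hard-coded URLs whose host is outside the allow-list.
  const flagged = new Set();
  for (const url of source.match(/https?:\/\/[^\s'"<>)]+/g) || []) {
    let host;
    try { host = new URL(url).hostname.toLowerCase(); } catch { continue; }
    const ok = allowedHosts.some((a) => host === a || host.endsWith('.' + a));
    if (!ok) flagged.add(host);
  }
  for (const host of flagged) findings.push({ file: name, rule: 'third-party-host', detail: host });
  return findings;
}

function triageAll(files, allowedHosts) {
  return Object.entries(files).flatMap(([n, src]) => triageScript(n, src, allowedHosts));
}

// Constructed sample sources (not taken from the reported add-on).
const SAMPLE = {
  'facebook.js': 'var scope = "publish_stream,offline_access,email,manage_pages";\n' +
    'var report = "http://collector.example/checkaccount";',
  'site_facebook.js': 'var c = document.cookie;\n' +
    'var like = "https://www.facebook.com/plugins/like.php";',
  'benign.js': 'var api = "https://graph.facebook.com/me"; var scope = "email";',
};

console.log(triageAll(SAMPLE, ['facebook.com']));
```

A finding is a prompt for manual review of the flagged file, not a verdict; string matching misses obfuscated or dynamically built values.
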
Comment 1 Jorge Villalobos [:jorgev] 2012-02-23 13:43:03 PST
Id: psid-vhvxQHMZBOzUZA@jetpack
Comment 2 Jorge Villalobos [:jorgev] 2012-02-23 13:45:25 PST
https://addons.mozilla.org/en-US/firefox/blocked/i70
