Note: There are a few cases of duplicates in user autocompletion which are being worked on.

Malicious "PublishSync" add-on

RESOLVED FIXED

Status

()

Toolkit
Blocklisting
RESOLVED FIXED
6 years ago
a year ago

People

(Reporter: MarkH, Assigned: jorgev)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

324.61 KB, text/plain
Details
(Reporter)

Description

6 years ago
Created attachment 600126 [details]
publishsync.xpi

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Steps to reproduce:

Add-on downloaded from https://imorse.net/publish-sync/download/firefox/publishsync.xpi


Actual results:

This one is written using Mozilla's JetPack APIs

The add-on injects the following JS files:
client.facebook.js
facebook.js
site_facebook.js

client.facebook.js:
Injects some extra options into our privacy settings page, with specific support for Chinese language/locale

facebook.js:
Attempts to authorize the FB app_id 279629492072378 with these permissions: publish_stream, offline_access, email, and manage_pages

Sends your UID, Name, Email, and Locale to http://imorse.net/publish-sync/facebook/checkaccount

Has logic to check if Facebook returns "you just sent the same message" or "you are sending too fast" warnings when it's posting as you without your knowledge.

site_facebook.js:

Handles stealing your FB cookies

Sends spam with a link to this YouTube video
http://www.youtube.com/watch?v=-ONp6DQL6bM

Injects this ad over our existing Facebook ads:
http://www.lativ.com.tw/Detail/03394021 with this image
https://imorse.net/publish-sync/content/ads/images/2011-09-03_1717.jpg

If your vanity name is 'ValenHsu', it also injects an ad with a link to http://www.facebook.com/FamilyMart?sk=app_167110672433 and an iframe to load a like button for http://www.fever38.com/promotion?promoid=21033



Expected results:

It should not send you personal information to a third-party server without your consent.  It should not steal cookies and install a Facebook application to enable posting as you without your consent.
(Assignee)

Comment 1

6 years ago
Id: psid-vhvxQHMZBOzUZA@jetpack
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 2

6 years ago
https://addons.mozilla.org/en-US/firefox/blocked/i70
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.