Last Comment Bug 738282 - Malicious "Fblixx" add-on
: Malicious "Fblixx" add-on
Status: RESOLVED FIXED
:
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: Jorge Villalobos [:jorgev]
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-22 09:03 PDT by MarkH
Modified: 2016-03-07 15:30 PST (History)
4 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
20120321_facemii.zip (password is 'infected') (1.67 MB, application/octet-stream)
2012-03-22 09:03 PDT, MarkH
no flags Details

Description MarkH 2012-03-22 09:03:02 PDT
Created attachment 608349 [details]
20120321_facemii.zip (password is 'infected')

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11

Steps to reproduce:

Downloaded / installed an add-on from http://facemil[.]com/install.xpi


Actual results:

This one loads all of its Facebook functionality from https://facemil/[.]com/load.js?<random_float_number>.

load.js:

injects a script tag into <body> of the FB DOM

grabs your FB cookies/tokens

extracts your friends list

Posts status update with one of the following msgs:

possibleMessages =
[
"Facebook Now Has A Dislike button!\nEnable The Dislike Button Here\n",
"Switch Your facebook profile to 1 of 5 Different Colors And Themes. Choose yours Here: ",
"Switch To Pink Facebook (Limited Time!)\nClick here\n"
]

... with the URL, http://bit/[.]ly/GEC1us.

It also sends a chat message to "<Friend_Name> you can now change the color of Facebook! Look at the link on my wall."

Injects an <iframe>, for 10 seconds, that loads https://facemil/[.]com/wiggleWiggle.php

Does campaign tracking via a hidden <img> tag loading http://whos.amung.us/swidget/lalalaplugin[.]gif

Injects https://facemil/[.]com/dislike.js, which harvests cookies as well and injects a 'dislike' function. That functionality sends your UID and the UIDs of those whose comments you 'dislike' to https://facemil.com/postOn.php?post



Expected results:

It should not steal your Facebook cookies, post to Facebook as you without your consent, or send your and your friends' Facebook user IDs to a third-party server.
Comment 1 Jorge Villalobos [:jorgev] 2012-03-22 10:36:23 PDT
ID: crossriderapp3924@crossrider.com
Comment 2 Jorge Villalobos [:jorgev] 2012-03-22 10:39:23 PDT
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i76

Note You need to log in before you can comment on or make changes to this bug.