Created attachment 608349 [details]
20120321_facemii.zip (password is 'infected')
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11
Steps to reproduce:
Downloaded / installed an add-on from http://facemil[.]com/install.xpi
This one loads all of its Facebook functionality from https://facemil/[.]com/load.js?<random_float_number>.
injects a script tag into <body> of the FB DOM
grabs your FB cookies/tokens
extracts your friends list
Posts status update with one of the following msgs:
"Facebook Now Has A Dislike button!\nEnable The Dislike Button Here\n",
"Switch Your facebook profile to 1 of 5 Different Colors And Themes. Choose yours Here: ",
"Switch To Pink Facebook (Limited Time!)\nClick here\n"
... with the URL, http://bit/[.]ly/GEC1us.
It also sends a chat message to "<Friend_Name> you can now change the color of Facebook! Look at the link on my wall."
Injects an <iframe>, for 10 seconds, that loads https://facemil/[.]com/wiggleWiggle.php
Does campaign tracking via a hidden <img> tag loading http://whos.amung.us/swidget/lalalaplugin[.]gif
Injects https://facemil/[.]com/dislike.js, which harvests cookies as well and injects a 'dislike' function. That functionality sends your UID and the UIDs of those whose comments you 'dislike' to https://facemil.com/postOn.php?post
It should not steal your Facebook cookies, post to Facebook as you without your consent, or send your and your friends' Facebook user IDs to a third-party server.