738282 - Malicious "Fblixx" add-on

Status: RESOLVED FIXED

(Toolkit :: Blocklist Policy Requests, defect)

Description

[MarkH]

Attachment: 20120321_facemii.zip (password is 'infected')

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11

Steps to reproduce:

Downloaded / installed an add-on from http://facemil[.]com/install.xpi


Actual results:

This one loads all of its Facebook functionality from https://facemil/[.]com/load.js?<random_float_number>.

load.js:

injects a script tag into <body> of the FB DOM

grabs your FB cookies/tokens

extracts your friends list

Posts status update with one of the following msgs:

possibleMessages =
[
"Facebook Now Has A Dislike button!\nEnable The Dislike Button Here\n",
"Switch Your facebook profile to 1 of 5 Different Colors And Themes. Choose yours Here: ",
"Switch To Pink Facebook (Limited Time!)\nClick here\n"
]

... with the URL, http://bit/[.]ly/GEC1us.

It also sends a chat message to "<Friend_Name> you can now change the color of Facebook! Look at the link on my wall."

Injects an <iframe>, for 10 seconds, that loads https://facemil/[.]com/wiggleWiggle.php

Does campaign tracking via a hidden <img> tag loading http://whos.amung.us/swidget/lalalaplugin[.]gif

Injects https://facemil/[.]com/dislike.js, which harvests cookies as well and injects a 'dislike' function. That functionality sends your UID and the UIDs of those whose comments you 'dislike' to https://facemil.com/postOn.php?post



Expected results:

It should not steal your Facebook cookies, post to Facebook as you without your consent, or send your and your friends' Facebook user IDs to a third-party server.

Comment 1

[Jorge Villalobos [:jorgev] (he/him)]

ID: crossriderapp3924@crossrider.com

Comment 2

[Jorge Villalobos [:jorgev] (he/him)]

Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i76