Created attachment 608349 [details] 20120321_facemii.zip (password is 'infected') User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11 Steps to reproduce: Downloaded / installed an add-on from http://facemil[.]com/install.xpi Actual results: This one loads all of its Facebook functionality from https://facemil/[.]com/load.js?<random_float_number>. load.js: injects a script tag into <body> of the FB DOM grabs your FB cookies/tokens extracts your friends list Posts status update with one of the following msgs: possibleMessages = [ "Facebook Now Has A Dislike button!\nEnable The Dislike Button Here\n", "Switch Your facebook profile to 1 of 5 Different Colors And Themes. Choose yours Here: ", "Switch To Pink Facebook (Limited Time!)\nClick here\n" ] ... with the URL, http://bit/[.]ly/GEC1us. It also sends a chat message to "<Friend_Name> you can now change the color of Facebook! Look at the link on my wall." Injects an <iframe>, for 10 seconds, that loads https://facemil/[.]com/wiggleWiggle.php Does campaign tracking via a hidden <img> tag loading http://whos.amung.us/swidget/lalalaplugin[.]gif Injects https://facemil/[.]com/dislike.js, which harvests cookies as well and injects a 'dislike' function. That functionality sends your UID and the UIDs of those whose comments you 'dislike' to https://facemil.com/postOn.php?post Expected results: It should not steal your Facebook cookies, post to Facebook as you without your consent, or send your and your friends' Facebook user IDs to a third-party server.