Last Comment Bug 738282 - Malicious "Fblixx" add-on
: Malicious "Fblixx" add-on
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
: unspecified
: All All
-- normal (vote)
: ---
Assigned To: Jorge Villalobos [:jorgev]
: Jorge Villalobos [:jorgev]
Depends on:
  Show dependency treegraph
Reported: 2012-03-22 09:03 PDT by MarkH
Modified: 2016-03-07 15:30 PST (History)
4 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments (password is 'infected') (1.67 MB, application/octet-stream)
2012-03-22 09:03 PDT, MarkH
no flags Details

Description User image MarkH 2012-03-22 09:03:02 PDT
Created attachment 608349 [details] (password is 'infected')

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11

Steps to reproduce:

Downloaded / installed an add-on from http://facemil[.]com/install.xpi

Actual results:

This one loads all of its Facebook functionality from https://facemil/[.]com/load.js?<random_float_number>.


injects a script tag into <body> of the FB DOM

grabs your FB cookies/tokens

extracts your friends list

Posts status update with one of the following msgs:

possibleMessages =
"Facebook Now Has A Dislike button!\nEnable The Dislike Button Here\n",
"Switch Your facebook profile to 1 of 5 Different Colors And Themes. Choose yours Here: ",
"Switch To Pink Facebook (Limited Time!)\nClick here\n"

... with the URL, http://bit/[.]ly/GEC1us.

It also sends a chat message to "<Friend_Name> you can now change the color of Facebook! Look at the link on my wall."

Injects an <iframe>, for 10 seconds, that loads https://facemil/[.]com/wiggleWiggle.php

Does campaign tracking via a hidden <img> tag loading[.]gif

Injects https://facemil/[.]com/dislike.js, which harvests cookies as well and injects a 'dislike' function. That functionality sends your UID and the UIDs of those whose comments you 'dislike' to

Expected results:

It should not steal your Facebook cookies, post to Facebook as you without your consent, or send your and your friends' Facebook user IDs to a third-party server.
Comment 1 User image Jorge Villalobos [:jorgev] 2012-03-22 10:36:23 PDT
Comment 2 User image Jorge Villalobos [:jorgev] 2012-03-22 10:39:23 PDT

Note You need to log in before you can comment on or make changes to this bug.