Created attachment 609513 [details] 20120326_niceoutlook.zip (password 'infected') User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11 Steps to reproduce: Downloaded plugin from http://niceoutlook.net/pp/profile.xpi Actual results: Uses http://verybigdays.net/connect.php as an update URL to download the remote JS and configuration as a JSON blob and stores it in HTML5 local storage. This injects inline, base64 encoded JS, a hidden div tag, a hidden iframe, and a hidden img tracker tag. The JS and div tag interact to create a hidden overlay in the top left-hand corner of the webpages viewed by the user. The hidden layer is a series of nested tables, with embedded images and links that are overlaid on the Facebook logo and user menu, clickjacking the user's actions on Facebook. Expected results: It shouldn't inject a hidden layer on top of the web pages used by the viewer to hijack their actions.