Blocklist malicious 'timelineclose' add-on

RESOLVED FIXED

Status

Toolkit
Blocklisting
5 years ago
a year ago

People

(Reporter: jorgev, Assigned: jorgev)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

23.26 KB, application/x-zip-compressed
(Assignee)

Description

5 years ago
Created attachment 637980 [details]
Timeline close

(Filing on Mark's behalf, due to Bugzilla problems)

Download URLs:
Chrome: www.timelineclose.com/index2.php
FF: www.timelineclose.com/index1.php

Analysis of zamantuneli.kadir.xpi

Metadata claims that it's written by Facebook to turn off timeline.

Add-on loads adobeflashplayer.js from its own code

Adobeflashplayer.js:
Injects timelineclose.com/user/profil.js

Profile.js:
Injects timelineclose.com/users/profil.php

Profil.php:
Hijacks a victim's Facebook session and subscribes them to 18 Facebook
accounts


It shouldn't claim to be a Facebook add-on and then hijack your session to
subscribe you to multiple accounts of people you don't know.

Attached file has the add-on and remote JS.  Password is 'malwares4mple'.
(Assignee)

Comment 1

5 years ago
Id: {392e123b-b691-4a5e-b52f-c4c1027e749c}
(Assignee)

Comment 2

5 years ago
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i109
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → Toolkit
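
Added example, not part of the bug report or of Mozilla's blocklist code: a defender-side triage check that flags an XPI by the add-on ID from Comment 1 and by references to the domain named in the description. It assumes a legacy `install.rdf` manifest with `em:id` in element form; `scan_xpi`, `manifest_id`, `is_bad_host` and the sample archive are names and data constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
BLOCKED_IDS = {"{392e123b-b691-4a5e-b52f-c4c1027e749c}"}  # add-on ID from Comment 1
BAD_DOMAINS = {"timelineclose.com"}                       # domain from the description
HOST_RE = re.compile(rb"//([a-z0-9.-]+)", re.I)           # host part of URL-like strings

def manifest_id(rdf_bytes):
    """Return the add-on's own em:id (element form) from install.rdf, or None."""
    if b"<!DOCTYPE" in rdf_bytes or b"<!ENTITY" in rdf_bytes:
        return None  # untrusted XML: refuse DTDs rather than expand entities
    for desc in ET.fromstring(rdf_bytes).iter(RDF + "Description"):
        if (desc.get(RDF + "about") or desc.get("about")) == "urn:mozilla:install-manifest":
            return desc.findtext(EM + "id")
    return None

def is_bad_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def scan_xpi(data, max_member=5_000_000):
    """Return sorted (kind, member, detail) findings for an XPI supplied as bytes."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.file_size > max_member:
                continue  # skip oversized members (zip-bomb guard)
            body, name = xpi.read(info), info.filename
            if name == "install.rdf" and manifest_id(body) in BLOCKED_IDS:
                findings.add(("blocked-id", name, manifest_id(body)))
            elif name.lower().endswith((".js", ".xul", ".html")):
                hosts = {m.group(1).decode("ascii").lower() for m in HOST_RE.finditer(body)}
                findings.update(("remote-host", name, h) for h in hosts if is_bad_host(h))
    return sorted(findings)

def build_sample_xpi():
    """Constructed sample that mimics the reported chain; not the real attachment."""
    rdf = (b'<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
           b'<Description about="urn:mozilla:install-manifest">'
           b'<em:id>{392e123b-b691-4a5e-b52f-c4c1027e749c}</em:id></Description></RDF>')
    js = b's.src = "http://www.timelineclose.com/user/profil.js";'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
        z.writestr("chrome/content/adobeflashplayer.js", js)
    return buf.getvalue()
```

A domain match only covers URLs present in the packaged files; scripts fetched at run time, such as the second-stage profil.js described above, have to be retrieved and scanned separately.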