Bug 769781 - Blocklist malicious 'timelineclose' add-on
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
Reported: 2012-06-29 13:13 PDT by Jorge Villalobos [:jorgev]
Modified: 2016-03-07 15:30 PST


Attachments
Timeline close (23.26 KB, application/x-zip-compressed)
2012-06-29 13:13 PDT, Jorge Villalobos [:jorgev]

Description Jorge Villalobos [:jorgev] 2012-06-29 13:13:38 PDT
Created attachment 637980
Timeline close

(Filing on Mark's behalf, due to Bugzilla problems)

Download URLs:
Chrome: www.timelineclose.com/index2.php
FF: www.timelineclose.com/index1.php

Analysis of zamantuneli.kadir.xpi

Metadata claims that it's written by Facebook to turn off timeline.

Add-on loads adobeflashplayer.js from its own code

Adobeflashplayer.js:
Injects timelineclose.com/user/profil.js

Profile.js:
Injects timelineclose.com/users/profil.php

Profil.php:
Hijacks a victim's Facebook session and subscribes them to 18 Facebook
accounts


It shouldn't claim to be a Facebook add-on and then hijack your session to
subscribe you to multiple accounts of people you don't know.

Attached file has the add-on and remote JS.  Password is 'malwares4mple'.

Comment 1 Jorge Villalobos [:jorgev] 2012-06-29 13:16:28 PDT
Id: {392e123b-b691-4a5e-b52f-c4c1027e749c}
Comment 2 Jorge Villalobos [:jorgev] 2012-06-29 13:20:46 PDT
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i109
