Malicious add-on support@vide1flash2.com aka "Lastest Adobe Flash Player"

RESOLVED FIXED

Status

Toolkit
Blocklisting
RESOLVED FIXED
4 years ago
a year ago

People

(Reporter: nmaier, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
Created attachment 701617 [details]
MALICIOUS add-on, do not install

Just found the attached add-on in the wild on a relative's PC (Ubuntu, not that this matters).
Judging from the browser history it seems the add-on got to the system via a shady porn site with a "plugin is required to play this video" spoof.

It is a variant of bug 755443, etc.
The add-on acts as a loader for other, remotely retrieved JavaScript, which is then executed in chrome, hence at least being able to compromise the whole active user account.

I suggest immediately blocklisting the add-on in question, id support@vide1flash2.com, and also putting the location of the remote script http://mio98.hk/j.php into the attack sites list! Don't omit the attack sites please, as at least bug 755443 uses the same URL. 

Would it be possible to grab the update ping logs and grep for similar ids, seeing that there is at least one other add-on with a very similar id?
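
The log search suggested above, sketched as an added example that is not part of the original bug report or of Mozilla's tooling. The request-line layout, the `id` query parameter and every sample id other than the reported one are constructed assumptions; digit runs are collapsed so that ids differing only in their numbers match.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit, parse_qs

KNOWN_BAD_ID = "support@vide1flash2.com"  # the id reported in this bug

# Constructed update-ping request lines; the layout and every id except
# KNOWN_BAD_ID are made up for this example.
SAMPLE_LOG = """\
GET /update/VersionCheck.php?reqVersion=2&id=support%40vide1flash2.com&version=1.0 HTTP/1.1
GET /update/VersionCheck.php?reqVersion=2&id=support%40vide2flash3.com&version=1.0 HTTP/1.1
GET /update/VersionCheck.php?reqVersion=2&id=%7B11111111-2222-3333-4444-555555555555%7D&version=2.1 HTTP/1.1
GET /update/VersionCheck.php?reqVersion=2&id=notes%40example.org&version=0.9 HTTP/1.1
GET /update/VersionCheck.php?reqVersion=2&id=support%40vide1flash2.com&version=1.0 HTTP/1.1
"""

def skeleton(addon_id):
    """Lower-case the id and collapse digit runs, so that
    'vide1flash2' and 'vide2flash3' compare equal."""
    return re.sub(r"\d+", "#", addon_id.lower())

def ids_in_log(log_text):
    """Yield the decoded 'id' query parameter of each logged request."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # not a request line
        ids = parse_qs(urlsplit(parts[1]).query).get("id")
        if ids:
            yield ids[0]

def similar_ids(log_text, known=KNOWN_BAD_ID, threshold=0.85):
    """Return {id: (score, hits)} for ids whose skeleton is close to the known one."""
    target = skeleton(known)
    found = {}
    for addon_id in ids_in_log(log_text):
        score = SequenceMatcher(None, skeleton(addon_id), target).ratio()
        if score >= threshold:
            _, hits = found.get(addon_id, (score, 0))
            found[addon_id] = (round(score, 2), hits + 1)
    return found

if __name__ == "__main__":
    for addon_id, (score, hits) in similar_ids(SAMPLE_LOG).items():
        print(f"{addon_id}\tscore={score}\thits={hits}")
```

The hit count per id gives a rough measure of how many installations are still checking for updates, which helps prioritise which look-alike ids to review for blocklisting first.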
(Reporter)

Comment 1

4 years ago
Created attachment 701618 [details]
De-minified, beautified loader js

Just in case somebody is wondering....
Group: client-services-security
Component: Add-on Security → Blocklisting
The add-on has been blocklisted: https://addons.mozilla.org/en-US/firefox/blocked/i246

As for adding the URL to the attack sites, I think all that is necessary is to submit it to Google. Is this correct?
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(Assignee)

Updated

a year ago
Product: addons.mozilla.org → Toolkit