Blocklist potentially malicious Flash Player add-on

RESOLVED FIXED

Status

()

Toolkit
Blocklisting
RESOLVED FIXED
5 years ago
2 years ago

People

(Reporter: monzta-kw, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [extension])

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130201065344



Actual results:

I am one of the filter subscription mantainers of the "EasyList" filter for Adblock Plus. We get quite some reports about unblocked ads which are injected by a malicious "Flash Player" extension. 

Adblock Plus has an issue reporting feature to report unblocked ads or issues to the filterlist maintainers like me. Here are some issue reports of infected users: 

https://reports.adblockplus.org/5ac0b2fe-b529-465e-bbe6-3e1d4fc6a511#tab=requests 
https://reports.adblockplus.org/167a35da-eb11-1745-ba1b-87012b1d33ad#tab=screenshot 
https://reports.adblockplus.org/2b617aea-5d79-49a3-90d6-dd1764defc7f#tab=screenshot 

The problem is that the extension ID seems to be always a different one. These are the ones I collected so far: 

34qEOefiyYtRJT@IM5Munavn.com
Mro5Fm1Qgrmq7B@ByrE69VQfZvZdeg.com
KtoY3KGxrCe5ie@yITPUzbBtsHWeCdPmGe.com
9NgIdLK5Dq4ZMwmRo6zk@FNt2GCCLGyUuOD.com
NNux7bWWW@RBWyXdnl6VGls3WAwi.com
E3wI2n@PEHTuuNVu.com
2d3VuWrG6JHBXbQdbr@3BmSnQL.com
(Reporter)

Comment 1

5 years ago
Found another one: "Flash Player 11.1" ID is "support2_en@adobe14.com"

Comment 2

5 years ago
a similar extension which caused website redirects was also reported by a user on the mozilla support forums: https://support.mozilla.org/en-US/questions/953200

Name: Flash Player 11
ID: XN4Xgjw7n4@yUWgc.com

Updated

5 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [extension]
Do you have any samples of this malicious extension?
Blocked:
https://addons.mozilla.org/en-US/firefox/blocked/i324
https://addons.mozilla.org/en-US/firefox/blocked/i326

I needed 2 blocks because the ID input field has a size limit and these are just ugly regular expressions that | all the discovered IDs. Since they are randomized, I'm afraid these blocks won't be of much use :/
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 6

5 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #5)
> Blocked:
> https://addons.mozilla.org/en-US/firefox/blocked/i324
> https://addons.mozilla.org/en-US/firefox/blocked/i326
Typo in "pretending to the the Flash Player plugin."
(Reporter)

Comment 7

5 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #4)
> Do you have any samples of this malicious extension?

Unfortunately, I do not have any. 

New ID: zZ2jWZ1H22Jb5NdELHS@o0jQVWZkY1gx1.com (https://reports.adblockplus.org/b254eea6-bff4-d644-a1ef-1904a350990e#tab=screenshot)
(In reply to monzta-kw from comment #7)
> New ID: zZ2jWZ1H22Jb5NdELHS@o0jQVWZkY1gx1.com
> (https://reports.adblockplus.org/b254eea6-bff4-d644-a1ef-
> 1904a350990e#tab=screenshot)

I updated the block to include that ID, thanks.
Please file new bugs for new block requests.
(Assignee)

Updated

2 years ago
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.