User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130201065344

Actual results:

I am one of the filter subscription maintainers of the "EasyList" filter for Adblock Plus. We get quite some reports about unblocked ads which are injected by a malicious "Flash Player" extension. Adblock Plus has an issue reporting feature to report unblocked ads or issues to the filterlist maintainers like me.

Here are some issue reports of infected users:
https://reports.adblockplus.org/5ac0b2fe-b529-465e-bbe6-3e1d4fc6a511#tab=requests
https://reports.adblockplus.org/167a35da-eb11-1745-ba1b-87012b1d33ad#tab=screenshot
https://reports.adblockplus.org/2b617aea-5d79-49a3-90d6-dd1764defc7f#tab=screenshot

The problem is that the extension ID seems to be always a different one. These are the ones I collected so far:
34qEOefiyYtRJT@IM5Munavn.com
Mro5Fm1Qgrmq7B@ByrE69VQfZvZdeg.com
KtoY3KGxrCe5ie@yITPUzbBtsHWeCdPmGe.com
9NgIdLK5Dq4ZMwmRo6zk@FNt2GCCLGyUuOD.com
NNux7bWWW@RBWyXdnl6VGls3WAwi.com
E3wI2n@PEHTuuNVu.com
2d3VuWrG6JHBXbQdbr@3BmSnQL.com
Found another one: "Flash Player 11.1" ID is "firstname.lastname@example.org"
A similar extension which caused website redirects was also reported by a user on the Mozilla support forums: https://support.mozilla.org/en-US/questions/953200
Name: Flash Player 11
ID: XN4Xgjw7n4@yUWgc.com
A more recent report: https://reports.adblockplus.org/b42ef6ca-1d8e-bd45-bb8e-45bb5d9fb898#tab=screenshot
Extension ID: C7yFVpIP@WeolS3acxgS.com

Other IDs from the same extension I have collected so far:
Kbeu4h0z@yNb7QAz7jrYKiiTQ3.com
aWQzX@a6z4gWdPu8FF.com
CBSoqAJLYpCbjTP90@JoV0VMywCjsm75Y0toAd.com
Status: UNCONFIRMED → NEW
Ever confirmed: true
Do you have any samples of this malicious extension?
Blocked:
https://addons.mozilla.org/en-US/firefox/blocked/i324
https://addons.mozilla.org/en-US/firefox/blocked/i326

I needed 2 blocks because the ID input field has a size limit and these are just ugly regular expressions that | all the discovered IDs. Since they are randomized, I'm afraid these blocks won't be of much use :/
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
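The blocks described in the comment above are alternation regexes over the known IDs. As an added illustration (not code from Mozilla or from anyone in this thread), the sketch below packs some of the reported IDs into anchored, escaped patterns under an assumed 100-character field limit and shows that an ID outside the list is not matched. The function names and the limit value are assumptions.

```javascript
// Assumed limit: the thread only says the ID input field "has a size limit".
const MAX_PATTERN_LENGTH = 100;

// A few of the add-on IDs reported in this bug.
const REPORTED_IDS = [
  "34qEOefiyYtRJT@IM5Munavn.com",
  "Mro5Fm1Qgrmq7B@ByrE69VQfZvZdeg.com",
  "E3wI2n@PEHTuuNVu.com",
  "2d3VuWrG6JHBXbQdbr@3BmSnQL.com",
  "XN4Xgjw7n4@yUWgc.com",
];

// Escape regex metacharacters so the "." in ".com" only matches a literal dot.
function escapeRegex(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Greedily pack IDs into anchored alternations, each at most maxLength long.
function buildBlockPatterns(ids, maxLength = MAX_PATTERN_LENGTH) {
  const wrap = (parts) => "^(?:" + parts.join("|") + ")$";
  const patterns = [];
  let current = [];
  for (const id of [...new Set(ids)]) {
    const escaped = escapeRegex(id);
    if (wrap([escaped]).length > maxLength) {
      throw new Error("ID does not fit in one pattern: " + id);
    }
    if (current.length > 0 && wrap([...current, escaped]).length > maxLength) {
      patterns.push(wrap(current));
      current = [];
    }
    current.push(escaped);
  }
  if (current.length > 0) patterns.push(wrap(current));
  return patterns;
}

// True when an installed add-on ID is covered by any block pattern.
function isBlocked(patterns, addonId) {
  return patterns.some((p) => new RegExp(p).test(addonId));
}

const examplePatterns = buildBlockPatterns(REPORTED_IDS);
console.log(examplePatterns);
console.log(isBlocked(examplePatterns, "E3wI2n@PEHTuuNVu.com")); // ID in the list
console.log(isBlocked(examplePatterns, "C7yFVpIP@WeolS3acxgS.com")); // ID not in the list
```

Exact-match patterns like these only cover IDs that have already been collected, which is the limitation the comment points out for randomized IDs.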
(In reply to Jorge Villalobos [:jorgev] from comment #5)
> Blocked:
> https://addons.mozilla.org/en-US/firefox/blocked/i324
> https://addons.mozilla.org/en-US/firefox/blocked/i326

Typo in "pretending to the the Flash Player plugin."
(In reply to Jorge Villalobos [:jorgev] from comment #4)
> Do you have any samples of this malicious extension?

Unfortunately, I do not have any.

New ID: zZ2jWZ1H22Jb5NdELHS@o0jQVWZkY1gx1.com
(https://reports.adblockplus.org/b254eea6-bff4-d644-a1ef-1904a350990e#tab=screenshot)
(In reply to monzta-kw from comment #7)
> New ID: zZ2jWZ1H22Jb5NdELHS@o0jQVWZkY1gx1.com
> (https://reports.adblockplus.org/b254eea6-bff4-d644-a1ef-1904a350990e#tab=screenshot)

I updated the block to include that ID, thanks.
Please file new bugs for new block requests.
Product: addons.mozilla.org → Toolkit