Most content blockers use and load filter lists that include instructions to block or change certain content on visited sites in the web browser by default; this is done to ensure that default configurations do block a good chunk of unwanted content right away.
Most extensions support custom lists and individual filters. Users may load custom lists in most extensions and add their own filters to the list as well.
Update: Eyeo GMHB announced today that it will remove the $rewrite function going forward. Expect a new release soon that removes if from the extension. End
Security researcher Armin Sebastian discovered an exploit in certain adblockers such as Adblock Plus that could be used to run malicious code on sites visited in the browser.
The exploit uses a filter option called $rewrite that Adblock Plus supports to inject arbitrary code in web pages. The $rewrite filter is used to replace code on sites by rewriting it. The filter option restricts the operation; it is designed to load content only from the first-party source and not third-party sites or servers, and some requests, e.g. script or object, are not permitted either.
Sebastian discovered a vulnerability in $rewrite that attackers may exploit to load content from remote locations. The conditions that need to be met are:
Properties that match all three requirements include Google Maps, Gmail, or Google Images among others. A proof of concept was published on the author's website and you may try it on Google Maps to verify that it works.
I tried the exploit in Chrome and Firefox, and could not get it to work. Lawrence Abrams over on Bleeping Computer managed to get it to work though.
The attack has another requirement, as it relies on filters. A manipulated filter needs to be added to the list of filters used by the content blocker. The two most common options include users adding filters manually to their content blockers, or that a manipulated filter is on a filter list that gets loaded.
The second option seems more likely, especially in cases were users load other lists in the extensions. It is not the first time that lists get manipulated but it does not happen very often.
The extension uBlock Origin is not affected by the issue as it does not support $rewrite.Advertisement
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.