Adblock Plus filter exploit to run arbitrary code discovered
Most content blockers use and load filter lists that include instructions to block or change certain content on visited sites in the web browser by default; this is done to ensure that default configurations do block a good chunk of unwanted content right away.
Most extensions support custom lists and individual filters. Users may load custom lists in most extensions and add their own filters to the list as well.
Update: Eyeo GMHB announced today that it will remove the $rewrite function going forward. Expect a new release soon that removes if from the extension. End
Security researcher Armin Sebastian discovered an exploit in certain adblockers such as Adblock Plus that could be used to run malicious code on sites visited in the browser.
The exploit uses a filter option called $rewrite that Adblock Plus supports to inject arbitrary code in web pages. The $rewrite filter is used to replace code on sites by rewriting it. The filter option restricts the operation; it is designed to load content only from the first-party source and not third-party sites or servers, and some requests, e.g. script or object, are not permitted either.
Sebastian discovered a vulnerability in $rewrite that attackers may exploit to load content from remote locations. The conditions that need to be met are:
- A JavaScript string needs to be loaded using XMLHttpRequest or Fetch, and the return code must be executed.
- Origins cannot be restricted on the page, e.g. by using Content Security Policy directives, and the final request URL cannot be validated before execution.
- The origin of the code must have a server-side open redirect, or must host arbitrary user content.
Properties that match all three requirements include Google Maps, Gmail, or Google Images among others. A proof of concept was published on the author's website and you may try it on Google Maps to verify that it works.
I tried the exploit in Chrome and Firefox, and could not get it to work. Lawrence Abrams over on Bleeping Computer managed to get it to work though.
Closing Words
The attack has another requirement, as it relies on filters. A manipulated filter needs to be added to the list of filters used by the content blocker. The two most common options include users adding filters manually to their content blockers, or that a manipulated filter is on a filter list that gets loaded.
The second option seems more likely, especially in cases were users load other lists in the extensions. It is not the first time that lists get manipulated but it does not happen very often.
The extension uBlock Origin is not affected by the issue as it does not support $rewrite.
Who uses this junk extension anyway? They are being bribed by the ad industry to let certain ads through, they call that “Acceptable Ads”.
Use uBlock Origin, folks. It’s not compromised like AdBlock Plus is.
Many website rely on advertising to generate revenue. You need to pay for your websites page. Website authors spend a lot of their time and effort working on websites. I don’t know of too many who don’t need to eat, drink, live somewhere, enjoy some entertainment in their life, etc. In fact they have lives, different to yours but probably just as expensive. From the AdBlock Plus extension:
“Acceptable Ads are nonintrusive ads. They are the middle ground between ad blocking and supporting online content because they generate revenue for website owners.”
@Anonymous:
Not sure you understand?!? In order to be put on the whitelist of Eyeo GmbH (parent company of AdBlock Plus), you need to:
– officially meet their “Acceptable Ads criteria” and
– pay them money.
I don’t take too much issue with the former point, but with the latter. I do not think that it is great when an adblocker(!) lets ads through in the first place, BUT requiring payments from the advertisers for the ads to be whitelisted is extortion. Some companies (their “esteemed partners”) play along with that business model, others don’t. I only respect those who don’t.
Only those who have installed the uncommon Code Injection Filter List to Adblock Plus are vulnerable to the bug which is seldom being exploited in the wild = this issue does not affect nearly all Adblock Plus users.
Thanks for speaking on behalf of nearly everyone, always nice.
So, possible but unlikely???
… and beware of Lawrence Abrams’ block list😊
With NoScript & AdBlock I never have any problems on sites (using a portable firefox).
Btw I long ago disabled Adblock & NoScript on Ghacks to help Martin earn from this site, but nothing ever changed. I never see adverts nor have popups into other sites.
Maybe it’s because my portable Firefox has been running since version 1.something & certain rules don’t get cleaned out ? It’s annoying as I don’t mind having ads in here if it helps Martin continue the site.
> It’s annoying as I don’t mind having ads in here if it helps Martin continue the site.
I do. I’d pay a few $$ per month for gHacks, if that means that there are no ads or trackers on the site. Privacy is of higher value than a few $$ for me, therefore I refuse to support any tracking or ads, even if the site is nominally for free.
is right that only who has the Code Injection Filter List to Adblock Plus are vulnerable to the bug?
No, it can be in any list but is in none that Adblock Plus loads by default.
Extensions seem to be the target of choice now that plugins are gone. For me there is enough issues with browsers that adding extensions just adds another layer of potential exposure. Ads really do not bother me much, I get its a tradeoff for access to a web site for free. Yeah a few sites are over the top in placing annoying ads so I tend to avoid them. Seems like all these ad blockers eventually do white lists deals in order to survive because while users seem to love to block ads, they seem unwilling to support the developers who make the blockers. Brave browser has a interesting take on ads, but I doubt it will catch on. But its built in ad blocker seems to be a better option then a extension.
> “while users seem to love to block ads, they seem unwilling to support the developers who make the blockers.”
If you consider ‘uBlock Origin’ it’s the developer himself who made it clear ever since he launched the extension that he’d refuse any form of financial support. Money helps as well as it corrupts, see ‘Adblocker Plus’ and its ‘acceptable ads’ on the ground of acceptable advertisement funding.
Considering the idea that because Web sites are free to access and provide (for most of them) free blogs, data, services it is normal to pay our part by allowing ads, it’s unfortunately more complex than simply accepting ads on a page : think malvertizement, think tracking. We’re not in the 1950’s advertisement scheme, things have changed, targeted ads were invented to increase the ROI and take full advantage of the Web’s very structure : following everyone everywhere.
Considering the idea of participating to the cost of a website, my opinion has always been that a website should not represent the income of a site administrator. You earn your life elsewhere and if you have the time and can afford it you open a website. Otherwise why not consider that if we don’t give a dime to a street artist we should as well pass our way? There are many areas in life we’d all like to make a living but am I authorized to require money on the ground I’m willing to earn my life with what I’m fond of? From there on I consider participating nevertheless to the cost of websites I regularly visit (hence I like) by direct funding (as here with ghacks.net) but will never accept ads for the sake of a site’s accessibility because and please pardon this analogy : prostitution, be it mental, is not my cup of tea.
But I am not against the principle of advertisement should advertisement be and be only a source of information for a given product, free of subliminal and targeted processes, healthy, respecting the users, less and better and e all know that’s not how it works. Feed forcing is the adverisement business’ credo, conceived as a war so war they have : adblockers. Period.
I agree with you Tom, yet although I trust a site, I tend not to trust advertising networks, as many have shown to be sketchy, and they sometimes work with even sketchier folks.
Yet things seem to have gotten better, as I imagine there are more trustworthy ad networks than before, but IDK.. Regardless, for the most part, I no longer use ad blockers on the trusted sites I frequent, as with this one.
Yet I do still block ads in YouTube video, as I find them excessive sometimes. But being that I no longer want to fuss with using ad blockers, I just use Opera for that, in exchange for giving up my so-called privacy.
That said, on sketchy sites that won’t work with the use of popular ad blockers (where they block access to such users), I have found an acceptable solution by at least blocking those unexpected popup ads.. I do that with “Popup Blocker (strict)”. I find it works great on most sites.
As for site revenue, I like the idea of sites charging a fee for full access with no ads.. And if they can’t make money that way, then I guess their site is not that great, ha.
But seriously, I like the fremium model, with the options of free access with ads, and paid access with no ads.
Also, ad free pay sites could also get paid from partners/sponsors who give “access vouchers” to costumers who buy their family of products.. For example, if you by enough Big Mac meals, then you get vouchers/coupons to access selected sites with no ads.
Furthmore, such vouchers would not require the users to give up their privacy, as they could just use access codes.
As for subliminal and “soft” advertising, I guess that will always be a thing regardless, via back-door deals and such.. Which reminds me, a Big Mac sure does sound good right now, oh boy! Ha.
This is a fake scenario just to harm ABP.
https://adblockplus.org/blog/potential-vulnerability-through-the-url-rewrite-filter-option
This is not fake but not actively exploited and it seems unlikely that it will. Still, the article you linked to state that $rewrite will be removed in future versions. I have updated the article to reflect that.
@Richard
The ABP guys are wrong.
As long as the technical possibility exists, the situation isn’t optimal. Even though the threat is probably only theoretical, it reflects how careless the ABP people are about their software.
The threat was well-known in the circle, and additionally it seems there is no good reason to use that feature at all.
It’s simply laziness on the part of Eyeo who controls ABP, Adblock and uBlock.
You can bet the Eyeo people are not using ABP themselves.
Regarding the line: “It’s simply laziness on the part of Eyeo who controls ABP, Adblock and uBlock.”
Eyeo GMBH only owns ABP.
AdBlock and uBlock non-Origin seems to be owned by a mysterious and anonymous business man, while uBlock Origin is owned by one enthusiast guy from Canada.
Seems, the $rewrite filter option is useful to some users in blocking the anti-adblock warning messages of restrictive websites who want to force their ads on visitors, eg China’s Youku, qqdotcom, etc.
To the degree that I currently understand the exploit, an entry using the sort of syntax that is used in the exploit example list, has never been used in the ~309 different ABP-format lists that are currently known to exist. So there’s very little to fear, as it currently stands.
However… even if ABP was to patch this really quickly, it appears that among those very-low-quality adblockers that fill up add-on stores, those that were forked from ABP or AdBlock between July 2018 (when “$rewrite” was added to ABP) and this week could remain indefinitely susceptible to this due to their lack of attention to their own coding.
Mysteriously, 13 million Dollar expenses appear in the Eyeo financials the year that Adblock gets bought by an unknown buyer, and immediately after Adblock starts to participate in the Eyeo acceptable ads program.
uBlock was also bought by an unknown buyer, but Adblock registered uBlock as a trademark in Germany, accidentally the home of ABP.
There is only one big corporate player in the field of ad blocking. They do not disclose this due to anti-trust issues with one big player controlling 90% of the ad business, and google is by the way their biggest customer, buying access to their users.
https://twitter.com/gorhill/status/1070755049603784704
Hmm… with that kind of evidence and indicators, that actually does sound pretty plausibly believable. Even I who tend to be fairly deep into the uBO community was unaware of gorhill having tweeted about that, so I thank you for sharing this info with us.
It states on the site you linked to Martin that the exploit can be mitigated by whitelisting known origins using the connect-src CSP header, or by eliminating server-side open redirects. However, it doesn’t explain how to do that.
Any ideas on that anybody?
I’ve just read on the bleepingcomputer article that the $rewrite function was added to ABP 3.2
This implies that it doesn’t affect my installation since I’m running version 2.9.1. I just didn’t like the web UI in later versions of APB and decided to stick with the previous one instead. This version is also the last one which supports the Element Hiding Helper which I use a lot.
@Martin:
Thanks very much for explicitly noting that uBlock Origin is not affected!
So does anyone have any opinion on AdBlocker Ultimate, or is it also affected, or for some other reason a bad choice??
Taking a quick look at Adblocker Ultimate’s settings menu and interface, I would advise against using it. Judging by the UI, AdUlt appears to have been forked from AdBlock in 2016 or 2017, and has not updated its included filterlists to reflect when lists have ceased to be maintained (e.g. Norsk Adblockliste, Fanboy’s Swedish, Juvander’s infamous Finnish List), nor does it have an option to show links to the lists.
I therefore personally recommend that any and all users of Adblocker Ultimate who likes its UI, should under normal circumstances change to AdBlock, whereas those who use AdUlt and thinks of it as inadequate, should change to Nano Adblocker or uBlock Origin.
“The extension uBlock Origin is not affected by the issue as it does not support $rewrite.”
Since when? From the getgo? I’m using the last XUL version.
It’s probably a simplistic/naive viewpoint but I feel that unless ads are really annoying and intrusive then they’re okay. I equate it to magazines. When a magazine starts placing full page ads on almost every right hand page ( so your eyes automatically see it when you turn the page) then I tend to cease buying that magazine. My auto clubs “free” magazine started having heaps of articles about sea cruises, bus tours and overseas “adventure holidays” etc., along with tons of advertisements about same. Anything related to motoring, such as vehicle reviews/tests, road safety etc., was given a half dozen pages at the back of the magazine. I know that all those advertisements and articles promoting commercial tours help reduce the cost of publishing the magazine but it’s still annoying. Many years ago it was a club newspaper, not a glossy magazine. Each monthly issue contained a wealth of content actually relating to motoring.
Thankfully, here on ghacks we get plenty of real “meat”, so I’m quite willing to turn off adblocking if it helps to keep this site up and running.
Cheers,
Web page advertising may be annoying but at least it is overt. Some websites hide the Snake Oil they sell inside ‘informative’ articles.