• Home
  • Apps
  • Apps News
  • AdBlock, AdBlock Plus, uBlock Filter Vulnerability Allows Arbitrary Code Injection in Browsing Sessions: Researcher

AdBlock, AdBlock Plus, uBlock Filter Vulnerability Allows Arbitrary Code Injection in Browsing Sessions: Researcher

Share on Facebook Tweet Share Reddit Comment
AdBlock, AdBlock Plus, uBlock Filter Vulnerability Allows Arbitrary Code Injection in Browsing Sessions: Researcher

AdBlock Plus first introduced the $rewrite filter last year

Highlights
  • The vulnerability lies in $rewrite filter used in ad blocking extensions
  • It allows malicious filter authors to steal online credentials
  • AdBlock, AdBlock Plus, uBlock extensions support $rewrite filters

A new alleged vulnerability has been discovered, this time in AdBlock, AdBlock Plus, and uBlock extensions. The vulnerability exists in a filter for rewriting requests (called $rewrite filter) that was introduced in AdBlock Plus first in July last year with v3.2. Under certain conditions the $rewrite filter option apparently enables filter list maintainers to inject arbitrary code in webpages. A malicious filter author can steal online credentials, tamper sessions, or redirect pages using this vulnerability.

Security researcher Armin Sebastian discovered the vulnerability, and he claims that the problem was introduced with the $rewrite filter option that was introduced last year. This filter allows ad blockers to remove tracking data, prevent forced ads by websites, and block circumvention attempts. The $rewrite filter option allows rewrites only within the same origin, and requests of SCRIPT, SUBDOCUMENT, OBJECT, and OBJECT_SUBREQUEST types are not processed.

However, under certain conditions, the Web servers can be exploited. These conditions include that the page must load a JS string using XMLHttpRequest or Fetch and execute the returned code, and the page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code. The origin of the fetched code must also have a server-side open redirect or it must host arbitrary user content. If these conditions are met with, then malicious filter authors can inject malicious code. The researcher says that Gmail and Google Images also meet these listed conditions to be exploitable, and he even demoed how the security flaw could be triggered using Google Maps.

The $rewrite filter option is available on AdBlock Plus, AdBlock, and uBlock; and together they have more than 100 million active users, Sebastian claims. He adds that the vulnerability is "trivial to exploit", and can be used to attack any sufficiently complex Web service, including Google services. He added these attacks are said to be "difficult to detect and are deployable in all major browsers."

As a temporary workaround, Sebastian advises users to switch to uBlock Origin as it does not support the $rewrite filter option and it is not vulnerable to the described attack. He also advices ad blocking extensions to drop support for the $rewrite filter option.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: AdBlock, AdBlock Plus, uBlock
Tasneem Akolawala When not expelling tech wisdom, Tasneem feeds on good stories that strike on all those emotional chords. She loves road trips, a good laugh, and interesting people. She binges on movies, sitcoms, food, books, and DIY videos. More
Amazon Targeted by Italy in Market Dominance Probe
Vodafone Brings Rs. 16 Prepaid Recharge Plan With 1GB Data for 24 Hours
 
 

Advertisement

 

Advertisement

© Copyright Red Pixels Ventures Limited 2019. All rights reserved.