uBlock Origin ad-blocker knocked for blocking hack attack squawking

Block all the things! No, wait, not the XSS security alerts

Top ad-blocking plugin uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: it prevents browsers from sounding the alarm on hacking attacks.

At the heart of the matter is a fairly new technology called content security policy reporting, or CSP reporting, documented in a W3C draft and in guides from Google and Mozilla. Websites can use a CSP to whitelist the scripting code that's allowed to run on their pages, thus stopping attackers from injecting malicious JavaScript that hijacks users' logged-in accounts. The reporting side tells the browser where to send a report whenever it blocks something the policy didn't allow.

It's supposed to kill cross-site-scripting, aka XSS, attacks, and automatically report hacking attempts back to the website's administrators. It's very handy, with one caveat that matters here: the browser reports every violation of the policy, whether it was caused by an attacker, by a misconfigured site, or by something else in the browser altering the page.
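The policy-plus-reporting mechanism described above, as an added example in JavaScript (Node.js) that is not code from the article or from uBlock Origin: it builds a CSP header carrying a report-uri, then parses the JSON report a browser POSTs to that endpoint. The origins, the endpoint path and the sample report are constructed for illustration.

```javascript
// Added example (not the article's or uBlock Origin's code): emitting a
// Content Security Policy with reporting, and reading what the browser sends
// back. The policy, origins, endpoint and sample report below are made up.

// Build the header value from a directive map. Keywords such as 'self' keep
// their single quotes; host sources are bare origins.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Constructed policy: first-party scripts plus Google Analytics, violations
// POSTed to /csp-report on the same origin.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://www.google-analytics.com'],
  'object-src': ["'none'"],
  'report-uri': ['/csp-report'],
};

function cspHeader() {
  return buildCspHeader(POLICY);
}

// Browsers POST violation reports as JSON (content type application/csp-report)
// wrapped in a top-level "csp-report" key. The body is attacker-influenced
// input, so bound its size and validate every field before trusting it.
const MAX_REPORT_BYTES = 16 * 1024;

function parseCspReport(body) {
  if (typeof body !== 'string' || body.length > MAX_REPORT_BYTES) return null;
  let json;
  try {
    json = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = json && json['csp-report'];
  if (!r || typeof r !== 'object') return null;
  const str = (k) => (typeof r[k] === 'string' ? r[k] : '');
  return {
    documentUri: str('document-uri'),
    // Older browsers fill violated-directive, newer ones effective-directive.
    violatedDirective: str('violated-directive') || str('effective-directive'),
    blockedUri: str('blocked-uri'),          // a URL, or 'inline' / 'eval' / 'self'
    sourceFile: str('source-file'),
    lineNumber: Number.isInteger(r['line-number']) ? r['line-number'] : null,
    scriptSample: str('script-sample').slice(0, 40), // never log unbounded samples
  };
}

// Constructed report of the kind a browser would send if a page under the
// policy above tried to load a script from an origin not on the whitelist.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.com/account',
    'referrer': '',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'original-policy': cspHeader(),
    'blocked-uri': 'https://evil.example/steal.js',
    'status-code': 200,
  },
});

console.log(cspHeader());
console.log(parseCspReport(SAMPLE_REPORT));
```

The parser deliberately returns null rather than throwing on malformed input: the endpoint is unauthenticated by design (any browser can post to it), so it must tolerate garbage without leaking stack traces or consuming memory.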

However, uBlock Origin is blocking browsers from sending these CSP alerts, infosec consultant Scott Helme reported on Monday in a bug report on the uBlock Origin GitHub repo. The free Chrome and Firefox plugin bins every CSP report from a page into which it has injected a neutered stand-in script to protect the user's privacy, such as its defanged replacement for Google Analytics.

In his bug report, Helme wrote:

uBO is blocking the sending of legitimate CSP reports. I have a policy set up on https://scotthelme.co.uk which fires multiple reports that are all blocked.

uBlock Origin developer Raymond Hill replied that this is "by design": the plugin suppresses every CSP report from a page into which it has injected at least one neutered script, such as its stand-in for Google Analytics, on the assumption that its own injection is what triggered the report. He added that users could manually whitelist Google Analytics for a particular site to stop the reports being suppressed, and closed the bug:

uBO will block CSP reports if it injects at least one neutered script in a page. This is what is happening on https://scotthelme.co.uk/, uBO is injecting a neutered Google Analytics script. In such a case, uBO conservatively assumes that the injected script is what is causing the CSP reports and blocks them. If you create an allow rule for Google Analytics for that site, the CSP reports are not blocked.

The trouble is that websites won't receive alerts from browsers running uBlock Origin when miscreants are trying to execute XSS attacks on pages where the plugin has neutered a script. That means site developers and admins may be unaware of attempts to exploit weaknesses in their code, vulnerabilities may not be addressed, and people may end up losing control of their accounts if attacked. Ultimately, Helme and others want to end uBlock Origin's broad blockade of CSP alerts.

"uBO can block Google Analytics without interfering with CSP reports. The two things aren't related, they're choosing to prevent the CSP report being sent," Helme told El Reg. Troy Hunt, who runs the Have I Been Pwned website, added: "This is the problem: if you've got an XSS risk on your site, for example, a browser running uBlock Origin can no longer report it to you."

Hill countered that CSP reports are a potential privacy issue, in that they are data phoned home to a remote server. "CSP reporting helps a host to fix their own problems in configuring their server, it does not help at all to fix users' own problems. CSP reports are not for the benefit of users – to say so is just marketing," he argued.

Essentially, uBlock Origin is trying to stop Google Analytics from tracking people across the web. The neutered stand-in it injects is not something the site's policy anticipated, so the browser may report it as a violation: Hill warned that such spurious CSP reports may be generated when the plugin neuters scripts, and it blocks the reports to prevent information leakage.
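Helme's position is that Google Analytics can be blocked without touching the reports, which leaves the question of where extension-caused noise should be filtered. An added example (not the article's or uBlock Origin's code) of the triage a report collector can do at the receiving end, on the inner "csp-report" objects a browser sends: it separates reports attributable to a browser extension from inline-script violations and from loads of an origin the policy never allowed, resolving the allowed sources from the report's own original-policy with the usual fallback to default-src. The extension URL schemes, the sample policy and the sample reports are assumptions made for illustration, and the heuristics are ours rather than a published rule set.

```javascript
// Added example (not the article's or uBlock Origin's code): server-side
// triage of CSP violation reports so that add-on noise is down-ranked at the
// collector instead of being suppressed in the browser. Extension schemes,
// sample policy and sample reports are constructed assumptions.

const EXTENSION_SCHEMES = [
  'chrome-extension:', 'moz-extension:', 'safari-extension:', 'safari-web-extension:',
];

function originOf(uri) {
  try {
    return new URL(uri).origin;
  } catch (e) {
    return null; // keywords like 'self', 'inline', 'eval' are not URLs
  }
}

// Source list for one directive of a serialized policy, or null if absent.
function sourcesFor(policy, directive) {
  if (!/^[a-z-]+$/.test(directive)) return null;
  const m = new RegExp(`(?:^|;)\\s*${directive}\\s+([^;]*)`).exec(policy);
  return m ? m[1].trim().split(/\s+/) : null;
}

// Origins the report's own policy allowed for the directive that fired.
// A directive missing from the policy falls back to default-src, as CSP does.
function allowedOrigins(report) {
  const policy = report['original-policy'] || '';
  const directive = (report['effective-directive'] || report['violated-directive'] || '')
    .split(/\s+/)[0];
  const sources = sourcesFor(policy, directive) || sourcesFor(policy, 'default-src') || [];
  const allowed = new Set(sources.map(originOf).filter(Boolean));
  if (sources.includes("'self'")) {
    const self = originOf(report['document-uri'] || '');
    if (self) allowed.add(self);
  }
  return allowed;
}

// Classify one report (the inner "csp-report" object).
function triage(report) {
  const blocked = report['blocked-uri'] || '';
  const source = report['source-file'] || '';
  if (EXTENSION_SCHEMES.some((s) => source.startsWith(s) || blocked.startsWith(s))) {
    return 'extension';          // injected by a browser add-on: log, don't page anyone
  }
  if (blocked === 'inline' || blocked === 'eval') {
    return 'inline';             // could be XSS, could be an add-on's stand-in: investigate
  }
  const origin = originOf(blocked);
  if (origin && !allowedOrigins(report).has(origin)) {
    return 'unexpected-origin';  // a host the site never whitelisted: highest priority
  }
  return 'other';
}

// Counts per class, so an on-call engineer sees the signal without the noise.
function summarize(reports) {
  const counts = {};
  for (const r of reports) {
    const c = triage(r);
    counts[c] = (counts[c] || 0) + 1;
  }
  return counts;
}

const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; report-uri /csp-report";

// Constructed sample reports: one injection, one bare inline violation,
// one from a Chrome extension's content script, one from a Firefox add-on.
const SAMPLES = [
  { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
    'blocked-uri': 'https://evil.example/steal.js', 'original-policy': SAMPLE_POLICY },
  { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
    'blocked-uri': 'inline', 'original-policy': SAMPLE_POLICY },
  { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
    'blocked-uri': 'inline', 'source-file': 'chrome-extension://abcdefghijklmnop/content.js',
    'original-policy': SAMPLE_POLICY },
  { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
    'blocked-uri': 'moz-extension://0123-4567/inject.js', 'original-policy': SAMPLE_POLICY },
];

console.log(summarize(SAMPLES));
```

Note the limits of this approach: an extension that injects a plain inline script with no extension-scheme source-file lands in the 'inline' bucket alongside genuine XSS, which is exactly the ambiguity Hill describes. The collector can reduce that bucket further only with site-specific knowledge (nonces or hashes for legitimate inline scripts), which is why the argument over who should filter, browser or server, is not settled by tooling alone.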

Helme told El Reg that uBlock Origin’s blanket policy was not only unworkable but ill-conceived. Any information reported back to a website from one of its own webpages should be known to the website anyway: the site generated the page, after all.

“uBO is taking unilateral and indiscriminate action against all reports,” Helme explained. “If they want to restrict reports caused by them then fair enough, but to stop the site sending any reports about security incidents just seems dangerous at best.

“I don't see how sending a CSP report to a reporting service is any more privacy violating than loading an image, script or stylesheet from a content delivery network. 99.99999 per cent of users aren't even going to know about CSP so suggesting that users can manually whitelist this to make it work is a non-starter."

The issue has sparked a lively debate on social media. Techie Dmitry Chestnykh, a uBlock Origin user, argued that the plugin is enhancing user privacy: "CSP reporting is not a security feature for users, CSP blocking is. It's not the user's responsibility to report that your site is broken."

Paul Moore, a UK-based chief information security officer with an interest in web privacy, disagreed. "It seems bizarre that a plugin to aid security and privacy not only breaks enhanced user agent features but actively refuses to fix it," he said.

Meanwhile, Hill has since reopened Helme's bug to reinvestigate the matter, noting: "I will look into whether it is possible and practical for uBO to block only whatever CSP reports are fired as a result of uBO doing its job."

In short, if you use uBlock Origin, for now, your browser can't warn websites when they and their users are under attack from account and session hijackers, at least on pages where the plugin has injected one of its neutered scripts. ®

Biting the hand that feeds IT © 1998–2022