Just a little FYI: Filtering doodad in Adblock Plus opens door to third-party malware injection

Third-party providers of content filter rules could stiff netizens

A feature introduced last year in Adblock Plus and a few other related content blocking browser extensions allows providers of filtering lists, under certain conditions, to execute arbitrary code on web pages.

Adblock Plus v3.2 for Chrome, Firefox and Opera, released in July 2018, includes support for the $rewrite filter option, which can alter filter rules governing whether or not content gets blocked. The rationale for doing so is that there may be times when it's better to redirect a web request rather than blocking it.

The $rewrite filter provides a way to remove tracking data from URLs. One example might be avoiding Google Accelerated Mobile Pages (AMP). "We could redirect people to the non-AMP page as AMP is only meant to advertise and track not to actually make the web better," suggested Adblock Plus developer Hubert Figuière last year.

Other content blocking extensions with confusingly similar names like AdBlock and uBlock (owned by AdBlock and not associated with uBlock Origin) are said to have also implemented the $rewrite option. With this directive, third-party maintained filter lists can selectively rewrite URL parameters.

According to Sebastian, web pages are vulnerable under specific conditions: if they load a JavaScript string via XMLHttpRequest or Fetch and execute the returned code; if they fail to limit the applicable domain origin fetched with Content Security Policy directives or URL validation; and if the origin of the fetched code has a server-side open redirect or allows the hosting of arbitrary user content.

In such a case, an untrustworthy provider of filer list data could include a malicious filter string that would execute arbitrary code.

In a blog post on Monday developer Armin Sebastian, who found the issue, said he has informed Google about the potential vulnerability but the company considers it intended behavior rather than a bug.

Adblock Plus, in a statement emailed to The Register said, "We are taking this very seriously and are currently investigating the actual risk for our users to determine the best countermeasure."

In its statement, Adblock Plus said support for $rewrite "was added to allow filter list authors to effectively block circumvention attempts, where a website tries to force ads on visitors that use an ad blocker."

"The new feature is a fundamental shift from how ad blockers are understood to work," said Sebastian in a Twitter conversation with The Register.

"In the past the worst that could have happened was for a malicious filter list provider to block access to a site, which would have been a minor annoyance that is easy to spot. The $rewrite filter option, when chained with other security issues from web services, enables account takeovers and the exfiltration of private data. That is quite the leap from how users perceive ad blockers to work."

Sebastian said he was unaware of whether anyone has been exploiting filtering lists thus, but said manipulation would be difficult to detect. "This method allows delivering payloads on a per request basis, you may be targeted, exploited and the evidence cleared from the extension storage, without needing to publish the payload as part of a public filter list," he said.

Cause for concern

Raymond Hill, the creator of rival content blocking extension uBlock Origin, last year said he would not be implementing $rewrite because of security concerns. Specifically, he worried same-origin restrictions would not be enough because sites like GitHub can have the same origin (github.com) while giving different people control over content on different pages.

"Even with strictly same origin, a malicious filter list author could add bad stuff to a network request," he wrote, noting that he preferred an option called querystrip that removes but does not rewrite URL query parameters.


As netizens, devs scream bloody murder over Chrome ad-block block, Googlers insist: It's not set in stone (yet)


In an email to The Register, Hill said, "The exploit requires that a filter list maintainer go rogue, an unlikely scenario, especially for prominent filter lists, i.e. those used by default by the affected blockers. Still, [Sebastian's post] makes the case that the possibility exists and this needs to be taken into account by users according to how they personally choose to assign trust."

Adblock Plus said $rewrite has been restricted to prevent it from executing any scripts but, despite Content Security Policy settings, "certain websites allow the interpretation of plaintext from a third party as code and execute it."

The company, which posted a longer statement on its website, said it considers exploitation unlikely (and hasn't seen any exploitation attempts) because it vets authors who contribute to filter lists enabled in Adblock Plus by default and it examines filter lists regularly.

"Nevertheless, there are still websites where this option can be used to run malicious software and we know that it is our responsibility to protect our users from such attacks. We are working on fixing this exploit," the company said.

In addition to further restrictions being considered for $rewrite, Adblock Plus says may restrict all filter lists to https, which is currently the case for default activated lists.

Sebastian said the risk can be mitigated by whitelisting known origins with the connect-src CSP header or by omitting server-side open redirects.

The Register asked Google to confirm that it doesn't see this as a Chrome security problem, but we've not yet heard back.

One of the reasons Google cites for its controversial Manifest v3 plan to change the APIs available to Chrome extensions is security. The search biz is focused on issues other than filter trust, like replacing the webRequest API, which evaluates rules in the browser (where they can be changed) rather than in the JavaScript engine (where declared rules remain fixed). ®

Other stories you might like

  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading

Biting the hand that feeds IT © 1998–2022