Adblock Plus and uBlock are perhaps the most popular ad blocking extensions in the market, with the former exploding in popularity in China and India. While many Web surfers are increasingly favoring ad blockers, with over 100 million users already using these tools.

But latest findings reveals that the $rewrite filter available on AdBlock, Adblock Plus and uBlock enables filter list maintainers to inject malicious code into web pages.

The $rewrite feature is supposed to allow changing of the filter rules in deciding which content get blocked and which to allow, which often there are content elements that are hard to block. And the feature can be exploited in a trivial order to attack even complex web service, like Google services, with attacks almost undetectable.

While the $rewrite filter option is employed by ad blockers to alter the tracking data and thus block ads requests by redirecting traffic. It allows rewrites only within the origin, and requests of SUBDOCUMENT, SCRIPT, OBJECT and OBJECT_SUBREQUEST types are not supported.

The exploit, however is possible with the help of the filter option when used with XMLHttpRequest or Fetch to download code snippets for execution, allowing requests to arbitrary origins and also a server-side redirect.

According to the researcher, Armin Sebastian, Google services like Google Maps, Gmail, and Google Images, are exempt from the exploitable requirements. Albeit, other web services could be exploited by the flaw.

But since the potential security issue is considered to be present solely in the browser extensions, and the exploit is made up on a set of browser extension and web service vulnerabilities chained together, it is worth keeping in mind these conditions.

How Ad Blocker can be Exploited to transfer Malicious Code unto PCs



Adblock Plus and uBlock are perhaps the most popular ad blocking extensions in the market, with the former exploding in popularity in China and India. While many Web surfers are increasingly favoring ad blockers, with over 100 million users already using these tools.

But latest findings reveals that the $rewrite filter available on AdBlock, Adblock Plus and uBlock enables filter list maintainers to inject malicious code into web pages.

The $rewrite feature is supposed to allow changing of the filter rules in deciding which content get blocked and which to allow, which often there are content elements that are hard to block. And the feature can be exploited in a trivial order to attack even complex web service, like Google services, with attacks almost undetectable.

While the $rewrite filter option is employed by ad blockers to alter the tracking data and thus block ads requests by redirecting traffic. It allows rewrites only within the origin, and requests of SUBDOCUMENT, SCRIPT, OBJECT and OBJECT_SUBREQUEST types are not supported.

The exploit, however is possible with the help of the filter option when used with XMLHttpRequest or Fetch to download code snippets for execution, allowing requests to arbitrary origins and also a server-side redirect.

According to the researcher, Armin Sebastian, Google services like Google Maps, Gmail, and Google Images, are exempt from the exploitable requirements. Albeit, other web services could be exploited by the flaw.

But since the potential security issue is considered to be present solely in the browser extensions, and the exploit is made up on a set of browser extension and web service vulnerabilities chained together, it is worth keeping in mind these conditions.

No comments