Adblock Plus filters can be abused to execute malicious code in browsing sessions

The vendor was not aware of the problem until public disclosure.
Written by Charlie Osborne, Contributing Writer

An exploit has been uncovered in the filter systems of Adblock, Adblock Plus, and uBlock which may permit attackers to remotely inject arbitrary code into web pages.

Security researcher Armin Sebastian said in a blog post on Monday that the issue lies within version 3.2 of the Adblock Plus software which introduced a new filter option for rewriting requests in 2018.

This feature, also adopted by AdBlock and uBlock, is vulnerable to a security flaw deemed "trivial" to exploit by Sebastian, and the issue could potentially be leveraged in attacks including the theft of online credentials, session tampering, or page redirection.

According to the researcher, as the impacted extensions account for over 100 million monthly active users, the security flaw may have a massive impact if exploited in the wild by a malicious filter author.

"The feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers," Sebastian says.

Filter lists are core components of ad blocking software as they provide a repository of URLs which are considered to be suspicious, malicious, or related to advertising. When an ad blocker is installed on a browser, while users are surfing the web, the software accesses these lists and prevents such content from loading.

The problem lies in the $rewrite filter option, a feature introduced last year. $rewrite is used by some ad blockers to block circumvention attempts, remove tracking data, and to prevent websites from forcing ads on visitors using blocking software.

Rewrites, however, can only take place within the same domain as an original request, and SCRIPT, SUBDOCUMENT, OBJECT, and OBJECT_SUBREQUEST request types are not accepted.

See also: Severe vulnerabilities uncovered in popular password managers

Under certain conditions, it appears that arbitrary code can be injected when domains load JS strings using XMLHttpRequest or when they use Fetch to download code snippets for execution. Websites must also have a server-side open redirect or must host arbitrary user content for the exploit to work.

In addition, the page must not restrict origins using Content Security Policy directives and final request URLs cannot be validated before downloaded code is executed.

"Extensions periodically update filters at intervals determined by filter list operators," the researcher added. "Attacks are difficult to detect because the operator may set a short expiration time for the malicious filter list, which is then replaced with a benign one. Organizations and individuals may be targeted based on the IP addresses from which the updates are requested."

As an example of how the security flaw could be triggered, Sebastian utilized Google Maps. As the service met the conditions above, the researcher was able to write exploit code which would load content from "majestic-ramsons.herokuapp .com" -- in this case, prompting a pop-up alert.

The issue was reported but Google says the open redirect used by Google Maps is "intended behavior" and the potential security problem lies only within the mentioned browser extensions.

Sebastian says that the elimination of server-side open redirects or the whitelisting of known origins in impacted web services using the connect-src CSP header can mitigate the problem. It has also been suggested that ad-block users consider switching to uBlock Origin, which does not support the $rewrite filter option and is, therefore, not vulnerable to this form of attack.

TechRepublic: 5 best password managers for Android

"Ad blocking extensions should consider dropping support for the $rewrite filter option," the researcher said. "It's always possible to abuse the feature to some degree, even if only images or style sheets are allowed to be redirected."

In a statement published after the researcher's findings went live, Adblock Plus said that the vendor is "taking this very seriously and are currently investigating the actual risk for our users to determine the best countermeasure."

Adblock Plus added that the implementation of the rewrite option, despite content security Policies, may allow some websites to execute content from third-parties -- but this kind of event is considered "very unlikely" given the firm's constant examination of filter lists and author vetting.  

CNET: How to install the Ring Video Doorbell 2

The company does not believe the problem has been exploited in the wild but is working on fixing the issue.

"We have extremely high standards for testing and quality control for every line of code we publish," the company added. "Striving for the best possible code also means that we highly appreciate being made aware of any potential vulnerabilities that we didn't spot so we can fix them as fast as possible."

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Editorial standards