
// NEWS // A Flaw in Ad Blockers Can Execute Arbitrary Code


5 months ago · Steemit · 3 min read

It is possible to create filters that execute malicious JavaScript code on users' computers. No update is planned for the moment.


The info

Security researcher Armin Sebastian found a flaw in the way Adblock Plus, AdBlock and uBlock work. Since 2018, these extensions have supported the "$rewrite" option, which allows a filter to modify HTTP requests. Guardrails have been put in place to prevent this option from being exploited to execute malicious code.

The following criteria must be met for a web service to be exploitable using this method:

  • The page must load a JS string using XMLHttpRequest or Fetch and execute the returned code
  • The page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code
  • The origin of the fetched code must have a server-side open redirect or it must host arbitrary user content

But it turns out that these guardrails are not enough. On some websites, it is still possible to execute malicious JavaScript code. The researcher proved this using a well-known site: Google Maps. In his example, the "pirate" filter brings up a JavaScript alert window.
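The second criterion is the one a site operator controls directly. As an added example (not code from the researcher or from any of the extensions), this loader checks the final response URL against an allowlist before handing fetched code to the caller. The origin, the path prefix and every name in it are assumptions for illustration.

```javascript
// Added example; ALLOWED, isAllowed, loadTrustedScript, fakeFetch are hypothetical.
// Assumption: the site serves its own scripts only from this origin and path.
const ALLOWED = [{ origin: "https://static.example.com", pathPrefix: "/js/" }];

function isAllowed(urlString) {
  let url;
  try {
    url = new URL(urlString); // also normalises "../" segments in the path
  } catch {
    return false; // empty or malformed URL: fail closed
  }
  return ALLOWED.some(
    (a) => url.origin === a.origin && url.pathname.startsWith(a.pathPrefix)
  );
}

// Returns the script text only when both the requested URL and the final URL
// (after any redirect or rewrite) pass the allowlist; throws otherwise.
async function loadTrustedScript(requestUrl, fetchImpl = globalThis.fetch) {
  if (!isAllowed(requestUrl)) {
    throw new Error("blocked: request URL not on allowlist");
  }
  const response = await fetchImpl(requestUrl, { credentials: "omit" });
  if (!response.ok) {
    throw new Error(`blocked: HTTP ${response.status}`);
  }
  // Response.url is the URL the body was actually served from.
  if (!isAllowed(response.url)) {
    throw new Error(`blocked: final URL ${response.url} not on allowlist`);
  }
  return response.text();
}

// Constructed stand-in for fetch() so the check runs offline: it reports
// `finalUrl` as the place the response ultimately came from.
function fakeFetch(finalUrl, body) {
  return async () => ({ ok: true, status: 200, url: finalUrl, text: async () => body });
}

// Three constructed cases: same URL, foreign origin, user-content path.
async function demo() {
  const req = "https://static.example.com/js/app.js";
  const finals = [req, "https://other.example.net/x.js", "https://static.example.com/uploads/x.js"];
  return Promise.all(finals.map((f) =>
    loadTrustedScript(req, fakeFetch(f, "/* code */")).then(() => "allowed", () => "blocked")));
}
```

The path-prefix check covers the case where the allowed origin also hosts user content; a `connect-src` Content Security Policy directive covers the other half of the same criterion by restricting where the page may fetch from at all.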

BleepingComputer

What does this entail

Ad blocker filters come from different sources and are created collaboratively by volunteers. It would be enough for one of these volunteers to introduce a malicious filter into the filter lists to be able to execute code on many users' computers.

Alerted by the researcher, Google believes that the risk is not large enough to justify a modification of its mapping site, a conclusion that the researcher does not share. He recommends using the uBlock Origin extension, which does not include the "$rewrite" option.

Sources: Armin Sebastian blog note, BleepingComputer

Stay Informed, Stay Safe



