The Adblock Plus extension (or its filter lists) used in browsers can be misused to inject malware or manipulate what is displayed. This is difficult to detect, says a security researcher who has now publicly disclosed the vulnerability. Eyeo, the developer of Adblock Plus, has announced that it will remove the risky feature.
(Source: Pexels Markus Spiske CC0 License)
Security researcher Armin Sebastian discovered the potential vulnerability in Adblock Plus filters that redirect requests, and has described it in detail here. Under certain conditions, the $rewrite filter option allows filter list maintainers to insert arbitrary code into web pages.
The affected ad-blocker extensions have more than 100 million active users. Exploiting the redirect function is trivial: any sufficiently complex web service, including Google services, can be attacked. At the same time, attacks are difficult to detect, and detection can hardly be implemented in all common browsers.
Armin Sebastian writes that he disclosed the information and the details of the exploit chain ‘given the nature and impact of the vulnerabilities uncovered and given the fact that in the past filter lists were used for politically motivated attacks’. He expressed the hope that this will ensure the fastest possible remedies in the affected browser extensions and web services.
The $rewrite filter option is used by some ad blockers to remove tracking data and block ads by redirecting requests. The option allows rewriting only within the same origin, and requests of types SCRIPT, SUBDOCUMENT, OBJECT, and OBJECT_SUBREQUEST are not processed.
Armin Sebastian writes, however, that web services can be attacked with the help of this filter option if they download code snippets for execution via XMLHttpRequest or Fetch, allow requests to any origin, and provide a server-side open redirect.
The extensions update their filter lists regularly, at intervals defined by the filter list operators. Attacks are difficult to detect because the filter list creator can set a short expiration time: a malicious filter list is activated briefly and then replaced by a benign one, covering the tracks. Since updates are requested from the user's IP address, this also allows attacks targeted at specific companies and individuals by IP address.
Armin Sebastian gives the following conditions, all of which must be fulfilled for a successful manipulation attempt:
- The page must load a JS string via XMLHttpRequest or Fetch and execute the returned code.
- The page must not restrict the origins from which it may fetch using Content Security Policy directives, and it must not validate the final URL of the request before executing the downloaded code.
- The source of the downloaded code must have a server-side open redirect or host arbitrary user content.
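The second condition is the one a site owner can act on directly. As an added example (not code from the article, from Armin Sebastian, or from Adblock Plus/eyeo), the block below shows a page that downloads a JS snippet and executes it, first in the unchecked pattern the conditions describe and then with a final-URL check: Fetch exposes the URL a response actually came from, after every redirect hop, as `response.url` (XMLHttpRequest as `xhr.responseURL`), so a request that was rewritten to an open redirect on another host can be refused before the returned text is executed. The trusted origin `https://cdn.example.com`, the other hostnames and the fake `fetch` are constructed for the example.

```javascript
// Added example (not from the article or from Adblock Plus/eyeo): a page that
// downloads a JS snippet and runs it, shown unchecked and with a final-URL check.
// Origins, URLs and the fake fetch below are constructed for this example.

// Origins from which this page is willing to execute downloaded code (assumed).
const TRUSTED_CODE_ORIGINS = new Set(["https://cdn.example.com"]);

// True when the URL the response actually came from (after every redirect hop)
// belongs to a trusted origin over HTTPS. Fetch exposes it as response.url and
// XMLHttpRequest as xhr.responseURL.
function isTrustedFinalUrl(finalUrl) {
  let parsed;
  try {
    parsed = new URL(finalUrl);
  } catch (_e) {
    return false; // unparseable or relative URL: do not trust it
  }
  return parsed.protocol === "https:" && TRUSTED_CODE_ORIGINS.has(parsed.origin);
}

// Unchecked pattern (the vulnerable conditions above): the downloaded text is
// executed without looking at where it actually came from.
function executeUnchecked(code) {
  return new Function(code)();
}

// Hardened pattern: a request that was rewritten to another origin, or bounced
// through an open redirect, ends with a different final URL and is refused.
function executeIfTrusted(finalUrl, code) {
  if (!isTrustedFinalUrl(finalUrl)) {
    throw new Error("refusing to execute code served from " + finalUrl);
  }
  return new Function(code)();
}

// Constructed fake fetch that behaves like a request redirected away from the
// requested URL (the effect of a $rewrite filter pointing at an open redirect):
// the response carries the final URL and the body that the redirect target served.
function makeRedirectingFetch(finalUrl, body) {
  return async function fakeFetch(_requestedUrl) {
    return { url: finalUrl, ok: true, text: async () => body };
  };
}

// Loads a snippet with the given fetch implementation and runs it only after the
// final URL has been checked. Resolves to the snippet's return value.
async function loadAndRun(fetchImpl, requestedUrl) {
  const res = await fetchImpl(requestedUrl);
  const code = await res.text();
  return executeIfTrusted(res.url, code);
}

// Stand-alone demonstration: the direct response runs, the redirected one is refused.
async function main() {
  const direct = makeRedirectingFetch(
    "https://cdn.example.com/widget.js",
    "return 'widget loaded';"
  );
  console.log(await loadAndRun(direct, "https://cdn.example.com/widget.js"));

  const redirected = makeRedirectingFetch(
    "https://open-redirect.example/landing", // constructed redirect target
    "return 'this must never run';"
  );
  try {
    await loadAndRun(redirected, "https://cdn.example.com/widget.js");
  } catch (e) {
    console.log("blocked:", e.message);
  }
}

main();
```

The check complements, rather than replaces, a Content Security Policy `connect-src` directive: the CSP limits which origins XMLHttpRequest and Fetch may connect to at all, and the final-URL check catches the case where a request that started at a trusted origin was redirected elsewhere before the code was executed.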
The organizations that maintain filter lists can then ship a rule update, which might look like this:
The above rule forwards the target request to Google's ‘I'm Feeling Lucky’ search, which in turn redirects to a page containing user-supplied content: alert(document.domain).
Armin Sebastian says he reported the vulnerability to Google, but Google replied that this redirect is intended behaviour and closed the ‘case’ because it does not pose a security problem. I'm not deeply involved in the topic, but the security researcher's argument makes sense to me.
In his blog article Armin Sebastian gives more hints and explains the details. He recommends that Adblock Plus remove the $rewrite filter option. Users can also switch to uBlock Origin, which does not support the $rewrite filter option and is not vulnerable to the described attack. Bleeping Computer has published some additional information and examples.
A quick reaction from Adblock Plus vendor
The vendor explains the introduction of the $rewrite option with greater control over filtering. It considers exploiting the vulnerability ‘difficult’, as attackers need access to a filter list in order to push an update, and says there has been no attempt to abuse it. The vendor admits that it was aware of the security concerns regarding this feature; these were therefore discussed in detail, and restrictions were put in place to minimize the risk. Although the vendor rates the risk as very low, it has decided to remove the $rewrite filter option and release an updated version of Adblock Plus as soon as possible.