A feature introduced last year in Adblock Plus and some related content-blocking browser extensions allows filter list providers, under certain conditions, to execute arbitrary code on web pages.
Adblock Plus v3.2 for Chrome, Firefox and Opera, launched in July 2018, introduced the $rewrite filter option, which can change the filter rules that determine whether content is blocked. The rationale is that there may be times when it is better to redirect a web request than to block it.
$rewrite filters provide a way to remove tracking data from URLs and, as one example, to avoid Google Accelerated Mobile Pages (AMP). Last year, Adblock Plus developer Hubert Figuiere said, "AMP can only be redirected to non-AMP pages because it is used only to advertise and track the web to make it better."
Other content-blocking extensions with confusingly similar names, such as AdBlock and uBlock (owned by AdBlock and not related to uBlock Origin), also support the $rewrite option. The option allows third-party-maintained filter lists to selectively rewrite URL parameters.
According to Sebastian, web pages are vulnerable under certain conditions: the page loads code with fetch and runs the returned code; content security policy directives or URL validation are not used to limit the origins that code can come from; and the origin of the fetched code has a server-side open redirect or hosts arbitrary user content.
In that case, an untrusted filter list provider can include malicious filter strings that execute arbitrary code.
Armin Sebastian, the developer who found the issue, said in a blog post on Monday that he told Google about the potential vulnerability, but said the company considered it intended behavior rather than a bug.
Adblock Plus told The Register, "We are taking this very seriously and we are investigating the actual risks to current users to determine the best response."
In its statement, Adblock Plus said the $rewrite option "has been added so that filter list creators can effectively block attempts by websites to force them to send ads to visitors who use ad blockers."
"A new feature is a fundamental change that understands how ad blockers work," Sebastian said in a Twitter conversation with The Register.
"In the past, the worst case was for a malicious filter list provider to block access to a site – it would have been a minor annoyance that the site could not be easily accessed. The $rewrite filter option enables account hijacking and exfiltration of personal data when associated with other security issues in the Web service. This is a significant leap in the way that users operate the ad blocker."
Sebastian did not know whether anyone had abused a filter list this way, but he said such manipulation would be hard to detect. "This method can deliver per-request payloads, and it can be targeted, exploited and removed from the extension storage without having to publish the payload as part of the public filter list," he said.
Reason for Concern
Last year, Raymond Hill, creator of the rival content-blocking extension uBlock Origin, opposed $rewrite for security reasons. In particular, he was concerned that on sites like GitHub the same-origin restriction would not be enough, because pages can share the same origin (github.com) while different people control the content of different pages.
"Even if a malicious filter list creator uses strictly the same source, it can add a bad element to a network request," he said.
Query strip: this removes the URL query parameters, but does not rebuild them.
Netizens screamed in the Chrome Developer Block with bloodshed. Google employees assert:
In an email to The Register: "Exploits can lead to malicious scenarios, especially if the filter list that is affected by the affected breaker is a filter list, [Sebastian’s post] You need to consider users based on the way they present possibilities and the way that you personally determine trust."
With $rewrite, despite content security policy settings, "a specific website can interpret and execute third-party plain text as code."
The company believes that because Adblock Plus identifies the authors who contribute to filter lists that are enabled by default and regularly reviews those lists, exploitation is unlikely, and it says no malicious attempts have been found.
"We are still aware that there is still a Web site that can use the day option to run malicious software and we are responsible for protecting the user from such an attack."
Adblock Plus can restrict all filter lists to HTTPS (as is already the case for the lists currently active by default), in addition to the further restrictions it is considering for $rewrite.
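As an added example (not from the article and not Adblock Plus code), the script below audits a filter list for the two points raised above: whether the list is fetched over HTTPS and which rules carry the $rewrite option. The filter syntax handling is a simplified assumption, and the sample list, hosts and paths are constructed.

```javascript
// Added example, not Adblock Plus code. Assumes ABP-style request filters:
// "pattern$opt1,opt2=value"; "!" starts a comment, "[...]" is a list header.

// Split a filter into pattern and options; null for non-request lines.
function parseFilter(line) {
  const text = line.trim();
  if (!text || text.startsWith("!") || text.startsWith("[")) return null;
  if (/#[@?$]?#/.test(text)) return null; // element-hiding and snippet rules
  const m = /\$(~?[\w-]+(?:=[^,]*)?(?:,~?[\w-]+(?:=[^,]*)?)*)$/.exec(text);
  if (!m) return { pattern: text, options: {} };
  const options = {};
  for (const opt of m[1].split(",")) {
    const eq = opt.indexOf("=");
    const name = (eq < 0 ? opt : opt.slice(0, eq)).toLowerCase();
    options[name] = eq < 0 ? true : opt.slice(eq + 1);
  }
  return { pattern: text.slice(0, m.index), options };
}

// Flag a non-HTTPS list URL and every rule that carries a rewrite option.
function auditList(listUrl, body) {
  const findings = [];
  if (new URL(listUrl).protocol !== "https:") {
    findings.push({ line: 0, issue: "list-not-https", detail: listUrl });
  }
  body.split(/\r?\n/).forEach((raw, i) => {
    const f = parseFilter(raw);
    if (!f || !("rewrite" in f.options)) return;
    findings.push({
      line: i + 1,
      issue: "rewrite-rule",
      detail: `${f.pattern} -> ${f.options.rewrite}`,
      scoped: "domain" in f.options, // false: rule applies on every site
    });
  });
  return findings;
}

// Constructed sample list; hosts and paths are placeholders.
const SAMPLE = [
  "[Adblock Plus 2.0]",
  "! Title: constructed sample",
  "||ads.example^$third-party",
  "||example.com/amp/$rewrite=/article,domain=example.com",
  "example.com##.banner",
  "/track.json$xmlhttprequest,rewrite=/empty.json",
].join("\n");

console.log(auditList("http://lists.example/sample.txt", SAMPLE));
```

Running the same audit against each fetched copy of a subscribed list and comparing the findings over time shows when a rewrite rule appears or changes.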
Sebastian says websites in danger can set the connect-src CSP header or eliminate server-side open redirects.
The Register has asked Google to confirm that it does not consider this a security issue with Chrome, but has not yet received a response.