Can Your Adblocker Extension Execute Malicious Code? Yes, It Can
Here's a controversial topic for you – ads and the internet. Many of the online services and websites we use every day are available to us completely free of charge. Operating these services is anything but free, though. In fact, the people that run them put a lot of money and effort into them, and more often than not, the ads they display on the pages are the only way to make a return on their investments. On the other hand, ads are, for the most part, quite annoying, and they can even be dangerous, which is why security specialists advise you to consider using an ad-blocking extension on all your browsers.
How do adblockers work?
On the face of it, adblockers seem to be fairly lightweight, unobtrusive plugins that work quietly in the background to give you a more enjoyable online experience. Their inner workings aren't especially complex, either.
When you're trying to view a webpage, the ad-blocking extension goes through the page's source code and blocks all known ad-related scripts and URLs. To identify them, it uses blacklists, which are updated on a regular basis.
The end result is that you're deprived of the opportunity to take a personality quiz that can tell you what type of guacamole you are. You also get to avoid annoying and potentially dangerous ads.
Not everyone is happy, though. The fact that you're not seeing any ads means that some people's paychecks are under threat, and they will do whatever they can to ensure that their ads find their way around your adblocker. Every now and again, they manage to do it, which means that adblockers must adapt.
Last year, for example, Adblock Plus, one of the most popular adblocking extensions, incorporated a new $rewrite filter option that is designed to block cleverly positioned video ads and tracking mechanisms that appear on some websites. Shortly after, AdBlock and uBlock (not to be confused with uBlock Origin), two other extensions based on Adblock Plus, implemented the same filter option. Everything was fine until last week when an independent security researcher by the name of Armin Sebastian discovered a vulnerability in the $rewrite functionality.
A code execution vulnerability in Adblockers' $rewrite function
The core function of the $rewrite filter option is to block ads and tracking data by redirecting requests. This, in and of itself, can present some problems, which is why, for security reasons, the extension's developers designed the option to allow only limited types of redirects. Armin Sebastian discovered, however, that under some circumstances, certain web services can be exploited to run arbitrary code thanks to the $rewrite option.
There are a few conditions, it must be said. The web service in question must use either XMLHttpRequest or Fetch to download code that it then executes, and the origin of the code must be configured in a certain way. In addition, the service must either lack a Content Security Policy (CSP) or fail to validate the request URL before executing the code.
Based on all this, you might argue that there are quite a few stars that need to align perfectly for the attack to work, but according to Armin Sebastian, successfully exploiting the bug is "trivial".
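One way a web service can remove the last prerequisite above is to check the final response URL before it executes downloaded code. The sketch below is an added example, not code from the original article, the researcher or any of the extensions; the allowlist, the URLs and the function names are assumptions made for illustration.

```javascript
// Added example: not code from the article, the researcher, or any extension.
// Assumption: the page downloads a script as text and then executes it.
// TRUSTED_SCRIPTS and all URLs here are constructed for illustration.
const TRUSTED_SCRIPTS = new Set([
  "https://static.example.com/app/widget.js",
]);

// finalUrl is Response.url (fetch) or XMLHttpRequest.responseURL: the URL the
// body actually came from after any redirects, not the URL the page asked for.
function isTrustedFinalUrl(finalUrl, trusted = TRUSTED_SCRIPTS) {
  let parsed;
  try {
    parsed = new URL(finalUrl); // normalises case, dot segments, default port
  } catch {
    return false; // empty or malformed URL: refuse
  }
  // Exact match on the normalised URL: a different scheme, host, path,
  // query string or embedded credentials all fail the check.
  return trusted.has(parsed.href);
}

// Download code and return it only if the final URL passes the check.
// fetchImpl is injectable so the example can be exercised offline.
async function loadTrustedScript(requestUrl, fetchImpl = fetch) {
  const response = await fetchImpl(requestUrl);
  if (!response.ok || !isTrustedFinalUrl(response.url)) {
    throw new Error(`refusing code from ${response.url || "unknown URL"}`);
  }
  return response.text(); // caller executes this only after the check passed
}

// The CSP counterpart limits where fetch/XHR may connect at all, e.g.:
//   Content-Security-Policy: connect-src https://static.example.com
```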
There are two contributing factors that make the vulnerability particularly scary. The first one is the sheer number of people using the vulnerable adblockers. As we mentioned already, Adblock Plus is among the most popular extensions of this type, and when you add its userbase to the number of people that have installed the other two plugins, you'll see that we're looking at hundreds of millions of potential targets.
What's more, some pretty popular web services fit the bill for exploitation, including Google's Maps and Gmail, and since we're talking about code execution, the range of possible attacks is basically limitless. The bug can be configured to work only with specific IP addresses, which means that it can be used in highly targeted attacks as well as in large-scale spray-and-pray campaigns.
Adblock Plus: "It's not such a big deal, but we're fixing it anyway".
The fact that Google Maps and Gmail can be exploited prompted Armin Sebastian to contact the search engine giant before publishing his research. Google's security team told him, however, that they're not willing to review the problem because, according to them, it's rooted in the adblocking extensions, not the web services.
Adblock Plus' developers were also a bit skeptical. In their initial response, they said that the scenario is "very unlikely" because they regularly examine filter lists and vet all contributors who add to these lists. Nevertheless, they said that they'd try to work out a solution, and on Saturday, they announced that the vulnerability had been patched in the extension's latest version.
AdBlock's social media team told concerned users that they're working on a fix, but they haven't officially announced its release. uBlock's developers, on the other hand, haven't discussed the problem at all.
We all know that many users don't like updates, but we also see that security researchers find vulnerabilities in even the simplest apps and plugins day in, day out. That's why, as annoying and painful as they are, the automatic updates on all your software must be turned on at all times.