
Chrome addons hacking: Bye Bye AdBlock filters - necenzurat
http://blog.kotowicz.net/2012/03/chrome-addons-hacking-bye-bye-adblock.html?spref=tw
======
cmelbye
His tone when he talks about extensions modifying the DOM of random sites,
injecting CSS, etc was funny; almost as if they have some god-given right to
control exactly how their site will appear on my computer. As long as I
control the browser software, it's always going to be possible for me to
choose how web sites are displayed on my computer.

------
overshard
Bye bye scripting with noscript and scriptno. This is nifty but if people
don't want ads people won't have ads. As someone who makes most of his money
off of ads I understand the want to stop ad blockers but I'd rather just
provide a good, clean experience and when an ad is blocked put up a nice
message saying how I make my money off of ads and to please disable ad block
on my website.

This method seems intrusive to me and like an "Ah ha! I stopped your ad
blocker from working! TAKE THAT!"

~~~
rickmb
But then again, putting ads on web pages is already a matter of "Ah ha! I
fooled you into downloading ads by offering you content! TAKE THAT!"

As far as I'm concerned, putting ads on web pages has always been an intrusive
and deceitful business model to begin with. I sincerely hope that there will
come a day when advertising via ambushing consumers is no longer considered
acceptable.

~~~
loso
Most people know that when they go to a web site, if they are not paying for
it, then there are going to be ads on there. If they are put right in the open
how is that deceitful?

~~~
slowpoke
Just because that's the way it is, doesn't mean it's the way it should be.

If you know you will be ambushed and robbed on your way through the forest,
would you also say "well, that cannot be helped, people know that when they
enter the forest" (excuse me for the rather harsh analogy, it's the best I
could spontaneously come up with).

~~~
vertex-four
Sending you advertisements along with your content is _not_ the same as taking
something from you.

~~~
slowpoke
Thus my acknowledgement of the bad analogy. The point I was trying to make is
that even if you know in advance that something undesirable will happen,
that's still not a justification for said undesirable thing.

~~~
Karunamon
I respectfully disagree. I understand a good portion of hackers find the
entire concept of advertising to be distasteful, but why this melodrama?
"Ambush"? Likening it to robbery? Really..?

It's a few hundred pixel banner that's trying to convince you to buy
something. Not a requirement that you sacrifice your firstborn.

~~~
slowpoke
> _It's a few hundred pixel banner that's trying to convince you to buy
> something._

Yes, and that's undesirable to a lot of people. It's distracting and,
depending on the intrusiveness of the ad(s), annoying to outright rude. It's
gotten to the point that it's hard for me to use the internet when I'm on a
computer without a decent ad-blocker. Imagine trying to read a book while a
bunch of persons are screaming inane stuff at you; that's what it feels like.

Actually, I long for the day when display goggles and computer vision have
advanced far enough for a "real-life ad-blocker". The world would be a much
better place.

I didn't intend to liken displaying ads to heinous acts of infanticide or
anything of the sort.

------
Sephr
Domain-based ad blocking rules cannot be bypassed this way in Chrome if you
are running a development build of Adblock Plus
(<https://adblockplus.org/en/development-builds>) on Chrome, which makes use
of Chrome's new WebRequest extension API.

~~~
est
This troubles me. If ad blocking cannot intercept HTTP calls, why even bother
hiding them?

The point of ad blocking is saving bandwidth and speeding up page browsing
dramatically.

I am going to block all third-party JavaScript with the WebRequest extension API.

~~~
shimon_e
All the Android ad blockers work by modifying the hosts file and null routing
ad servers.

Requires rooting and it blocks ads in everything not just the browser.

~~~
est
It doesn't really require rooting if you have a customized DNS server.

------
angry-hacker
The first method is also working with Firefox and Adblock Plus.

I remember once Adblock became popular, there were a few sites blocking users
with Adblock. They calculated some element's height and if Adblock blocked
the ads in that element, the height didn't match. So they disabled the whole
page and asked users to turn off Adblock or white-list them.

~~~
TheEskimo
You are incorrect. It does not bypass Adblock on Firefox. Yes, the ad shows,
but that's because it does not trigger any of Firefox's blocking rules
(assuming Fanboy's List. I didn't check the others). He triggers Chrome's by
the element of name="google_ads_try". Firefox does not block elements of that
name. Firefox's much more powerful plugin architecture allows Adblock Plus on
Firefox to actually prevent ads from loading; it doesn't insert CSS to hide
them. As such, JavaScript to try and prevent CSS injection does absolutely
nothing against Adblock Plus.

As a proof of concept, visit this site (it's his, modified to hit Adblock
Plus's Fanboy's List by adding ?bannerid=100 to the end)
<http://pastehtml.com/view/bstgyxtln.html>. Turn Adblock on and off and
notice how, even though I left his anti-adblocking code in, it's helpless to
stop Firefox actually blocking it.

~~~
magicalist
As Sephr notes above, I believe AdBlock Plus fully blocks resource loading in
Chrome with the WebRequest API.

<http://code.google.com/chrome/extensions/trunk/webRequest.html>

Does anyone know why it fails here then? It looks like there might be some
other issues with the dev version, so maybe the new method of blocking just
hasn't moved into the full version of ABP for Chrome yet?

------
newman314
Having used both Firefox and Chrome, Firefox just has a much more powerful
extension model which is unfortunate. It's always seemed that Chrome
extensions were just a lite version without sufficient thought given to the
initial intercept (which would be key for plugins like adblock)

------
fab13n
I might be wrong, but it seems to me that ad blockers are mostly used by
sophisticated users who won't fall into the "you're the millionth user!" scams
anyway.

For the ad seller, the bandwidth used to serve non-dumb users is a net loss,
so non-trivial-to-install ad blockers are rather beneficial to them if they
don't download the resource at all. Even more so if they pay for the ad per
view rather than per click.

Disabling the ad blocker remains beneficial to the hosting site, though:

- if ads are paid per view, more ads unblocked == more money;

- if they're paid per click, ads will drive away people who never click
anyway: saved bandwidth!

~~~
jonny_eh
Not necessarily. Nearly everyone knows a savvy person like us. I've installed
Adblock on many computers belonging to less savvy people, people who might be
inclined to click on ads.

Also, not all ads are brain dead "you're the millionth user!" type. Some
(most?) are targeted to the individual. When I'm browsing with Adblock turned
off I see all sorts of ads for web services that I would genuinely consider
buying.

~~~
freehunter
When I'm doing computer services as part of my side job, I usually install
AdBlock and set the option to allow Google ads. I know there are a lot of ads
out there which are great and useful and nice and I would like to be seen, but
Google's are the only ones I know I can trust to not be large, resource
intensive Flash ads hosting malicious exploits.

------
bdg
I install adblock to make viewing content on your site bearable. No, I really
don't want to know the one weird odd tip of anything, or a flashing banner, or
something that starts talking, or these pop-under windows. I can't even use
Merriam-Webster without adblock to look up a word unless I want to get an audio
blast of something, a Netflix pop-under, and 2-4 other tap dancing gifs
surrounding a definition. I can't even pay for an ad-free subscription to the
site.

I use adblock to make your site usable. But hey, I understand, you have to
keep up the good fight. Keep fighting your users.

~~~
gyardley
No need for the self-righteousness. The guy's a web security researcher who's
doing AdBlock users a favor by posting this stuff publicly.

If he was actually trying to screw over you rascally freeloaders, he wouldn't
be posting instructions, he'd be quietly deploying and profiting.

~~~
bdg
> self-righteousness

I think you've interpreted that as an attack on the article's OP, not the fact
that I have to use adblock to make the web usable.

------
mrchess
FYI when you go here it messes up your Adblock and turns it on for all sites.
To fix it go to adblock settings and remove the last entry from the Filter
List tab.

------
woodall
Without going too in-depth, it looks like he is able to modify whatever
localStorage list AB is using. I wonder how the extension is reading said list
and if it is possible to maybe inject some code -
function(){log_all_keys_pseudo_code} - that hijacks Chrome; presuming it is
being evaled.

------
av500
Pardon my ignorance, but what would prevent ad-serving websites from totally
"inlining" the ads inside their own website HTML/CSS/JS? They could even
render ads as fonts and vector graphics; how would an ad-blocker tell that
apart from the content part of the web page?

~~~
sdcooke
Most people use ad networks and ad networks generally don't provide a way to
get the ads on the server side. That would also be more complicated than
sticking an iframe/script tag on the page for the publisher.

If you don't want to use a network, you have to sell the ads direct yourself -
which isn't easy.

~~~
av500
I am aware that it would be more complicated, but not impossible. I guess for
the time being the percentage of blocked ads is still small, but once it gets
significant, websites and ad providers will take the next step in the arms race.

------
fitzpasd
I find it strange that Facebook doesn't incorporate this in some manner since
it is mentioned in their IPO filing that they consider AdBlockers potentially
harmful to the business model.

------
dbcooper
The 1st bypass method works on Adblock Plus (for Chrome) too.

------
nextparadigms
I'm using the other Adblock extension. Does this affect it?

------
necenzurat
If I would and "adblock" I would use the hosts file
<http://winhelp2002.mvps.org/hosts.htm>

------
JohnQPasserby
Cannot resize text on mobile? echo "0.0.0.0 kotowicz.net" >> /etc/hosts

~~~
lloeki
Chrome and Safari extensions being apparently similar, does that impact Safari
as well?

