The AchieVer, Posted April 16, 2019

Adblock Plus filters can be abused to execute malicious code in browsing sessions

The vendor was not aware of the problem until public disclosure.

An exploit has been uncovered in the filter systems of Adblock, Adblock Plus, and uBlock which may permit attackers to remotely inject arbitrary code into web pages.

Security researcher Armin Sebastian said in a blog post on Monday that the issue lies within version 3.2 of the Adblock Plus software, which introduced a new filter option for rewriting requests in 2018.

This feature, also adopted by AdBlock and uBlock, is vulnerable to a security flaw deemed "trivial" to exploit by Sebastian, and the issue could potentially be leveraged in attacks including the theft of online credentials, session tampering, or page redirection.

According to the researcher, as the impacted extensions account for over 100 million monthly active users, the security flaw may have a massive impact if exploited in the wild by a malicious filter author.

"The feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers," Sebastian says.

Filter lists are core components of ad blocking software as they provide a repository of URLs which are considered to be suspicious, malicious, or related to advertising. When an ad blocker is installed on a browser, while users are surfing the web, the software accesses these lists and prevents such content from loading.

The problem lies in the $rewrite filter option, a feature introduced last year. $rewrite is used by some ad blockers to block circumvention attempts, remove tracking data, and to prevent websites from forcing ads on visitors using blocking software.

Rewrites, however, can only take place within the same domain as an original request, and SCRIPT, SUBDOCUMENT, OBJECT, and OBJECT_SUBREQUEST request types are not accepted.
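As an added example (not from the article, from Adblock Plus, or from either poster), here is a small Python audit that lists every $rewrite rule in a subscribed filter list and flags the two properties the article describes: rewrite targets that leave the anchored domain, and rules applied to the excluded request types. It assumes the ABP 3.2-era `pattern$rewrite=<url>` option syntax with `||host^` anchors; the sample list is constructed.

```python
import re
from urllib.parse import urlsplit

# Request types the article says $rewrite must not apply to (ABP option spellings).
FORBIDDEN_TYPES = {"script", "subdocument", "object", "object-subrequest"}

# Constructed sample list (not a real subscription); only the last three rules use $rewrite.
SAMPLE_LIST = """\
! constructed sample, not a real filter list
||ads.example.net^$image
||example.com/track.js$rewrite=https://example.com/blank.js,script
||example.com/api/*$rewrite=https://third-party.example/collect
||cdn.example.com/lib/*.js$rewrite=https://cdn.example.com/lib/noop.js
"""

def parse_rule(line):
    """Split 'pattern$opt1,opt2=value' into (pattern, {opt: value}).
    Regex filters (/.../) are out of scope for this audit."""
    pattern, sep, opts = line.partition("$")
    if not sep:
        return line, {}
    options = {}
    for opt in opts.split(","):
        name, _, value = opt.partition("=")
        options[name.strip().lower()] = value.strip()
    return pattern, options

def same_site(target_host, anchor):
    """True when the rewrite target stays on the anchored domain or a subdomain of it."""
    return target_host == anchor or target_host.endswith("." + anchor)

def audit_filter_list(text):
    """Return one finding per $rewrite rule as (line_no, target_url, reasons)."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "![":  # comment or list header
            continue
        pattern, options = parse_rule(line)
        if "rewrite" not in options:
            continue
        target = options["rewrite"]
        reasons = []
        anchor = re.match(r"\|\|([\w.-]+)", pattern)
        target_host = urlsplit(target).hostname
        if anchor is None:
            reasons.append("no ||domain anchor: rule can match requests on any origin")
        elif target_host and not same_site(target_host, anchor.group(1).lower()):
            reasons.append(f"target host {target_host} is off the anchored domain")
        bad_types = FORBIDDEN_TYPES & set(options)
        if bad_types:
            reasons.append("applies to excluded type(s): " + ", ".join(sorted(bad_types)))
        findings.append((line_no, target, reasons))  # same-site rules still get listed
    return findings

if __name__ == "__main__":
    for line_no, target, reasons in audit_filter_list(SAMPLE_LIST):
        print(f"line {line_no}: rewrite -> {target}; " + ("; ".join(reasons) or "same-site, review manually"))
```

Even a same-site rewrite is reported, because the article's point is that any $rewrite rule lets the list author swap one resource on a site for another, so every such rule deserves a manual look before the list is trusted.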
halvgris, Posted April 16, 2019

This is why you should use Pi-hole on a separate device. pi-hole.net