Attackers could put arbitrary code into web pages, researcher warns

A vulnerability in the world’s leading ad blocker, Adblock Plus, could allow an attacker to inject arbitrary code into web pages by exploiting a recently introduced feature.

The issue could allow an attacker to leverage filter lists to steal information or redirect page requests, according to security researcher Armin Sebastian.

Adblock Plus, which has over 10 million users according to the Chrome web store, introduced the new filter option in v3.2, released in July 2018 for all major browsers.

“Under certain conditions the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages,” Sebastian wrote in a blog post.

“The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers.”

Adblock Plus blocks content and redirects requests for data through a filter list maintained by third-party providers such as Google.

But in certain instances, Sebastian found, filter lists can be leveraged to inject malicious scripts into a site.

These scripts could steal data such as login credentials and cookies, and cause other issues.

“Web services can be exploited with the help of this filter option when they use XMLHttpRequest or Fetch to download code snippets for execution, while allowing requests to arbitrary origins and hosting a server-side open redirect,” he said.

“Attacks are difficult to detect because the operator may set a short expiration time for the malicious filter list, which is then replaced with a benign one.

“Organizations and individuals may be targeted based on the IP addresses from which the updates are requested.”
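The conditions Sebastian lists point to a check a web service can make on its own side: confirm where a fetched code snippet finally came from before executing it. The sketch below is an added example, not code from Sebastian's post or from Adblock Plus; the origins, URLs and the names `vetSnippetResponse` and `loadSnippet` are assumptions made for illustration.

```javascript
// Origins this service trusts for executable snippets (constructed values).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://static.example.com",
]);

// Decide whether a fetched response may be handed to a script sink.
// `response` needs only the standard Fetch fields `ok` and `url`;
// `url` is the final URL after any redirects were followed.
function vetSnippetResponse(response, allowed = ALLOWED_ORIGINS) {
  if (!response.ok) return { trusted: false, reason: "http-error" };
  let finalOrigin;
  try {
    finalOrigin = new URL(response.url).origin;
  } catch {
    // An empty or malformed final URL cannot be attributed to an origin.
    return { trusted: false, reason: "unparseable-final-url" };
  }
  if (!allowed.has(finalOrigin)) {
    return { trusted: false, reason: `untrusted-origin:${finalOrigin}` };
  }
  return { trusted: true, reason: "ok" };
}

// Fetch a snippet and return its text only if the final origin is allowed.
// `fetchImpl` is injectable so the check can be exercised offline.
async function loadSnippet(url, fetchImpl = fetch) {
  const response = await fetchImpl(url, { credentials: "omit" });
  const verdict = vetSnippetResponse(response);
  if (!verdict.trusted) throw new Error(`snippet rejected: ${verdict.reason}`);
  return response.text();
}

// Constructed responses: one served directly, one that arrived
// after a redirect to an origin outside the allowlist.
const direct = { ok: true, redirected: false, url: "https://static.example.com/widgets/menu.js" };
const bounced = { ok: true, redirected: true, url: "https://other.example.net/payload.js" };

console.log(vetSnippetResponse(direct));
console.log(vetSnippetResponse(bounced));
```

A `connect-src` directive in the site's Content Security Policy that lists the same origins applies this restriction in the browser itself, and removing the server-side open redirect takes away another of the conditions.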

Adblock Plus dismissed the problem as “non-trivial”, claiming it only affects certain websites, and that there is no “existing” threat to users.

“We already confirmed that no common filter lists abused this filter option,” it said.

“This means that there is no existing threat to any user of Adblock Plus.”

Adblock Plus explained that the filter feature was added in order to give authors more control and that it was working as intended.

“We were aware of security concerns regarding this feature, discussed this extensively and implemented restrictions to mitigate any risk,” it said.

“As demonstrated by Armin Sebastian now, these measures weren’t sufficient for some websites.”