There’s a serious vulnerability which affects a few popular ad blockers and could potentially allow for all manner of nastiness to be inflicted.
According to Armin Sebastian, the flaw is present in Adblock, Adblock Plus and uBlock, and pertains to a new filter option introduced by Adblock Plus version 3.2 in July 2018, which was subsequently adopted by the other ad blocking extensions (uBlock is also owned by Adblock, in case you were wondering, and is unrelated to uBlock Origin).
The new filter option in question is for rewriting requests, and is essentially used to remove tracking data and prevent adverts from getting around being blocked. However, Sebastian notes that: “Under certain conditions the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages.”
- We've chosen all the best web browsers
- Google Chrome now blocks fake ads off the bat
- How to fix Google Chrome
What’s rather worrying is that this feature is described as “trivial” to exploit, and could have widespread impact given that the aforementioned ad blockers have in excess of 100 million active users.
Someone exploiting this hole in the filter system could engage in all sorts of malicious activity, such as pilfering your online logins, for example.
The security researcher further observed that the exploit can be leveraged across all major browsers, and with web services that fit certain criteria detailed in his blog post (opens in new tab). That includes Google services such as Gmail, Maps, and Google Images.
Sebastian says: “Please note that the vulnerability is not limited to Google services, other web services could be affected as well.”
He has contacted Google regarding the vulnerability, but was told by the company that the flaw was ‘intended behavior’ when it comes to its services – in other words, this is an issue for the makers of the ad blockers to sort out, and nothing to do with Google.
Sebastian believes this is an unfortunate conclusion to reach, and points out that the problem isn’t just about flaws in the ad blocking browser extensions, but also web service vulnerabilities, all of which are chained together to allow the exploit.
Adblock Plus, meanwhile, has acknowledged the issue, although the company couches the exploit in very different terms, describing it as “non-trivial” to exploit – in direct opposition to what the security researcher believes – and underlining that it will only work for some websites.
Still, Adblock Plus admits (opens in new tab) it’s a serious matter, and that “despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible.”
The company adds: “We are doing this as a measure of precaution. There has not been any attempt of abusing the rewrite option and we will do everything we can to ensure this won’t happen.”
While the risk may (or may not) be low, as Adblock Plus claims, the stakes have doubtless got a bit higher now that the exploit is public knowledge.
So, until a new updated version of Adblock Plus (and presumably the other ad blockers affected by the flaw) is released, what can you do in the meantime?
Sebastian advises that users might want to consider switching to uBlock Origin, which doesn’t have the $rewrite filter option, and so is in the clear – at least until the issue has been sorted with the affected ad blocking extensions.