Adblock Plus is the world’s most popular free advert blocker with more than 10 million users. It has extensions that run in all the major web browsers including Chrome, Edge, Firefox, Opera and Safari. It also has a security problem: a security researcher has discovered that it’s possible for Adblock Plus filter lists to inject malicious code in several Google services including Gmail, Google Images and Google Maps.
How does the exploit work?
Security researcher Armin Sebastian reports that Adblock Plus introduced a new filter option last year which, under certain circumstances, enables the providers of those advert-filtering lists to execute arbitrary code. “The feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers,” Sebastian wrote. The exploit works thanks to support for the $rewrite filter option, which is used to remove tracking data and block adverts by redirecting those requests. These filter lists, maintained and operated by third-party providers, determine what content is blocked when you load a web page into your browser. Rather than simply blocking the content, a filter can sometimes redirect the request instead, and that is where the $rewrite option comes in. Although there are safeguards in place to prevent malicious exploitation, it is possible if the target site meets a number of technical criteria, primarily to do with redirects and how scripts are downloaded. Sebastian was able to find a number of such sites, including sites operated by Google, and used Google Maps as a proof of concept for the exploit.
What can hackers do with this?
I contacted Sebastian earlier today and he explained that “the vulnerability is present in several Google services because there is no restriction on the domains from which scripts are accepted, and the sites also host an open redirect.” While the Adblock Plus browser extension security issue has to be chained together with these vulnerabilities in the respective web services in order to produce a working exploit, the result can be pretty serious for the victim. Using Google Maps as an example, Sebastian was able to create a filter list with a rule that redirects the target request to Google’s I’m Feeling Lucky search, which in turn redirects the user to the payload page; in this case just an alert. However, Sebastian also told me that he could use the same technique against Gmail. “A working exploit for Gmail has not been released because it would enable filter list publishers to read emails, reset passwords and hijack accounts for other services,” he explains, all the while “hiding the malicious activity from users.” These attacks would be difficult to detect as the rogue list operator can set a short expiration time for the malicious filter and then replace it with a non-harmful one again.
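One check a defender can run on a third-party subscription before enabling it is to list every $rewrite rule it contains and rate where each one sends the request. The script below is an added example, not code from the article or from Adblock Plus; its option grammar is modelled on the extension's filter syntax as an assumption, the sample list and domains are constructed, and it assumes abp-resource: targets (built-in neutral replacements) cannot redirect anywhere.

```python
import re

# Trailing "$opt,opt=value,..." section of an ABP request filter; modelled on
# the extension's option grammar as an assumption, not copied from its code.
OPTIONS_RE = re.compile(r"\$(~?[\w-]+(?:=[^,]*)?(?:,~?[\w-]+(?:=[^,]*)?)*)$")

def parse_options(rule):
    """Split one request filter into (url_pattern, {option: value})."""
    if rule.startswith("/") and rule.endswith("/"):
        return rule, {}                      # bare regex filter, no options
    m = OPTIONS_RE.search(rule)
    if not m:
        return rule, {}
    opts = {}
    for opt in m.group(1).split(","):
        name, _, value = opt.partition("=")
        opts[name.lower()] = value
    return rule[:m.start()], opts

def rate_rewrite(target):
    """Classify a $rewrite target by how far it can send the request."""
    if target.startswith("abp-resource:"):
        return "info"       # built-in neutral resource, no redirect possible
    if re.match(r"(?i)https?://", target) or target.startswith("//"):
        return "high"       # absolute URL: a redirect chain can start here
    return "medium"         # relative or templated target, review by hand

def audit_filter_list(text):
    """Return (line_no, url_pattern, target, severity) for every $rewrite rule."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "![" or re.search(r"#[@?]?#", line):
            continue                         # header, comment or element-hiding rule
        pattern, opts = parse_options(line)
        if "rewrite" in opts:
            target = opts["rewrite"]
            findings.append((n, pattern, target, rate_rewrite(target)))
    return findings

# Constructed sample subscription; the domains are placeholders, not real lists.
SAMPLE_LIST = """[Adblock Plus 2.0]
! Title: constructed sample list
||tracker.example/pixel.gif^$image
||ads.example/lib.js$rewrite=abp-resource:blank-js
||api.example/config.json$rewrite=https://redirect.example/out?u=https://third-party.example/x.js,xmlhttprequest
example.org##.banner
"""
```

Running audit_filter_list(SAMPLE_LIST) reports the abp-resource: rule as informational and the absolute-URL rewrite of an XMLHttpRequest as high, which is the shape of rule worth questioning before trusting a list.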
What is the real-world risk?
What should you do now?
As previously mentioned, if you stick to the default filter list then the risk of compromise is very low. If you do use an alternative, ensure it comes from a highly trusted source. Sebastian has contacted Google regarding the vulnerability but tells me “the report was closed as being intended behavior.” This would appear to be because Google sees the issue as lying in the Adblock Plus extension, something Sebastian regards as an unfortunate conclusion. “The exploit is composed of a set of browser extension and web service vulnerabilities that have been chained together,” he insists. In a statement posted online, a spokesperson for Adblock Plus says the attack mode is a “very unlikely scenario” as “we vet all authors who contribute to filter lists that are enabled in Adblock Plus by default” and “we examine these filter lists regularly.” That said, Adblock Plus says it takes the matter very seriously and has confirmed that no common filter lists have abused the filter option. What’s more, the statement continues, “it is our responsibility to protect our users, and despite the actual risk being very low we have decided to remove the rewrite option with the next update of Adblock Plus…”