Adblock(Plus), uBlock Filters Can Be Exploited to Run Malicious Code

P4-630 · Apr 16, 2019

An exploit has been discovered that could allow ad blocking filter list maintainers for the Adblock Plus,
AdBlock, uBlock and uBlocker browser extensions to create filters that inject remote scripts into web sites.
With ad blockers having a a user base of over 10 million installs, if malicious scripts were injected it would have a huge impact as they could perform unwanted activity such as stealing cookies,
login credentials, causing page redirects, or other unwanted behavior.

https://www.bleepingcomputer.com/ne...lters-can-be-exploited-to-run-malicious-code/

UBlock Origin seems unaffected as it doesn't use the $rewrite-function.
https://tweakers.net/nieuws/151612/...rs-zijn-te-misbruiken-voor-code-injectie.html

Vayra86 · Apr 16, 2019

Another reason to get Ublock Origin, its not like the alternatives were that great to begin with.

FreedomEclipse · Apr 16, 2019

good thing i switched to Ublock Origin a long time ago. I made the switch when adblock started taking payments to allow ads from certain companies or on certain websites -- Nope. I use an adblocker to block ads not carry on allowing them to pop up.

SoNic67 · Apr 16, 2019

I recommend using a Pi to run the home DNS server "PiHole". It can use the Ublock Origin lists and many others.

Vayra86 · Apr 16, 2019

FreedomEclipse said:
good thing i switched to Ublock Origin a long time ago. I made the switch when adblock started taking payments to allow ads from certain companies or on certain websites -- Nope. I use an adblocker to block ads not carry on allowing them to pop up.

Yeah that sealed the deal for me too, I used to have ABP until they announced that. Its so fundamentally wrong for an adblocker to start accepting payments to filter certain things and allow others.

Sybaris_Caesar · Apr 16, 2019

Seriously the guy developing uBlock Origin is awesome. Presence is almost every browser out there and he/she doesn't even take a dime. He doesn't even wanna take donation so as to not get attached to what he considers a hobby. I'm gonna be sad the day he abandons it

taz420nj · Apr 19, 2019

SoNic67 said:
I recommend using a Pi to run the home DNS server "PiHole". It can use the Ublock Origin lists and many others.

It uses some of the same domain lists, but PiHole and uBO are two entirely different animals that complement each other. Most of uBO's lists by their nature do not work in PiHole. PiHole is a DNS blocker that can only block whole domains, while uBO is an element blocker - it can block certain elements from a particular domain while allowing others. This is why uBO can block for example inline ads on Youtube while PiHole can not.

lexluthermiester · Apr 19, 2019

P4-630 said:
https://www.bleepingcomputer.com/ne...lters-can-be-exploited-to-run-malicious-code/

I believe that's been patched. The makers of AdBlock were informed before public disclosure to give them run-up time to fix it.

Khonjel said:
I'm gonna be sad the day he abandons it

They'll open source it first.

Robotics · Apr 20, 2019

So another reason to use Brave.

ZeDestructor · Apr 20, 2019

lexluthermiester said:
They'll open source it first.

It's already open-source (GPLv3-licensed too) and there's at least one guy with relatively sizeable contributions:

https://github.com/gorhill/uBlock/ (don't mind the repo name, this is the proper uBlock Origin repo and completely unaffiliated with uBlock)

dj-electric · Apr 20, 2019

Imagine if there was a browser, that was like incredibly fast, free and has a built in blocker for ads and tracking.
Imagine if the founder of Mozilla would make such thing and call it like "brave" or something, and using it will make Chrome and FF look like a joke

Robotics · Apr 20, 2019

dj-electric said:
Imagine if there was a browser, that was like incredibly fast, free and has a built in blocker for ads and tracking.
Imagine if the founder of Mozilla would make such thing and call it like "brave" or something, and using it will make Chrome and FF look like a joke

Not the same. One of them has a 3. party and the other has already built in its own engine source when it was established.

lexluthermiester · Apr 20, 2019

ZeDestructor said:
It's already open-source (GPLv3-licensed too) and there's at least one guy with relatively sizeable contributions:

https://github.com/gorhill/uBlock/ (don't mind the repo name, this is the proper uBlock Origin repo and completely unaffiliated with uBlock)

Fair enough. Wondered about that but wasn't sure.

Eskimonster · Apr 20, 2019

THX, changed to ublock.

Final_Fighter · Apr 20, 2019

nice catch, thanks for the heads up!

vega22 · Apr 20, 2019

Any plugin you use with your browser could be exploited....

lexluthermiester · Apr 20, 2019

vega22 said:
Any plugin you use with your browser could be exploited....

Not easily. This has to do with the way plugin are run by the browser.

vega22 · Apr 21, 2019

lexluthermiester said:
Not easily. This has to do with the way plugin are run by the browser.

If you wanted to create it to leave a backdoor, it's easy.

You need to be weary of all plugins you use. People can just be too trusting of software devs.

lexluthermiester · Apr 21, 2019

vega22 said:
If you wanted to create it to leave a backdoor, it's easy.

While that is true, the plugin vulnerability would soon be discovered and removed. Additionally, it is a serious crime in most countries to deliberately engineer such a backdoor into software.

vega22 · Apr 21, 2019

Go talk to Intel about that.

Or belkin, or a whole host of other companies that left exploits open for the alphabet agencies dude.

Not hard to deny it, even harder to prove it was deliberately put in place :/

ZeDestructor · Apr 24, 2019

vega22 said:
Go talk to Intel about that.

Or belkin, or a whole host of other companies that left exploits open for the alphabet agencies dude.

Not hard to deny it, even harder to prove it was deliberately put in place :/

Why deliberately engineer a backdoor in when it's easier to just find one in there from careless devs? People exploit vulns perfectly well enough without needing to spend lots of time and effort crafting malicious code that need to go through code review, fuzzing and a whole host of security-related layers, and reveal specific sources.

Vayra86 · Apr 24, 2019

ZeDestructor said:
Why deliberately engineer a backdoor in when it's easier to just find one in there from careless devs? People exploit vulns perfectly well enough without needing to spend lots of time and effort crafting malicious code that need to go through code review, fuzzing and a whole host of security-related layers, and reveal specific sources.

This is actually usually how it goes. Backdoors aren't built, they're just left open and the key is passed on to someone who knows how to keep a secret. Everybody happy and none the wiser... until it comes out.

ZeDestructor · Apr 24, 2019

Vayra86 said:
This is actually usually how it goes. Backdoors aren't built, they're just left open and the key is passed on to someone who knows how to keep a secret. Everybody happy and none the wiser... until it comes out.

And that's why we like open-source software and tools like fuzzers and so on: it lets us find and fix those vulns faster and easier. Usually, anyways...

Overall the NSA, CIA and friends' intrusion teams (seem to) work independently from the defensive teams and the more conscientious parts of the industry and tell nothing. The defensive side, on the other hand do their damnedest to get info to devs for fixes to come out ASAP... to varying degrees of success depending on the vendor.

SoNic67 · Apr 24, 2019

Usually a junior dev can afford to work for free.
But after a while live gets in the way and he needs to work to pay bills. At that point, if is good, is recruited by any of the "evil" companies.
So all in all the open software people are not better than the "other" people, because... they evolve in them. That's life.

R-T-B · Apr 24, 2019

lexluthermiester said:
Additionally, it is a serious crime in most countries to deliberately engineer such a backdoor into software.

Actually, I'm unaware of any actual laws against it, provided such backdoor was not made with malicious intent.

SoNic67 said:
So all in all the open software people are not better than the "other" people, because... they evolve in them. That's life.

Tell that to Stallman & Linus. I think they must've missed your memo.

SoNic67 said:
At that point, if is good, is recruited by any of the "evil" companies.

Also kinda false because you HAVE to be good to get an open source project of any scale to accept a commit. They are generally C, which is a helluva language, and have submission standards that make my eyes water today.

Vayra86 said:
Backdoors aren't built,

A "backdoor" is by definition, an intentionally engineered back entrance. They aren't just bugs. So of course they are intentional, what might be unintentional is leaving them in the final retail build...

System Name	AlderLake
Processor	Intel i7 12700K P-Cores @ 5Ghz
Motherboard	Gigabyte Z690 Aorus Master
Cooling	Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans
Memory	32GB DDR5 Corsair Dominator Platinum RGB 6000MT/s CL36
Video Card(s)	MSI RTX 2070 Super Gaming X Trio
Storage	Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2
Display(s)	23.8" Dell S2417DG 165Hz G-Sync 1440p
Case	Be quiet! Silent Base 600 - Window
Audio Device(s)	Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533
Power Supply	Seasonic Focus Plus Gold 750W
Mouse	Logitech MX Anywhere 2 Laser wireless
Keyboard	RAPOO E9270P Black 5GHz wireless
Software	Windows 11
Benchmark Scores	Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock

System Name	Tiny the White Yeti
Processor	7800X3D
Motherboard	MSI MAG Mortar b650m wifi
Cooling	CPU: Thermalright Peerless Assassin / Case: Phanteks T30-120 x3
Memory	32GB Corsair Vengeance 30CL6000
Video Card(s)	ASRock RX7900XT Phantom Gaming
Storage	Lexar NM790 4TB + Samsung 850 EVO 1TB + Samsung 980 1TB + Crucial BX100 250GB
Display(s)	Gigabyte G34QWC (3440x1440)
Case	Lian Li A3 mATX White
Audio Device(s)	Harman Kardon AVR137 + 2.1
Power Supply	EVGA Supernova G2 750W
Mouse	Steelseries Aerox 5
Keyboard	Lenovo Thinkpad Trackpoint II
VR HMD	HD 420 - Green Edition ;)
Software	W11 IoT Enterprise LTSC
Benchmark Scores	Over 9000

System Name	WorkInProgress
Processor	AMD 7800X3D
Motherboard	MSI X670E GAMING PLUS
Cooling	Thermalright AM5 Contact Frame + Phantom Spirit 120SE
Memory	2x32GB G.Skill Trident Z5 NEO DDR5 6000 CL32
Video Card(s)	Gainward RTX 4070Ti Phantom Reunion (The54thvoid Edition)
Storage	WD SN770 1TB (Boot)\|1x WD SN850X 8TB (Gaming)\| 2x2TB WD SN770\| 2x2TB+2x4TB Crucial BX500
Display(s)	LG GP850-B
Case	Corsair 760T (White) {1xCorsair ML120 Pro\|5xML140 Pro}
Audio Device(s)	Yamaha RX-V573\|Speakers: JBL Control One\|Auna 300-CN\|Wharfedale Diamond SW150
Power Supply	Seasonic Focus GX-850 80+ GOLD
Mouse	Logitech G502 X
Keyboard	Cherry G80-3000N (TKL)
Software	Windows 11 Home
Benchmark Scores	ლ(ಠ益ಠ)ლ

System Name	Tiny the White Yeti
Processor	7800X3D
Motherboard	MSI MAG Mortar b650m wifi
Cooling	CPU: Thermalright Peerless Assassin / Case: Phanteks T30-120 x3
Memory	32GB Corsair Vengeance 30CL6000
Video Card(s)	ASRock RX7900XT Phantom Gaming
Storage	Lexar NM790 4TB + Samsung 850 EVO 1TB + Samsung 980 1TB + Crucial BX100 250GB
Display(s)	Gigabyte G34QWC (3440x1440)
Case	Lian Li A3 mATX White
Audio Device(s)	Harman Kardon AVR137 + 2.1
Power Supply	EVGA Supernova G2 750W
Mouse	Steelseries Aerox 5
Keyboard	Lenovo Thinkpad Trackpoint II
VR HMD	HD 420 - Green Edition ;)
Software	W11 IoT Enterprise LTSC
Benchmark Scores	Over 9000

System Name	SYBARIS
Processor	AMD Ryzen 5 3600
Motherboard	MSI Arsenal Gaming B450 Tomahawk
Cooling	Cryorig H7 Quad Lumi
Memory	Team T-Force Delta RGB 2x8GB 3200CL16
Video Card(s)	Colorful GeForce RTX 2060 6GV2
Storage	Crucial MX500 500GB \| WD Black WD1003FZEX 1TB \| Seagate ST1000LM024 1TB \| WD My Passport Slim 1TB
Display(s)	AOC 24G2 24" 144hz IPS
Case	Montech Air ARGB
Audio Device(s)	Massdrop + Sennheiser PC37X \| Koss KSC75
Power Supply	Corsair CX650-F
Mouse	Razer Viper Mini \| Cooler Master MM711 \| Logitech G102 \| Logitech G402
Keyboard	Drop + The Lord of the Rings Dwarvish
Software	Tiny11 Windows 11 Education 24H2 x64

System Name	Diablo \| Baal \| Mephisto
Processor	Ryzen 9800X3D \| 2x Xeon E5-2697v4 \| i7-13900H
Motherboard	ASRockRack B650D4U-2L2T/BCM \| Supermicro X10DRH-iT \| Lenovo Thinkpad P1 Gen 6
Cooling	Custom loop \| SC846 Chassis cooled\| dual-fanned heatpipes with LM
Memory	64GiB DDR5-5600 ECC \| 256GiB DDR4-3200 ECC RDIMM \| 64GiB DDR5-5600
Video Card(s)	RTX 3090 Ti Founder's Edition \| Embedded ASPEED2400 \| RTX 5000 Ada Mobile (80W)
Storage	many, many SSDs and HDDs....
Display(s)	Dell U3014 + Dell U3011 \| SMCI IPMI KVMoIP \| 3840×2400 Samsung OLED
Case	Caselabs TH10A \| Supermicro SC846 \| Lenovo Thinkpad P1 Gen 6
Audio Device(s)	Creative SoundBlaster X4 \| None \| On-board + Moondriver2 Ti + Bluetooth
Power Supply	Corsair AX1600 \| 1200W PSU (Delta) \| Lenovo 230W or 300W
Mouse	Logitech G604
Keyboard	1985 IBM Model F 122-key, Lenovo integrated
VR HMD	The wait for 4K per eye is long and winding....
Software	FAAAR too much to list

System Name	Iglo
Processor	5800X3D
Motherboard	TUF GAMING B550-PLUS WIFI II
Cooling	Arctic Liquid Freezer II 360
Memory	32 gigs - 3600hz
Video Card(s)	EVGA GeForce GTX 1080 SC2 GAMING
Storage	NvmE x2 + SSD + spinning rust
Display(s)	BenQ XL2420Z - lenovo both 27" and 1080p 144/60
Case	Fractal Design Meshify C TG Black
Audio Device(s)	Logitech Z-2300 2.1 200w Speaker /w 8 inch subwoofer
Power Supply	Seasonic Prime Ultra Platinum 550w
Mouse	Logitech G900
Keyboard	Corsair k100 Air Wireless RGB Cherry MX
Software	win 10
Benchmark Scores	Super-PI 1M T: 7,993 s :CinebR20: 5755 point GeekB: 2097 S-11398-M 3D :TS 7674/12260

Processor	ryzen 5 5600x
Motherboard	AB350m Pro4
Cooling	custom loop
Memory	TEAMGROUP T-Force TXKD416G3600HC18ADC01 16gbs XMP
Video Card(s)	HP GTX1650 super 4gb
Storage	MZVLB256HBHQ-000H1 PM981a (256GB)/3TB HDD
Display(s)	Nitro XF243Y Pbmiiprx
Case	Rosewill CULLINAN
Audio Device(s)	onboard
Power Supply	Corsair 750w
Mouse	Best Buy Insignia
Keyboard	Best Buy Insignia
Software	Win 10 pro

System Name	panda
Processor	6700k
Motherboard	sabertooth s
Cooling	raystorm block<black ice stealth 240 rad<ek dcc 18w 140 xres
Memory	32gb ripjaw v
Video Card(s)	290x gamer<ntzx g10<antec 920
Storage	950 pro 250gb boot 850 evo pr0n
Display(s)	QX2710LED@110hz lg 27ud68p
Case	540 Air
Audio Device(s)	nope
Power Supply	750w superflower
Mouse	g502
Keyboard	shine 3 with grey, black and red caps
Software	win 10
Benchmark Scores	http://hwbot.org/user/marsey99/

System Name	Pioneer
Processor	Ryzen 9 9950X
Motherboard	MSI MAG X670E Tomahawk Wifi
Cooling	Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory	128GB (4x 32GB) G.Skill Flare X5 @ DDR5-4200(Running 1:1:1 w/FCLK)
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs, 1x 2TB Seagate Exos 3.5"
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64, other office machines run Windows 11 Enterprise

Adblock(Plus), uBlock Filters Can Be Exploited to Run Malicious Code

~Technological Technocrat~