AdBlock, AdBlock Plus, uBlock Filter Vulnerability Allows Arbitrary Code Injection in Browsing Sessions: Researcher

A new alleged vulnerability has been discovered, this time in AdBlock, AdBlock Plus, and uBlock extensions. The vulnerability exists in a filter for rewriting requests (called $rewrite filter) that was introduced in AdBlock Plus first in July last year with v3.2. Under certain conditions the $rewrite filter option apparently enables filter list maintainers to inject arbitrary code in webpages. A malicious filter author can steal online credentials, tamper sessions, or redirect pages using this vulnerability.

Security researcher Armin Sebastian discovered the vulnerability, and he claims that the problem was introduced with the $rewrite filter option that was introduced last year. This filter allows ad blockers to remove tracking data, prevent forced ads by websites, and block circumvention attempts. The $rewrite filter option allows rewrites only within the same origin, and requests of SCRIPT, SUBDOCUMENT, OBJECT, and OBJECT_SUBREQUEST types are not processed.

However, under certain conditions, the Web servers can be exploited. These conditions include that the page must load a JS string using XMLHttpRequest or Fetch and execute the returned code, and the page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code. The origin of the fetched code must also have a server-side open redirect or it must host arbitrary user content. If these conditions are met with, then malicious filter authors can inject malicious code. The researcher says that Gmail and Google Images also meet these listed conditions to be exploitable, and he even demoed how the security flaw could be triggered using Google Maps.

The $rewrite filter option is available on AdBlock Plus, AdBlock, and uBlock; and together they have more than 100 million active users, Sebastian claims. He adds that the vulnerability is "trivial to exploit", and can be used to attack any sufficiently complex Web service, including Google services. He added these attacks are said to be "difficult to detect and are deployable in all major browsers."

As a temporary workaround, Sebastian advises users to switch to uBlock Origin as it does not support the $rewrite filter option and it is not vulnerable to the described attack. He also advices ad blocking extensions to drop support for the $rewrite filter option.