Adblock Plus Filters Can Be Exploited to Run Malicious Code

CyberTech

An exploit has been discovered that could allow ad blocking filter maintainers for the Adblock Plus, AdBlock, and uBlocker ad blockers to create rules that inject remote scripts into web sites.

With a user base of over 10 million users, injecting malicious scripts would have a huge impact as the scripts would be able to perform a variety of malicious functions such as stealing cookies, login credentials, causing page redirects, or other unwanted behavior.

This is possible through the $rewrite filter option that was added to Adblock Plus 3.2 in 2018 and then subsequently added to the AdBlock and uBlock extensions.

The $rewrite rule allows you to replace a web request that matches a particular regular expression with another URL. The only caveat is that the replacement string must be a relative URL, which means it does not contain a hostname, and when rewritten must be in the same origin domain as the original request.

More information
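
The constraint described in the post above (the replacement must be a relative URL that stays in the request's origin), as an added example that is not part of the original post or of any ad blocker's code: a small auditor that lists the `$rewrite` rules in a filter list and classifies each replacement. The `rewrite=<value>` option syntax, the function names and all sample rules and hostnames are assumptions constructed for illustration.

```javascript
// Audit filter-list lines for rewrite options (added example).
// Assumption: options follow the last "$", are comma-separated, and the
// rewrite target is written as rewrite=<url>. All sample rules are constructed.
const BASE = "https://site.example/dir/page.js"; // hypothetical request URL

// Split a line into pattern and options; null for comments, headers,
// element-hiding rules and lines without options.
function parseFilter(line) {
  const text = line.trim();
  if (!text || text.startsWith("!") || text.startsWith("[") || /#[@?$]?#/.test(text)) return null;
  const idx = text.lastIndexOf("$");
  if (idx <= 0) return null;
  return { pattern: text.slice(0, idx), options: text.slice(idx + 1).split(",").map(o => o.trim()) };
}

// The replacement must be relative (no scheme, no hostname) and must still
// resolve inside the origin of the request it replaces.
function checkRewriteTarget(target, requestUrl = BASE) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(target)) return "absolute-url";
  if (/^[\\/]{2}/.test(target)) return "protocol-relative";
  let resolved;
  try { resolved = new URL(target, requestUrl); } catch { return "unparseable"; }
  return resolved.origin === new URL(requestUrl).origin ? "same-origin" : "cross-origin";
}

// One finding per rule that carries a rewrite option.
function auditFilterList(textBlob) {
  const findings = [];
  textBlob.split(/\r?\n/).forEach((line, i) => {
    const parsed = parseFilter(line);
    if (!parsed) return;
    const opt = parsed.options.find(o => o.toLowerCase().startsWith("rewrite="));
    if (!opt) return;
    const target = opt.slice("rewrite=".length);
    const domainScoped = parsed.options.some(o => o.toLowerCase().startsWith("domain="));
    findings.push({ line: i + 1, pattern: parsed.pattern, target, verdict: checkRewriteTarget(target), domainScoped });
  });
  return findings;
}

// Constructed sample list (not taken from any real subscription).
const SAMPLE_LIST = [
  "! constructed sample",
  "||ads.example^$script",
  "site.example##.banner",
  "||site.example/ad.js$script,rewrite=/blank.js,domain=site.example",
  "||site.example/track$rewrite=//other.example/x.js",
  "||site.example/pixel$rewrite=https://other.example/p.gif",
].join("\n");
console.log(auditFilterList(SAMPLE_LIST));
```

Resolving the target against the request URL, rather than only pattern-matching its prefix, also catches values that a URL parser normalizes into another host.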
 

Andy Ful

Many web browser extensions = many vulnerabilities. Every extension can be exploited and there is no anti-exploit feature for extensions in web browsers. This should be taken into account by the users who install 10 extensions to enhance security. :giggle:
 

Gandalf_The_Grey

Andy Ful said:
Many web browser extensions = many vulnerabilities. Every extension can be exploited and there is no anti-exploit feature for extensions in web browsers. This should be taken into account by the users who install 10 extensions to enhance security. :giggle:

Correct, but what do you suggest when using HC and Windows Defender?
I have added an adblocker, AdGuard (extension), and Emsisoft Browser Security to all used browsers.
 

Windows_Security

Bleeping Computers said:
The $rewrite rule allows you to replace a web request that matches a particular regular expression with another URL. The only caveat is that the replacement string must be a relative URL, which means it does not contain a hostname, and when rewritten must be in the same origin domain as the original request.

In the seventies there was a popular kids' program in the Netherlands called the Fairy Tale's Newspaper; at the end a wise owl told the kids to go to sleep without fear for the night.
 

Burrito

Windows_Security said:
In the seventies there was a popular kids' program in the Netherlands called the Fairy Tale's Newspaper; at the end a wise owl told the kids to go to sleep without fear for the night.

Yeah, but Windows_Security.... if you look closely, the wise old owl 'kept one eye open.' He didn't sleep soundly, blinking one eye open to look for danger.

Even though it's unlikely... that code would be rewritten in the same origin domain as the original request... maybe the owl is still telling all AdBlock Plus users to sleep with one eye open.

Maybe. :LOL:

--------
Edit:
Since English expressions are not universally known, here is the explanation for "Sleeping with one eye open."
sleep with one eye open
 