uBlock, I exfiltrate: exploiting ad blockers with CSS
<blockquote data-quote="ForgottenSeer 92963" data-source="post: 967353"><p><strong>Privacy Badger</strong></p><p>This extension might have the same vulnerabilities, but that is very unlikely because Privacy Badger</p><ol> <li data-xf-list-type="ol">Only seems to have two types of rules (blocking requests or cookies only, same two options as Edge Anti-tracking has), it does not seem to have the powerful CSS and CSP rules</li> <li data-xf-list-type="ol">Only uses built-in lists (exploitation of uBO weakness was only possible by adding a custom blocklist in which the powerful CSS rules were used)</li> </ol><p>So I think you should be fine.</p><p><strong>Tip for uBlock Origin users</strong></p><p>Only use filters which are maintained by well-known trusted parties (e.g. EasyList, AdGuard, Fanboy) or use simple static syntax only (Peter Low, Squidblacklist, <a href="https://github.com/Kees1958/W3C_annual_most_used_survey_blocklist" target="_blank">Kees1958</a>). On top of this best practice, GorHill suggested a very old solution. Disable cosmetic filtering in settings and enable cosmetic filtering only for the websites you visit often. With this trick you will hit two birds with one stone: not only do you limit the options to misuse powerful cosmetic filtering (CSS) rules, but you also use less resources (CPU time) by selectively enabling cosmetic filtering.</p><p>When you want to play it safe you could also add a disable content security policy injection rule for all websites (in My Filters tab): <a href="https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#csp" target="_blank">@@||*$csp</a></p><p>("...exception filter with empty csp option will disable all csp injections for matching page..."). I don't like my adblocker to inject JavaScript or mess with content security policies. You may call me paranoid, but it does not make sense to add Code Integrity Guard and AppContainer (extra) protections to Edge and on the other hand use an extension which punches a hole in these defenses. I fully understand @oldschool's second thoughts on this.</p></blockquote>
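One way to check the "simple static syntax only" tip before subscribing to a custom list, as an added example that is not part of the original post and not uBlock Origin's own code: a small Python audit that flags every rule going beyond plain request blocking. The names `classify` and `audit` and the sample list are constructed for illustration, and the matching is a heuristic on the rule markers (`##`, `#@#`, `#?#`, `:style(`, `##+js(`, `##^`, `$csp`), not uBO's real parser.

```python
import re

# Constructed sample list for illustration (not taken from any real blocklist).
SAMPLE_LIST = """\
! Title: constructed sample
||ads.example.com^
||tracker.example.net^$third-party
example.org##.banner
example.org##.sidebar:style(display: none !important)
example.org##+js(set-constant, foo, true)
||example.org^$csp=script-src 'self'
@@||*$csp
127.0.0.1 telemetry.example.com
"""

# Order matters: the most specific markers are tested first.
CHECKS = [
    ("scriptlet", re.compile(r"#@?#\+js\(")),          # ##+js(...) injects a script
    ("style-injection", re.compile(r"#@?#.*:style\(")),  # injects arbitrary CSS
    ("html-filter", re.compile(r"#@?#\^")),            # rewrites the response body
    ("cosmetic", re.compile(r"#@?\??#")),              # ##, #@#, #?# element rules
    ("csp", re.compile(r"\$(?:.*,)?csp(?:=|,|$)")),    # injects a CSP header
]

def classify(line):
    """Return 'skip', 'static', 'csp-exception' or the powerful rule type found."""
    line = line.strip()
    # Blank lines, list comments/headers and hosts-file comments carry no rule.
    if not line or line.startswith(("!", "[")) or re.match(r"#(\s|$)", line):
        return "skip"
    for kind, pattern in CHECKS:
        if pattern.search(line):
            # "@@...$csp" is the exception from the post: it disables injection.
            if kind == "csp" and line.startswith("@@"):
                return "csp-exception"
            return kind
    return "static"

def audit(text):
    """Return (line_no, kind, rule) for each rule beyond plain static blocking."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        kind = classify(raw)
        if kind not in ("skip", "static", "csp-exception"):
            findings.append((no, kind, raw.strip()))
    return findings

if __name__ == "__main__":
    for no, kind, rule in audit(SAMPLE_LIST):
        print(f"line {no}: {kind}: {rule}")
```

A list that produces no findings uses only request-blocking and hosts-style entries; any finding is a rule to read by hand before trusting the list.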