uBlock, I exfiltrate: exploiting ad blockers with CSS
<blockquote data-quote="ForgottenSeer 92963" data-source="post: 967535">
<p>@Jan Willy</p>
<p>This is a test page to promote the author's own extension. The test just fetches and imports first- and third-party style sheets with the vulnerability, and when the image appears your browser allowed it. So the test page has nothing to do with the vulnerability Tavis Ormandy (of Google) and Gareth Heyes</p>
<p><strong><span style="font-size: 15px">Short answer: no, it is not enough</span></strong></p>
<p><strong><span style="font-size: 15px">Long answer</span></strong></p>
<p>Imagine a three-staged attack. Stage 1: hide code in an adblock filter list. Stage 2: pull in the malicious code which does all the bad things. Stage 3: execute the code. Let me help to explain by quoting parts of the article.</p>
<p><strong>Stage 1</strong></p>
<p>Because of the ongoing struggle between advertising publishers and adblockers, the advertising links are randomized and obfuscated everywhere in and on a website. To match these advertising tactics, adblockers need to dig deeper into a webpage and offer more powerful means to block advertisements.</p>
<p>To prevent misuse of these powers, the adblockers put constraints and limitations on what input they accept. Because this is complex, not all combinations and input situations are tested, so an unforeseen combination of inputs might slip through the adblocker's rule sanitizing mechanism.</p>
<p>The most important thing to remember: the larger a community-sourced blocklist is and the more people contribute to this list, the harder it is to test all rules to prevent someone adding rules to find holes in the input check of an adblocker. It is even better when a more closed group of trusted people write the rules, like Brave and AdGuard, who have their own versions of community-sourced lists (EasyList).</p>
<p><strong>This is the rationale behind my advice to use the blocklist of AdGuard instead of EasyList (reduce source risk).</strong></p>
<p><strong>This is the rationale behind my advice to disable cosmetic filters system-wide and enable it only on the websites you often visit (reduce target risk).</strong></p>
<p><strong>Stage 2</strong></p>
<p>An external font file also contains data which can be used to import code. There are many ways to import code, as shown by this reply of GorHill:</p>
<p>[Attachment 262636: screenshot of GorHill's reply, "Many ways to import code"]</p>
<p>Because Gareth used an external font file, blocking external fonts helps to close one door. This is the reason why GorHill offers to block fonts in the popup screen. It helps to block third-party fonts, but most websites use third-party fonts, so this also could prevent websites from displaying stuff correctly. Websites can set with Content Security Policies from which websites third-party content is allowed to be used. Well-developed websites use this to reduce the attack surface (only allow stuff from trusted parties to minimize breaches).</p>
<p><strong>This is the rationale behind my advice to remove all Content Security Policies set in any filter (with the My Filter rule: @@||*$CSP).</strong> It does not make a badly secured website stronger, but it prevents an attacker from changing a website's content security policies by sneaking a CSP modifier into a static filter to make the security of that website weaker.</p>
<p><strong>Stage 3</strong></p>
<p>After malicious code is imported, it has to be executed. One of the most abused JavaScript commands is EVAL, which executes dynamically pulled-in code. <strong>This is the rationale to block eval with the *##+js(noeval) rule.</strong> This enforcement could potentially break a website, but I would not visit a website which relies on dynamically executing code from other sources.</p>
<p><strong>Sum up</strong></p>
<p>None of the above advice completely rules out misuse of an adblocker's powerful website manipulation capabilities (at least until Manifest V3 is implemented), but they make it harder to craft a staged misuse of errors in the internal 'rules checker' of an adblocker.</p>
</blockquote>
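As an added example that is not part of the original post and not uBlock Origin's or AdGuard's own code: the post's "source risk" advice amounts to reviewing what a filter list is allowed to do before trusting it. The Python audit below reads a filter list and flags the rule kinds the post talks about: network rules carrying a `$csp=` modifier (which rewrite a site's Content Security Policy), CSP exception rules such as the post's `@@||*$csp`, and `##+js(...)` scriptlet injections (the post's `noeval` rule is one of these). It assumes a simplified subset of the uBlock/AdGuard filter syntax (options after the last `$`, cosmetic rules split on `##`) and runs over a constructed sample list, not a real published one.

```python
"""Audit an adblock filter list for rules that carry extra capabilities.

Simplified uBlock/AdGuard filter syntax is assumed (not the real parser):
  - comment lines start with '!' or '[';
  - cosmetic rules contain '##', scriptlet injections are '##+js(name, ...)';
  - network rule options follow the last '$', separated by commas;
  - '@@' prefixes an exception rule.
"""
import re
from dataclasses import dataclass

# Constructed sample list for this example; it is not a real filter list.
SAMPLE_LIST = """\
! Title: constructed sample list
||ads.example.com^
example.com##.sidebar-ad
||example.com^$csp=script-src 'self'
@@||*$csp
example.net##+js(noeval)
example.org##+js(set, window.foo, true)
"""

SCRIPTLET_RE = re.compile(r"##\+js\(([^,)]*)")


@dataclass
class Finding:
    line_no: int
    rule: str
    kind: str        # network | cosmetic | scriptlet | csp-modifier | csp-exception
    detail: str = ""  # scriptlet name or CSP directive, where applicable


def classify(rule: str):
    """Return (kind, detail) for one filter rule under the simplified syntax."""
    if "##" in rule:
        match = SCRIPTLET_RE.search(rule)
        if match:
            return "scriptlet", match.group(1).strip()
        return "cosmetic", ""
    # Network rule: options (if any) follow the last '$'.
    _, sep, options = rule.rpartition("$")
    opts = [o.strip() for o in options.split(",")] if sep else []
    is_exception = rule.startswith("@@")
    for opt in opts:
        lowered = opt.lower()
        if lowered == "csp" or lowered.startswith("csp="):
            if is_exception:
                # e.g. '@@||*$csp': disables CSP injection for matching requests
                return "csp-exception", opt
            return "csp-modifier", opt[len("csp="):]
    return "network", ""


def audit(text: str):
    """Classify every non-comment rule in a filter list, in file order."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        rule = raw.strip()
        if not rule or rule[0] in "![":
            continue
        kind, detail = classify(rule)
        findings.append(Finding(line_no, rule, kind, detail))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick overview of a list's capabilities."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def needs_review(findings):
    """Rules that change page security policy or inject script: review these."""
    return [f for f in findings if f.kind in ("csp-modifier", "scriptlet")]


if __name__ == "__main__":
    results = audit(SAMPLE_LIST)
    print(summarize(results))
    for f in needs_review(results):
        print(f"line {f.line_no}: {f.kind:12} {f.detail!r:24} {f.rule}")
```

Run against a list you are about to subscribe to, the output tells you how many rules could rewrite a site's CSP or inject script, and which ones; on a list that should only block requests and hide elements, any non-empty `needs_review` result is worth a look before enabling it.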