
AdBlock Vulnerability Paves Way to Arbitrary Code Execution

By Bill Toulas / April 16, 2019

Security researcher Armin Sebastian has discovered a security flaw in the filtering system of AdBlock, the popular ad-blocking browser add-on. Because AdBlock, AdBlock Plus, and uBlock share a common technical infrastructure, all three can be considered equally vulnerable. The flaw was introduced in 2018, when AdBlock Plus version 3.2 brought a new filter option that allows rewriting requests. While this feature was meant to let filter list authors use request redirection to stop ads that couldn’t be blocked before, it also opened the door to new exploitation possibilities which, according to the researcher, are pretty trivial.

The “rewrite” filter option can help with the exploitation of any web service, by using XMLHttpRequest or Fetch to download malicious code snippets from an origin that is outside the defined one. This can lead to arbitrary code execution, which is the main point of the exploitation. To make matters worse, the attack can potentially be made hard to detect, as the malicious filter list can be set to expire within a very short period of time and be replaced by a benign list. As the researcher points out, three criteria must be met for a web service to be exploitable:

  1. The page must load a JS string using XMLHttpRequest or Fetch and execute the returned code.
  2. The page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code.
  3. The origin of the fetched code must have a server-side open redirect, or it must host arbitrary user content.
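Criterion 2 is the one a page owner controls in code. As an added example (not from the article or the researcher's write-up), this JavaScript checks the final response URL before any fetched code is executed; the hostnames, the allowlist and the function names are constructed for illustration.

```javascript
"use strict";

// Assumed policy: the exact script URLs this page is willing to execute.
// The hostname and path are constructed sample values.
const ALLOWED_SCRIPTS = new Set([
  "https://static.example.com/app/widget.js",
]);

// Decide whether a response may be executed, based on the URL the request
// actually ended at (Response.url, or XMLHttpRequest.responseURL).
function checkFinalUrl(requestedUrl, finalUrl) {
  let requested, final;
  try {
    requested = new URL(requestedUrl);
    final = new URL(finalUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable-url" };
  }
  if (final.protocol !== "https:") {
    return { ok: false, reason: "not-https" };
  }
  // An open redirect on the trusted origin ends at a different origin.
  if (final.origin !== requested.origin) {
    return { ok: false, reason: "cross-origin-redirect" };
  }
  // User-hosted content on the trusted origin ends at an unexpected path.
  const canonical = final.origin + final.pathname + final.search;
  if (!ALLOWED_SCRIPTS.has(canonical)) {
    return { ok: false, reason: "not-allowlisted" };
  }
  return { ok: true, reason: "allowlisted" };
}

// Fetch wrapper: returns the code text only when the final URL passes the
// check. fetchImpl is injectable so the wrapper can be exercised offline.
async function fetchCodeChecked(url, fetchImpl = fetch) {
  const res = await fetchImpl(url, { redirect: "follow" });
  const verdict = checkFinalUrl(url, res.url);
  if (!verdict.ok) {
    throw new Error("refusing to execute fetched code: " + verdict.reason);
  }
  if (!res.ok) {
    throw new Error("refusing to execute fetched code: HTTP " + res.status);
  }
  return res.text();
}
```

A Content Security Policy `connect-src` directive limited to the same trusted origin covers the other half of criterion 2 at the browser level.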

Gmail, Google Images, and even Google Maps are among the web services that meet the exploitation conditions, and given the large number of people who use the AdBlock and AdBlock Plus add-ons, the attack potential can be considered enormous. To mitigate the risk, the researcher suggests eliminating server-side open redirects, which would remove one key criterion. So far, there have been no known cases of exploitation, and according to a post on the AdBlock Plus blog, the risk is actually very low. They are currently evaluating possible fixes to the flaw, with restricting all filter lists to HTTPS being one of the most probable remedies right now. Whatever the case, stay tuned, and apply any updates to your plugin immediately.

Are you using an ad-blocking plugin in your browser? Are you comfortable with trading security for browsing comfort? Share your thoughts in the comments section below, and help us spread the word by sharing this post through our socials, on Facebook and Twitter.


