back to article Just a little FYI: Filtering doodad in Adblock Plus opens door to third-party malware injection

A feature introduced last year in Adblock Plus and a few other related content blocking browser extensions allows providers of filtering lists, under certain conditions, to execute arbitrary code on web pages. Adblock Plus v3.2 for Chrome, Firefox and Opera, released in July 2018, includes support for the $rewrite filter …

  1. BugabooSue
    Facepalm

    Wow....

    ...never saw that coming. ffs

  2. steelpillow Silver badge

    default filter lists

    Glad I don't mess around with untrusted filter list providers. Does anybody?

    1. brotherelf

      Re: default filter lists

      Yeah, until the maintainer gets an actual job and family that take time, and somebody else steps up to take over maintenance. Remember, it happened to respectable npm modules and WP plugins, too, there is zero reason to believe it wouldn't happen to filter list maintainers.

      (And FWIW, isn't it "works as advertised"? You allow an add-on to frobnicate the source code of any and all web pages you visit, of course it can do pretty much anything with that and use covert channels to exfiltrate data.)

      1. Symon Silver badge
        Devil

        Re: default filter lists

        Bad men <-> pfSense w/ pfblockerNG <-> pi-hole <-> browser with ublock origin

        I'm hoping that all three don't fail at once...

        p.s. They really are out to get you.

      2. phuzz Silver badge
        WTF?

        Re: default filter lists

        Can an adblocker "work as advertised"?

        Surely if it's working then adverts are blocked, so it can't be advertised, which means it's not working as advertised....

        1. fidodogbreath Silver badge

          Re: default filter lists

          They could run an ad that says "Download AdBlock uOrigin Plus to block this ad."

          If they really want to drum up business, they could include an autoplay video and a script to turn the mouse cursor into sparkly stars.

      3. Claptrap314 Bronze badge

        Re: default filter lists

        Or the maintainer gets the attention of organized crime / a nations state actor.

        Just sayin'.

  3. Neil Barnes Silver badge
    Holmes

    asked Google to confirm that it doesn't see this as a Chrome security problem

    Well, it's a security issue - but I can't see anyone at Google doing anything more than 'oh noes, the adblocker has a flaw, perhaps people will stop using it?'

  4. mark l 2 Silver badge

    This article makes it difficult to understand whether this is only an issue with Adblock when installed on Chrome or whether other browsers using Adblock also have this issue. IE Firefox?

    1. MiguelC Silver badge

      RTFA?

      As per the article (second paragraph, you wouldn't even need to read half of it):

      "Adblock Plus v3.2 for Chrome, Firefox and Opera, released in July 2018, includes support for the $rewrite filter option, which can alter filter rules governing whether or not content gets blocked. "

      So Firefox is affected, IE not so (no support for the $rewrite function?)

      1. Law

        Re: RTFA?

        "So Firefox is affected, IE not so (no support for the $rewrite function?)"

        Well good news is the new chredge (Edge branded chromium+ms services) will support Chrome extensions, so we'll have the benefit of potentially nasty plugin flaws with Microsoft OS integration to boot... Yey! :)

        Wonder if Ghostery suffers from similar issues... Anybody know?

      2. fidodogbreath Silver badge

        Re: RTFA?

        IE not so (no support for the $rewrite function?)

        Probably just no one bothered to look.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019