Ad blockers could be exposing you to hackers with this exploit

An exploit in the filter systems key to the inner workings of Adblock, Adblock Plus and uBlock could be used to inject code into web pages that could pinch your credentials, tamper with sessions or even redirect pages.

This is bad news for users, and security researcher Armin Sebastian — who found the vulnerability — suggests that as many as 100m monthly active users could be at risk if anyone were to take advantage of the exploit, which Sebastian highlights as “trivial.”

Filter lists are a core part of adblock software, because they allow ad blockers to keep a list of malicious, suspicious or ad-heavy URLs. Installing an ad blocker lets these filter lists do the driving, as the software uses the lists to block certain content from loading up.

The filter option was introduced with the release of Adblock Plus 3.2 back in July 2018, and was then rolled out to Adblock and the Adblock-owned uBlock.

This is all well and good. However, the $rewrite filter option that was introduced late last year is used by several ad blockers to remove tracking data and prevent websites from trying to get around the ad block software.

It appears, though, that arbitrary code can sometimes be injected when domains load JS strings using XMLHttpRequest or when they use Fetch to download code snippets for execution. The exploit needs both of these things, and also that “The origin of the fetched code must have a server-side open redirect or it must host arbitrary user content.”

To show an example of this, Sebastian suggests a way to use Google Maps to action the exploit. When he reported this exploit to Google, Google explained it was intended behaviour, and that the behaviour is the fault of the ad blocking software.

“The feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers,” says Sebastian in a blog post detailing the flaw.

He advises that the ad blocking outfits drop support for the $rewrite function, but in the meantime he suggests users mitigate the risk to themselves by using uBlock Origin, which doesn’t contain the $rewrite function.
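For anyone who wants to check which rules in a subscribed filter list actually use the option, the following is an added example, not code from the article, the researcher or any ad blocker project. It parses a simplified subset of Adblock Plus filter syntax and reports every network rule carrying `rewrite`; the function names and the sample list are constructed for illustration.

```python
import re

# Simplified subset of Adblock Plus filter syntax (assumption of this example):
# options are the trailing "$name[=value],..." part of a network filter.
_OPTIONS = re.compile(r"\$(~?[\w-]+(?:=[^,\s]*)?(?:,~?[\w-]+(?:=[^,\s]*)?)*)$")
# Element-hiding and snippet rules use these separators and carry no options.
_COSMETIC = re.compile(r"#[@?$]?#")

# Constructed sample list, not taken from any real subscription.
SAMPLE_LIST = """[Adblock Plus 2.0]
! Title: constructed sample
||ads.example.net^$third-party
example.com##.banner
||cdn.example.com/track.js$rewrite=/blank.js,domain=example.com
/track[0-9]+$/$xmlhttprequest,rewrite=/static/empty.json
||example.org/rewrite=1
"""

def parse_options(rule):
    """Return {option: value} for a network filter, or None if it has no options."""
    rule = rule.strip()
    if not rule or rule[0] in "![" or _COSMETIC.search(rule):
        return None  # blank line, comment, list header or cosmetic rule
    match = _OPTIONS.search(rule)
    if not match:
        return None
    options = {}
    for item in match.group(1).split(","):
        name, _, value = item.partition("=")
        options[name.lower()] = value
    return options

def find_rewrite_rules(filter_text):
    """List every rule that uses the rewrite option, with its scope."""
    findings = []
    for lineno, line in enumerate(filter_text.splitlines(), 1):
        options = parse_options(line)
        if not options or "rewrite" not in options:
            continue
        findings.append({
            "line": lineno,
            "rule": line.strip(),
            "rewrite_to": options["rewrite"],
            "domains": [d for d in options.get("domain", "").split("|") if d],
            "types": sorted(k for k in options if k not in ("rewrite", "domain")),
        })
    return findings

if __name__ == "__main__":
    for f in find_rewrite_rules(SAMPLE_LIST):
        print(f"line {f['line']}: rewrites to {f['rewrite_to']!r} "
              f"(domains={f['domains'] or 'any'}, types={f['types'] or 'any'}): {f['rule']}")
```

A rule with an empty `domains` list applies on every site, so those findings deserve the closest review.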