# Adblock(Plus), uBlock Filters Can Be Exploited to Run Malicious Code



## P4-630 (Apr 16, 2019)

An exploit has been discovered that could allow ad blocking filter list maintainers for the Adblock Plus,
AdBlock, uBlock and uBlocker browser extensions to create filters that inject remote scripts into web sites.
With ad blockers having a a user base of over 10 million installs, if malicious scripts were injected it would have a huge impact as they could perform unwanted activity such as stealing cookies,
login credentials, causing page redirects, or other unwanted behavior.

https://www.bleepingcomputer.com/ne...lters-can-be-exploited-to-run-malicious-code/

UBlock Origin seems unaffected as it doesn't use the $rewrite-function.
https://tweakers.net/nieuws/151612/...rs-zijn-te-misbruiken-voor-code-injectie.html


----------



## Vayra86 (Apr 16, 2019)

Another reason to get Ublock Origin, its not like the alternatives were that great to begin with.


----------



## FreedomEclipse (Apr 16, 2019)

good thing i switched to Ublock Origin a long time ago. I made the switch when adblock started taking payments to allow ads from certain companies or on certain websites -- Nope. I use an adblocker to block ads not carry on allowing them to pop up.


----------



## SoNic67 (Apr 16, 2019)

I recommend using a Pi to run the home DNS server "PiHole". It can use the Ublock Origin lists and many others.


----------



## Vayra86 (Apr 16, 2019)

FreedomEclipse said:


> good thing i switched to Ublock Origin a long time ago. I made the switch when adblock started taking payments to allow ads from certain companies or on certain websites -- Nope. I use an adblocker to block ads not carry on allowing them to pop up.



Yeah that sealed the deal for me too, I used to have ABP until they announced that. Its so fundamentally wrong for an adblocker to start accepting payments to filter certain things and allow others.


----------



## Khonjel (Apr 16, 2019)

Seriously the guy developing uBlock Origin is awesome. Presence is almost every browser out there and he/she doesn't even take a dime. He doesn't even wanna take donation so as to not get attached to what he considers a hobby. I'm gonna be sad the day he abandons it


----------



## taz420nj (Apr 19, 2019)

SoNic67 said:


> I recommend using a Pi to run the home DNS server "PiHole". It can use the Ublock Origin lists and many others.


It uses some of the same domain lists, but PiHole and uBO are two entirely different animals that complement each other.  Most of uBO's lists by their nature do not work in PiHole.   PiHole is a DNS blocker that can only block whole domains, while uBO is an element blocker - it can block certain elements from a particular domain while allowing others.  This is why uBO can block for example inline ads on Youtube while PiHole can not.


----------



## lexluthermiester (Apr 19, 2019)

P4-630 said:


> https://www.bleepingcomputer.com/ne...lters-can-be-exploited-to-run-malicious-code/


I believe that's been patched. The makers of AdBlock were informed before public disclosure to give them run-up time to fix it.



Khonjel said:


> I'm gonna be sad the day he abandons it


They'll open source it first.


----------



## Robotics (Apr 20, 2019)

So another reason to use Brave.


----------



## ZeDestructor (Apr 20, 2019)

lexluthermiester said:


> They'll open source it first.



It's already open-source (GPLv3-licensed too) and there's at least one guy with relatively sizeable contributions:

https://github.com/gorhill/uBlock/ (don't mind the repo name, this is the proper uBlock Origin repo and completely unaffiliated with uBlock)


----------



## dj-electric (Apr 20, 2019)

Imagine if there was a browser, that was like incredibly fast, free and has a built in blocker for ads and tracking.
Imagine if the founder of Mozilla would make such thing and call it like "brave" or something, and using it will make Chrome and FF look like a joke


----------



## Robotics (Apr 20, 2019)

dj-electric said:


> Imagine if there was a browser, that was like incredibly fast, free and has a built in blocker for ads and tracking.
> Imagine if the founder of Mozilla would make such thing and call it like "brave" or something, and using it will make Chrome and FF look like a joke


Not the same. One of them has a 3. party and  the other has already built in its own engine source when it was established.


----------



## lexluthermiester (Apr 20, 2019)

ZeDestructor said:


> It's already open-source (GPLv3-licensed too) and there's at least one guy with relatively sizeable contributions:
> 
> https://github.com/gorhill/uBlock/ (don't mind the repo name, this is the proper uBlock Origin repo and completely unaffiliated with uBlock)


Fair enough. Wondered about that but wasn't sure.


----------



## Eskimonster (Apr 20, 2019)

THX, changed to ublock.


----------



## Final_Fighter (Apr 20, 2019)

nice catch, thanks for the heads up!


----------



## vega22 (Apr 20, 2019)

Any plugin you use with your browser could be exploited....


----------



## lexluthermiester (Apr 20, 2019)

vega22 said:


> Any plugin you use with your browser could be exploited....


Not easily. This has to do with the way plugin are run by the browser.


----------



## vega22 (Apr 21, 2019)

lexluthermiester said:


> Not easily. This has to do with the way plugin are run by the browser.



If you wanted to create it to leave a backdoor, it's easy.

You need to be weary of all plugins you use. People can just be too trusting of software devs.


----------



## lexluthermiester (Apr 21, 2019)

vega22 said:


> If you wanted to create it to leave a backdoor, it's easy.


While that is true, the plugin vulnerability would soon be discovered and removed. Additionally, it is a serious crime in most countries to deliberately engineer such a backdoor into software.


----------



## vega22 (Apr 21, 2019)

Go talk to Intel about that.

Or belkin, or a whole host of other companies that left exploits open for the alphabet agencies dude.

Not hard to deny it, even harder to prove it was deliberately put in place :/


----------



## ZeDestructor (Apr 24, 2019)

vega22 said:


> Go talk to Intel about that.
> 
> Or belkin, or a whole host of other companies that left exploits open for the alphabet agencies dude.
> 
> Not hard to deny it, even harder to prove it was deliberately put in place :/



Why deliberately engineer a backdoor in when it's easier to just find one in there from careless devs? People exploit vulns perfectly well enough without needing to spend lots of time and effort crafting malicious code that need to go through code review, fuzzing and a whole host of security-related layers, and reveal specific sources.


----------



## Vayra86 (Apr 24, 2019)

ZeDestructor said:


> Why deliberately engineer a backdoor in when it's easier to just find one in there from careless devs? People exploit vulns perfectly well enough without needing to spend lots of time and effort crafting malicious code that need to go through code review, fuzzing and a whole host of security-related layers, and reveal specific sources.



This is actually usually how it goes. Backdoors aren't built, they're just left open and the key is passed on to someone who knows how to keep a secret. Everybody happy and none the wiser... until it comes out.


----------



## ZeDestructor (Apr 24, 2019)

Vayra86 said:


> This is actually usually how it goes. Backdoors aren't built, they're just left open and the key is passed on to someone who knows how to keep a secret. Everybody happy and none the wiser... until it comes out.



And that's why we like open-source software and tools like fuzzers and so on: it lets us find and fix those vulns faster and easier. Usually, anyways...

Overall the NSA, CIA and friends' intrusion teams (seem to) work independently from the defensive teams and the more conscientious parts of the industry and tell nothing. The defensive side, on the other hand do their damnedest to get info to devs for fixes to come out ASAP...  to varying degrees of success depending on the vendor.


----------



## SoNic67 (Apr 24, 2019)

Usually a junior dev can afford to work for free.
But after a while live gets in the way and he needs to work to pay bills. At that point, if is good, is recruited by any of the "evil" companies.
So all in all the open software people are not better than the "other" people, because... they evolve in them. That's life.


----------



## R-T-B (Apr 24, 2019)

lexluthermiester said:


> Additionally, it is a serious crime in most countries to deliberately engineer such a backdoor into software.



Actually, I'm unaware of any actual laws against it, provided such backdoor was not made with malicious intent.



SoNic67 said:


> So all in all the open software people are not better than the "other" people, because... they evolve in them. That's life.



Tell that to Stallman & Linus.  I think they must've missed your memo.



SoNic67 said:


> At that point, if is good, is recruited by any of the "evil" companies.



Also kinda false because you HAVE to be good to get an open source project of any scale to accept a commit.  They are generally C, which is a helluva language, and have submission standards that make my eyes water today.



Vayra86 said:


> Backdoors aren't built,



A "backdoor" is by definition, an intentionally engineered back entrance.  They aren't just bugs.  So of course they are intentional, what might be unintentional is leaving them in the final retail build...


----------



## lexluthermiester (Apr 24, 2019)

R-T-B said:


> Actually, I'm unaware of any actual laws against it, provided such backdoor was not made with malicious intent.


They exist and not just in the USA.


----------



## johnspack (Apr 25, 2019)

Ublock Origin,  was there ever any other question?  It works on many browsers,  and under both windows and linux.  As a linux firefox user,  I find it to be a godsend!  Just pick Origin,  and no issues....


----------



## R-T-B (Apr 25, 2019)

lexluthermiester said:


> They exist and not just in the USA.



If they exist they are largely unenforced.  Any citations on this?  Belkin was caught doing exactly that.  Heck, several software products have in the past too.  No consequences or charges that I know of.

I feel like you are thinking of one of those generic "unauthorized access to a system" protection laws, but they need not apply to manufacturers because these backdoors are often "intended for maintenance," and thus, considered an authorized use as per the products EULA.


----------



## lexluthermiester (Apr 25, 2019)

R-T-B said:


> If they exist they are largely unenforced.


Oh rubbish, they are enforced.


R-T-B said:


> Any citations on this?


https://www.law.cornell.edu/uscode/text/18/1030#a_4


R-T-B said:


> but they need not apply to manufacturers


Oh, but they do.


R-T-B said:


> considered an authorized use as per the products EULA.


No, it isn't. It is a crime and and has been prosecuted successfully numerous times.


----------



## Space Lynx (Apr 25, 2019)

Been using ublock origin for many years now, this article is making me yawn, I don't have time for scrubs who still use adblock


----------



## R-T-B (Apr 25, 2019)

lexluthermiester said:


> Oh rubbish, they are enforced.
> 
> https://www.law.cornell.edu/uscode/text/18/1030#a_4
> 
> ...



Where's the case againt belkin then?

Your link mentions "intent" countless times in nearly every clause, reinforcing my point that factory backdoors unintended for public disclosure are protected.  What is not protected is actually exploiting them, but I mean, that's obvious.  Don't hack into systems bro.


----------



## lexluthermiester (Apr 26, 2019)

R-T-B said:


> reinforcing my point that factory backdoors unintended for public disclosure are protected.


However, if they are distributed to the public with deliberate intent to not remove said backdoor, it is a crime as such can be taken advantage of by bad-actors. The law prohibits distribution of any software to the public that has a discoverable entry point not actively disclosed to the public which can be used as an attack vector against said public. EULA's can not and do not protect against this type of action.


----------

