by Martin Brinkmann on April 16, 2019 in Internet – Last Update: April 16, 2019 – 11 comments
Most content blockers use and load filter lists that include instructions to block or change certain content on visited sites in the web browser by default; this is done to ensure that default configurations do block a good chunk of unwanted content right away.
Most extensions support custom lists and individual filters. Users may load custom lists in most extensions and add their own filters to the list as well.
Update: Eyeo GMHB announced today that it will remove the $rewrite function going forward. Expect a new release soon that removes if from the extension. End
Security researcher Armin Sebastian discovered an exploit in certain adblockers such as Adblock Plus that could be used to run malicious code on sites visited in the browser.
The exploit uses a filter option called $rewrite that Adblock Plus supports to inject arbitrary code in web pages. The $rewrite filter is used to replace code on sites by rewriting it. The filter option restricts the operation; it is designed to load content only from the first-party source and not third-party sites or servers, and some requests, e.g. script or object, are not permitted either.
Sebastian discovered a vulnerability in $rewrite that attackers may exploit to load content from remote locations. The conditions that need to be met are:
- A JavaScript string needs to be loaded using XMLHttpRequest or Fetch, and the return code must be executed.
- Origins cannot be restricted on the page, e.g. by using Content Security Policy directives, and the final request URL cannot be validated before execution.
- The origin of the code must have a server-side open redirect, or must host arbitrary user content.
Properties that match all three requirements include Google Maps, Gmail, or Google Images among others. A proof of concept was published on the author’s website and you may try it on Google Maps to verify that it works.
I tried the exploit in Chrome and Firefox, and could not get it to work. Lawrence Abrams over on Bleeping Computer managed to get it to work though.
Closing Words
The attack has another requirement, as it relies on filters. A manipulated filter needs to be added to the list of filters used by the content blocker. The two most common options include users adding filters manually to their content blockers, or that a manipulated filter is on a filter list that gets loaded.
The second option seems more likely, especially in cases were users load other lists in the extensions. It is not the first time that lists get manipulated but it does not happen very often.
The extension uBlock Origin is not affected by the issue as it does not support $rewrite.