REMOTE MALICIOUS SCRIPTS could be injected into web sites through an exploit in ad blockers such as Adblock, Adblock Plus and uBlocker.
Security researcher Armin Sebastian found that under specific circumstances, malicious script could be injected into a site through the use of a rogue ad blocker filter maintainer.
Ad blockers keep a list of URLs corresponding to adverts and dodgy behaviour that prevents the browser from loading the ads or potentially malicious scripts. These lists are normally fairly locked down and difficult to exploit due to the way they interact with web sites.
However, Sebastian found that if a site follows three criteria, then a malicious filter list could be used to inject malicious code into a site.
"The page must load a JS string using XMLHttpRequest or Fetch and execute the returned code," noted Sebastian. "The page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code.
"The origin of the fetched code must have a server-side open redirect or it must host arbitrary user content."
The exploit stems from the introduction of the "$rewrite" option that allows an ad block filter to decide whether to block a URL or redirect it; in the latter case, it might be faster to redirect than block at certain times. And the option can help ad blockers prevent web sites from using workarounds to get past the visitor's ad blocker.
But with the $rewrite option, a provider of a third-party ad block filter list that's used by an ad blocker tool could harness the exploit.
Though it seems like a pretty long-winded exploit, Sebastian said it is difficult to detect and works across all major browsers.
Sebastian also noted that when Google was alerted it noted the exploit was intended behaviour of such ad blocker lists.
"This is an unfortunate conclusion, because the exploit is composed of a set of browser extension and web service vulnerabilities that have been chained together," said Sebastian.
Such an exploit seems unlikely and Sebastian has yet to not any active attacks using it. Nevertheless, it exists and Sebastian has a mitigation for it.
"The exploit can be mitigated in the affected web services by whitelisting known origins using the connect-src CSP header, or by eliminating server-side open redirects," Sebastian said.
"Ad blocking extensions should consider dropping support for the $rewrite filter option. It's always possible to abuse the feature to some degree, even if only images or style sheets are allowed to be redirected.
"Users may also switch to uBlock Origin. It does not support the $rewrite filter option and it is not vulnerable to the described attack."
In some ways, Google's potential move to kill-off ad blockers in Chrome might not be a bad idea. µ
'Some of us like the misery'
That'll surely affect its credit score