Recently it was discovered that the popular ad blocker «Adblock Plus »has a vulnerability that allows organizing the execution of JavaScript code on the sites, in the case of using untested filters prepared by third parties with malicious intent (for example, by connecting third-party rule sets or by rule substitution during the MITM attack).
List authors with filter sets can organize the execution of their code in the context of sites accessible to the user adding rules with the operator »$ rewrite«, which allows to replace part of the URL.
How is this code execution possible?
The declaration of $ rewrite does not allow to replace the host in the url, but it provides the opportunity to freely manipulate the arguments of the request.
However code execution can be achieved. Some sites, such as Google Maps, Gmail, and Google Images, they use the technique of dynamically loading executable JavaScript blocks transmitted in the form of plain text.
If the server allows the redirection of requests, then it can be forwarded to another host by changing the parameters of the URL (for example, in the context of Google, a redirection can be done through the API »google.com/search« ).
In addition to hosts that allow redirection, you can also commit an attack against services that allow the location of user content (code hosting, article placement platform, etc.).
The method of Proposed attack only affects pages that dynamically load strings with JavaScript code (for example, via XMLHttpRequest or Fetch) and then run them.
Another major limitation is the need to use a redirect or place arbitrary data on the side of the origin server that provides the resource.
However, as a demonstration of the relevance of an attack, shows you how to organize your code execution by opening maps.google.com using a redirect via "google.com/search".
In fact, requests to use XMLHttpRequest or Fetch to download remote scripts to run will not fail when the $ rewrite option is used.
Also, the open redirect is just as important because it allows XMLHttpRequest to read the script from a remote site, even though it appears to be from the same source.
They are already working on solving the problem
The solution is still in preparation. The problem also affects AdBlock and uBlock blockers. The uBlock Origin Blocker is not susceptible to the problem as it does not support the »$ rewrite» operator.
At one point, the uBlock Origin author refused to add $ rewrite support, citing possible security issues and insufficient host-level restrictions (instead of rewriting, the querystrip option was proposed to clear query parameters in instead of replacing them).
It is our responsibility to protect our users.
Despite the very low actual risk, we decided to remove the $ rewrite option. Therefore, we will release an updated version of Adblock Plus as soon as technically possible.
We do this as a precaution. No attempt has been made to misuse the rewrite option and we will do our best to prevent this from happening.
This means that there is no threat to any Adblock Plus user.
The DAdblock Plus developers consider actual attacks unlikely, since all changes to the regular rule lists are reviewed and the connection of third-party lists is practiced by users very rarely.
Rule substitution via MITM removes the use of HTTPS by default to load regular block lists (for the remaining lists it is planned to ban HTTP download in a future release).
To block attacks on the sites side, CSP directives can be applied (Content Security Policy), through which you can explicitly identify the hosts from which external resources can be loaded.
Source: https://adblockplus.org, https://armin.dev