Multiple ad blocker filter lists can be exploited for code injection
It is possible to execute code through the filter lists of several popular ad blockers. The vulnerability affects AdBlock, Adblock Plus and uBlock. List authors can manipulate the lists to redirect websites to other domains in order to inject scripts.
The vulnerability is in the $rewrite function, which has been available in the filter lists of ad blockers since last year. It was discovered by security researcher Armin Sebastian, who published details of the vulnerability on his website. Sebastian did not report the vulnerability to the creators in advance “because of the nature and implications of the leak.” He points out that filter lists have been exploited in the past. uBlock Origin, another great ad blocker, does not use the feature in question.
The rewrite function can replace code on a website by writing over it. Normally this can only be done with code that comes from the same domain, but the researcher discovered that in some cases it is possible to inject code from other domains. This can be malicious code that is used, for example, to steal login details.
For this to work, the website itself must meet a number of conditions. For example, the page must load JavaScript via XMLHttpRequest or Fetch, and no Content Security Policy may be active. The researcher shows how he can do this via various Google websites such as Maps. The rule must also be added to a filter list used by the ad blockers. Those filter lists are controlled by the creators of the ad blockers.
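Because the attack depends on a rule being present in a subscribed filter list, anyone who mirrors or reviews such lists can audit them for rules that carry the rewrite option. The following is an added example, not code from the article, the researcher or any ad blocker project; the sample list, its hostnames and the function name `find_rewrite_rules` are constructed for illustration, and the option matching is a heuristic rather than the blockers' own parser.

```python
import re

# Match the rewrite and domain options inside a filter's "$opt,opt" suffix.
REWRITE_OPT = re.compile(r"[$,]rewrite=([^,]*)")
DOMAIN_OPT = re.compile(r"[$,]domain=([^,]*)")

# Constructed sample list; every hostname and path here is a placeholder.
SAMPLE_LIST = """\
[Adblock Plus 2.0]
! Title: constructed sample list
||ads.example.net^$script,third-party
example.org##.banner
/^https?:\\/\\/app\\.example\\.com\\/static\\/loader\\.js/$rewrite=/assets/alt.js,domain=app.example.com
||tracker.example.net/pixel.gif$image,rewrite=/blank.gif
@@||example.com/ads.js$script
"""

def find_rewrite_rules(list_text):
    """Return one finding per network filter that carries a rewrite option."""
    findings = []
    for lineno, raw in enumerate(list_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, the list header and comments.
        if not line or line.startswith(("!", "[")):
            continue
        # Skip element-hiding rules; they cannot carry request options.
        if "##" in line or "#@#" in line or "#?#" in line:
            continue
        match = REWRITE_OPT.search(line)
        if not match:
            continue
        dom = DOMAIN_OPT.search(line)
        findings.append({
            "line": lineno,
            "target": match.group(1),
            # An empty list means the rule is not restricted to any site.
            "domains": dom.group(1).split("|") if dom else [],
            "rule": line,
        })
    return findings

if __name__ == "__main__":
    for f in find_rewrite_rules(SAMPLE_LIST):
        scope = ", ".join(f["domains"]) or "ALL SITES"
        print(f"line {f['line']}: rewrite -> {f['target']!r} (applies on: {scope})")
```

Each finding is a candidate for manual review: the rewrite target and the sites the rule applies to are the two fields a reviewer needs before accepting a list update.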
Eyeo, the company behind Adblock Plus, says it is investigating the vulnerability and is working on a fix. According to the software maker, there is currently no evidence that the vulnerability has been exploited. “That’s an unlikely scenario. We check everyone who adds something to the filter lists, and we check those lists ourselves regularly.”