Adblock Plus and (a little) more

Details on the resolved Adblock Plus for Chrome security issue · 2011-08-17 12:55 by Wladimir Palant

Adblock Plus 1.1.4 for Google Chrome has been released today and fixes a minor security issue. This blog post provides some details.

Affected: Adblock Plus 1.1.3 for Google Chrome and below
Issue: Unsafe processing of website data might facilitate cross-site scripting attacks on websites.
Reporter: Nicholas Carlini (UC Berkeley)
Severity: Low

Attack scenario

The user needs to navigate to a website that embeds third-party content but doesn’t allow that third party to run JavaScript code in its context (either by sanitizing HTML code prior to displaying it or by displaying the third-party content in a frame that doesn’t have access to the main document). This third party can choose the ID attribute of its elements in such a way that, if an Adblock Plus user tries to select such an element for blocking, JavaScript code will be executed in the context of the main document (cross-site scripting).

“Historical” details

Adblock Plus inherited this flaw from the AdThwart project; it is the classic mistake of assigning website data to innerHTML without properly sanitizing it. The issue didn’t go unnoticed after the project handover, but it was deemed not security relevant because it appeared that it would not allow the website to do anything it couldn’t already do. Given that the surrounding code suffers from a number of other issues, this bug was left to be fixed in a general rewrite that hasn’t happened yet.
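The bug class described above, as an added illustration that is not Adblock Plus or AdThwart code: a constructed element ID (a value the website, or a third party embedded in it, controls) is interpolated into an HTML string that ends up in innerHTML, shown beside the escaped and the DOM-API variants. The function and variable names are assumptions made for this example.

```javascript
// Constructed element ID, as a third party embedded on a page might choose it.
// It contains HTML-significant characters; nothing here is taken from the post.
const CONSTRUCTED_ID = 'ad"><b>injected</b>';

// Vulnerable pattern: the ID is pasted verbatim into markup that is later
// assigned to innerHTML, so any tags inside the ID become real elements in
// the page that does the assignment.
function buildPreviewUnsafe(tagName, id) {
  return '<span class="selector">' + tagName + '#' + id + '</span>';
}

// Hardened pattern 1: escape every HTML-significant character before
// interpolating untrusted text into an HTML string.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function buildPreviewSafe(tagName, id) {
  return '<span class="selector">' + escapeHtml(tagName) + '#' + escapeHtml(id) + '</span>';
}

// Hardened pattern 2 (preferred in browser code): avoid HTML strings entirely
// and let the DOM treat the value as text via textContent.
function buildPreviewNode(doc, tagName, id) {
  const span = doc.createElement('span');
  span.className = 'selector';
  span.textContent = tagName + '#' + id;
  return span;
}

// Review helper: after stripping the wrapper span, does any tag remain?
// A defender can run this over generated strings to spot unescaped markup.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<span class="selector">/, '').replace(/<\/span>$/, '');
  return /<[a-zA-Z/]/.test(inner);
}
```

In a browser, `buildPreviewNode(document, 'div', CONSTRUCTED_ID)` renders the literal ID text, while assigning `buildPreviewUnsafe(...)` to innerHTML would create the injected element.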

Nicholas Carlini contacted me about this issue on August 7th and explained how this bug can still be security relevant if the website contains third-party content. I was able to confirm the issue on August 10th. A fix was implemented on the same day.
