Adblock Plus and (a little) more

Potential vulnerability through the URL rewrite filter option · 2019-04-15 21:58 by Laura Dornheim

Hours ago we were made aware that the rewrite option that we provide for filter list authors can potentially be abused by a malicious filter list author to execute third-party code on a website. We consider this to be a very unlikely scenario mainly for two reasons:
1. We vet all authors who contribute to filter lists that are enabled in Adblock Plus by default
2. We examine these filter lists regularly.

While exploiting this issue is non-trivial and will only work for some websites, we take it very seriously. We already confirmed that no common filter lists abused this filter option.
This means that there is no existing threat to any user of Adblock Plus.

Support for the rewrite option was added to give filter list authors more control when dealing with pre-roll video ads. We were aware of security concerns regarding this feature, discussed this extensively and implemented restrictions to mitigate any risk. As demonstrated by Armin Sebastian now, these measures weren’t sufficient for some websites.

It is our responsibility to protect our users, and despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible.We are doing this as a measure of precaution. There has not been any attempt of abusing the rewrite option and we will do everything we can to ensure this won’t happen.

We are additionally looking into other options such as restricting all filter lists to https, which is already the case for the default activated lists.

Adblock Plus has always been an open source project building on the great work of a community of contributors. Protecting our users from annoying ads while protecting their privacy is our number one concern.

We have extremely high standards for testing and quality control for every line of code we publish. Striving for the best possible code also means that we highly appreciate being made aware of any potential vulnerabilities that we didn’t spot so we can fix them as fast as possible.
You can always use security@eyeo.com to reach out to us!

This post was originally published on April 15th, 21:58 CEST and has been edited and updated with further details.
First update: April 16th, 10:31 CEST
Second update: April 16th, 12:58 CEST

Comment [12]

  1. Richard · 2019-04-16 08:08 · #

    I would like an option where I can enable and disable the rewrite functionality.

  2. Laura · 2019-04-16 10:34 · #

    Hi Richard,

    this functionality will be removed completely with the next update!

    Best, Laura from Adblock Plus

  3. anna · 2019-04-16 12:11 · #

    Hi,

    when will be release the new update with the removal of rewrite that cause the bug?

  4. cjx · 2019-04-16 14:27 · #

    Please do not remove $rewrite=abp-resource: I need this to block video ads on qq.com,youku.com whithout anti-adblock warning messages and other sites. See EasyList China https://easylist-downloads.adblockplus.org/easylistchina.txt

  5. Laura · 2019-04-16 14:58 · #

    Hi cjx,

    I just checked back with our dev team: Don’t worry, we will keep the option to rewrite to internal resources as in your example.

    Best,
    Laura

  6. In this Link · 2019-04-18 13:23 · #

    Great Post to find i am very imprasive to get this useful info

  7. Barbara · 2019-04-19 09:05 · #

    Hi,

    Any news about the release of the new version without the srewrite function?

  8. Suzy Getman · 2019-04-23 05:33 · #

    I oppose any toggle for user to enable/disable the rewrite option, since my grandma and your grandma wouldn’t know what to do with it.

  9. Elkodsolana · 2019-04-24 02:00 · #

    Please don’t remove the $rewrite option and just restrict the uses of filter to the user custom filters.

  10. Dirk A. · 2019-05-04 03:38 · #

    Firefox (66.0.3 Quantum on Win10) has just blocked the ABP extension presumably due to this “vulnerability”, and will not re-install it, labeling it as “corrupt”.

    I hope Mozilla can be brought around soon, or I will be going to a different browser.

  11. Paul W. · 2019-05-04 14:11 · #

    We need an update on the Firefox situation. As of 7:00 pm EST on 5/03, Mozilla has blocked Adblock Plus.

  12. Laura · 2019-05-04 15:11 · #

    Hi Dirk and Paul,

    Please see our latest blogpost: https://adblockplus.org/blog/firefox-bug-disabled-all-add-ons-including-adblock-plus

    We can’t do anything than wait for Firefox zu fix this but wait. They are working on it!

Commenting is closed for this article.