In July 2018, the popular Adblock Plus software released its version 3.2 that brought a new feature called $rewrite. This feature allowed one to change the filter rules and decide which content got blocked and which didn’t. It was said that often there are content elements that are difficult to block. This feature was soon implemented by AdBlock as well as uBlock.
In a troubling development, it has been revealed that this filter option can be exploited by notorious actors to inject arbitrary code into the web pages. With more than 100 million users of these ad blocking tools, this exploit has great potential to harm the web users.
When $rewrite feature was introduced, it came up with a simple trick to ensure that it’s not exploited easily. You needed to specify a new URL to replace a particular web request. While doing so, it was required that you replace the earlier URL with a new URL with the same host. For example, you had to redirect the requests for example.com/ads.gif to example.com/doggos.gif. Here, host example.com remains the same.
So what has changed? What has made $rewrite exploitable?
Under some conditions, it’s possible to exploit web services using $rewrite. For example, when a service uses XMLHttpRequest or Fetch to load code for execution, $rewrite allows them to fulfill requests from arbitrary origins.
By keeping in mind these conditions, it’s possible for any ad blocker filter maintainer to create a rouge set of rules that can redirect the service to a page with a malicious payload.
As per the findings of the researcher Armin Sebastian, Google’s services like Google I’m Feeling Lucky, Google Maps, Gmail, and Google Images, etc., meet the requirements to be exploitable. It’s worth noting that the flaw isn’t limited to Google services and other web services could be affected by the same.
Sebastian informed Google regarding the flaw, but his report was closed as it was an “Intended Behavior.”
It’s worth noting that it’s challenging to detect which rogue filter list operator injected the harmful code. The operator can offer a short expiration time for the malicious filter list and even sort targets based on IP addresses. Sebastian suggests that ad blockers should drop the support for $rewrite feature and opt for those options that don’t support it in the first place.