Independent security researcher Armin Sebastian discovered a vulnerability in Adblock Plus which can allow hackers to read a victim’s Gmail and look into other Google services.
Adblock Plus is the world’s most popular free advertisement blocker with millions of users and extensions that run in all the major web browsers including Chrome, Edge, Firefox, Opera and Safari.
The vulnerability allows the threat actor to inject malicious code into several Google services including Gmail, Google Images and Google Maps in attacks that are difficult to detect, according to an April 15 blog post.
The flaw was introduced when a new version of Adblock Plus was released on July 17, 2018 which came with a new filter option for rewriting requests but Sebastian found that under certain conditions, the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages.
“The $rewrite filter option is used by some ad blockers to remove tracking data and block ads by redirecting requests,” Sabastian said in the post. “The option allows rewrites only within the same origin, and requests of SCRIPT, SUBDOCUMENT, OBJECT and OBJECT_SUBREQUEST types are not processed.”
The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers, Sabastion said.
In order for a web service to be exploitable using this method the page must load a JS string using XMLHttpRequest or Fetch and execute the returned code, the page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code.
In addition, the origin of the fetched code must have a server-side open redirect or it must host arbitrary user content.
To run arbitrary code on Google Maps, a user must install either Adblock Plus, AdBlock or uBlock in a new browser profile, visit the options of the extension and add the example filter list to simulate a malicious update to a default filter list, and then navigate to Google Maps.
After a few seconds an alert with “www.google.com” should pop up.
In order to mitigate the vulnerability users should whitelist known origins using the connect-src CSP header, or by eliminating server-side open redirects. The researchers also said ad blocking extensions should consider dropping support for the $rewrite filter option.
“Users may also switch to uBlock Origin,” the post said. “It does not support the $rewrite filter option and it is not vulnerable to the described attack.”