Ad Blockers Could Be Hijacked

A feature used in several ad blocker tools could be used to "booby trap" websites according to a security researchers. It appears to be a low but credible risk.

The problem is all to do with the way many ad blockers work. In simple terms, they maintain a blacklist of URLs that host ads and other unwanted material. Whenever a website tries to load an ad from an URL on the list, it's blocked from doing so.

Since last summer some ad blockers, including Adblock Plus, added support for a feature called "$rewrite." With this feature, the ad blocker won't just block the unwanted URL from loading but will serve another ad instead.

'Volunteers' Could Turn Malicious

Sometimes this is just for aesthetic reasons, such as replacing the ad image with a cute cat picture (for example). Sometimes, it's for more practical reasons such as delivering third party content but bypassing tracking tools. Another use is forcing a website to skip straight to the main content of an embedded video rather than showing an ad first.

By design, $rewrite has several intentional limitations to stop this from being abused. However, researcher Armin Sebastian has shown that these limitations have security holes that make it possible for the ad blocker tool to replace the ad with malicious code that creates a security or privacy risk. (Source: bleepingcomputer.com)

Naturally the operators of the ad blocker wouldn't exploit these security holes. Instead, the problem lies with another ad blocker feature: third party blacklists which users can add on. These are often maintained by volunteers and the idea is to increase the likelihood of blocking newly created sources of advertising.

Feature Disabled For Safety

While most of these lists can be trusted, there have been cases where the blacklists have been abused. For example, one list blocked links to a set of websites on political grounds, even though they were nothing to do with advertising.

The makers of Adblock Plus say they not only vet all third parties who provide blacklists, but they also regularly check the lists themselves. However, they also said "It is our responsibility to protect our users, and despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible." (Source: adblockplus.org)

Attention Readers: A Note On Ad blocking

As always, when we mention ad-blocking tools, we should point out that ad revenue is absolutely vital to covering the staff and running costs that let us bring Infopackets articles to our audience. Most ad-blocking tools allow users to manually add a site to a white list, which means ads are still displayed on that site. We would be extremely grateful if our readers that use ad-blocking tools add Infopackets to their white list. Much thanks!

What's Your Opinion?

Do you use an ad blocker and if so, do you knowingly use any third party lists? Are you concerned that ad blockers could be compromised, either to block legitimate sites or deliver unwanted code? Do security researchers make too much of a big deal about flaws that are unlikely to be abused or is it better to nip potential problems in the bud?