CVE-2015-2692 - AdBlock Filter Injection
I installed AdBlock for Chrome, went to the Adblock Plus subscriptions page, clicked on the link "Prebake" and noticed that AdBlock opened up a new window indicating that the filter list is being added. After that window closed I verified in AdBlock's options page that the list has indeed been added without asking me to confirm this action.
AdBlock does not request user confirmation when a click event is triggered on an anchor tag on a webpage that references an Adblock Plus subscription URI. This allows any webpage to add arbitrary filters to AdBlock without the user's prior consent.
Those filters could, for instance, (a) block specific resources on competing websites, (b) block all resources, (c) disable all existing blocking filters, or (d) disable specific blocking filters targeting resources on the webpage that would otherwise have been blocked.
Affected system configurations
- Chromium-based browsers that support Chrome extensions with AdBlock 2.0.4 (from June 2010) and newer
- Safari with AdBlock 2.0.4 (from June 2010) and newer
- Gecko with AdBlock (all versions)
The vulnerability was reported on March 13 as a private discussion at support.getadblock.com. On March 20 the vendor announced that AdBlock 2.21 for Chrome, Opera and Safari includes a fix for this issue which is described in the extension's changelog as follows:
Added a user confirmation prompt when subscribing to a new filter lists using the ABP syntax. (#486)
There doesn't appear to be an official message about it but AdBlock 2.1 for Firefox includes that same fix. However, due to the removal of the AdBlock extension from Mozilla Add-Ons and the lack of an update URL in versions prior to 2.1, existing AdBlock users have not automatically been updated to a version that contains this fix.
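The difference between the behaviour reported above and the fixed behaviour, as an added example that is not AdBlock's own code. The function names, the HTTPS-only policy, the `isTrusted` check and the sample link are assumptions made for illustration; the link format is the ABP `abp:subscribe?location=...&title=...` syntax.

```javascript
// Added example: hypothetical extension-side handlers, not AdBlock's source.

// Parse an ABP-syntax subscription link: abp:subscribe?location=<url>&title=<name>
function parseSubscribeLink(href) {
  let link, list;
  try {
    link = new URL(href);
    if (link.protocol !== "abp:" || link.pathname !== "subscribe") return null;
    list = new URL(link.searchParams.get("location") || "");
  } catch {
    return null; // malformed link or malformed list URL
  }
  // Policy chosen for this example: only accept lists served over HTTPS.
  if (list.protocol !== "https:") return null;
  return { url: list.href, title: link.searchParams.get("title") || "" };
}

// Behaviour the advisory describes: a click on the link subscribes immediately.
function onClickBeforeFix(href, subscriptions) {
  const req = parseSubscribeLink(href);
  if (!req) return "ignored";
  subscriptions.add(req.url);
  return "subscribed";
}

// Behaviour after the fix: nothing is added until the user confirms.
// askUser must render in extension-owned UI (not the page's DOM) and show
// req.url itself, because req.title is chosen by the page.
function onClickAfterFix(event, href, subscriptions, askUser) {
  const req = parseSubscribeLink(href);
  if (!req) return "ignored";
  // Extra check beyond the fix the page describes: drop script-dispatched clicks.
  if (!event.isTrusted) return "rejected";
  if (subscriptions.has(req.url)) return "already-subscribed";
  if (!askUser(req)) return "declined";
  subscriptions.add(req.url);
  return "subscribed";
}

// Constructed sample input.
const SAMPLE =
  "abp:subscribe?location=https%3A%2F%2Flists.example.test%2Ffilters.txt&title=Demo";
```

The confirmation step is the control that matters: a trusted click on a misleading link still reaches `askUser`, so the prompt has to display the list URL that will actually be fetched.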