CVE-2015-2692 - AdBlock Filter Injection
During investigation of common practices for subscribing to Adblock Plus filter lists among adblockers, I took a closer look at AdBlock's implementation.
I installed AdBlock for Chrome, went to the Adblock Plus subscriptions page, clicked on the link "Prebake" and noticed that AdBlock opened up a new window indicating that the filter list is being added. After that window closed I verified in AdBlock's options page that the list has indeed been added without asking me to confirm this action.
Description
AdBlock does not request user confirmation when a click mouse event on an anchor tag that is referencing an Adblock Plus subscription URI is triggered on a webpage. This allows a webpage to add arbitrary filters to AdBlock without prior user consent.
Impact
A website can embed an HTML anchor tag with its href attribute containing an Adblock Plus subscription URI. A "click" mouse event can then be dispatched on the anchor tag using JavaScript to tell AdBlock to add the filter list which is referenced in the URI.
This approach allows any webpage to add arbitrary filters to AdBlock without the user's consent. Those filters could, for instance, (a) block specific resources on competing websites, (b) block all resources, (c) disable all existing blocking filters and (d) disable specific blocking filters targeting resources on the webpage which would've otherwise been blocked.
Affected system configurations
- Chromium-based browsers that support Chrome extensions with AdBlock 2.0.4 (from June 2010) and newer
- Safari with AdBlock 2.0.4 (from June 2010) and newer
- Gecko with AdBlock (all versions)
Communication
The vulnerability was reported on March 13 as a private discussion at support.getadblock.com. On March 20 the vendor announced that AdBlock 2.21 for Chrome, Opera and Safari includes a fix for this issue which is described in the extension's changelog as follows:
Added a user confirmation prompt when subscribing to a new filter lists using the ABP syntax. (#486)
There doesn't appear to be an official message about it but AdBlock 2.1 for Firefox includes that same fix. However, due to the removal of the AdBlock extension from Mozilla Add-Ons and the lack of an update URL in versions prior to 2.1, existing AdBlock users have not automatically been updated to a version that contains this fix.