Potential vulnerability through the URL rewrite filter option · 2019-04-15 21:58 by Laura Dornheim
Hours ago we were made aware that the rewrite option that we provide for filter list authors can potentially be abused by a malicious filter list author to execute third-party code on a website. We consider this to be a very unlikely scenario mainly for two reasons:
1. We vet all authors who contribute to filter lists that are enabled in Adblock Plus by default
2. We examine these filter lists regularly.
While exploiting this issue is non-trivial and will only work for some websites, we take it very seriously. We already confirmed that no common filter lists abused this filter option.
This means that there is no existing threat to any user of Adblock Plus.
Support for the rewrite option was added to give filter list authors more control when dealing with pre-roll video ads. We were aware of security concerns regarding this feature, discussed this extensively and implemented restrictions to mitigate any risk. As demonstrated by Armin Sebastian now, these measures weren’t sufficient for some websites.
It is our responsibility to protect our users, and despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible.We are doing this as a measure of precaution. There has not been any attempt of abusing the rewrite option and we will do everything we can to ensure this won’t happen.
We are additionally looking into other options such as restricting all filter lists to https, which is already the case for the default activated lists.
Adblock Plus has always been an open source project building on the great work of a community of contributors. Protecting our users from annoying ads while protecting their privacy is our number one concern.
We have extremely high standards for testing and quality control for every line of code we publish. Striving for the best possible code also means that we highly appreciate being made aware of any potential vulnerabilities that we didn’t spot so we can fix them as fast as possible.
You can always use firstname.lastname@example.org to reach out to us!
This post was originally published on April 15th, 21:58 CEST and has been edited and updated with further details.
First update: April 16th, 10:31 CEST
Second update: April 16th, 12:58 CEST