[HN Gopher] uBlock, I exfiltrate: exploiting ad blockers with CSS
___________________________________________________________________
uBlock, I exfiltrate: exploiting ad blockers with CSS
Author : todsacerdoti
Score : 162 points
Date : 2021-12-06 14:13 UTC (8 hours ago)
(HTM) web link (portswigger.net)
(TXT) w3m dump (portswigger.net)
| _wldu wrote:
| Web security is completely broken. We have super complex web
| browsers (written in unsafe languages such as C++) that we try to
| secure by installing 'add-ons' and those have vulnerabilities
| that can steal our data.
|
| Who thinks this is a good idea for online banking?
| VWWHFSfQ wrote:
| That's why banks are responsible for the fraud risk, not the
| customer. It's pretty much the only way this can work. It's
| also why something like bitcoins will never replace traditional
| banking. Because people make mistakes or have their stuff
| stolen due to no fault of their own and they would have no
| recourse.
| nathanyz wrote:
| This is exactly my thoughts on crypto as well. Being unable
| to fix a "whoopsy" is the biggest weakness. Humans make
| mistakes, and computers make mistakes. When it comes to
| money, you need to be able to apply common sense and be able
| to reverse those mistakes.
|
| Crypto seems too absolutist for this use case. (Although I
| should mention that they seem to discuss rolling back the
| blockchain whenever a big heist takes place. But if you can
| roll back the chain, then doesn't that circumvent the core
| tenet of no trust needed, as now you have to trust that the
| group doesn't decide to roll back the chain?)
| jaywalk wrote:
| I can't imagine any scenario where a majority of the miners
| decided to roll back the blockchain with Bitcoin itself
| surviving unscathed.
| blibble wrote:
| We saw that pretty much with Ethereum vs. Ethereum
| Classic.
| colinmhayes wrote:
| Ethereum has a clear leader.
| notyourwork wrote:
| That's right, as interesting as crypto currency may be it
| doesn't solve the customer fuck up problem in a way that the
| masses would tolerate.
| brokenmachine wrote:
| Couldn't insurance cover that gap?
| morrisdoris wrote:
| It's time to retire JavaScript and CSS and any Turing-complete
| scripting/styling; running random code from random websites is
| just never gonna be safe.
| bennyp101 wrote:
| I dunno, 20 years ago it gave us an instant cup holder
| madars wrote:
| For those who might not have seen this reference:
| https://www.youtube.com/watch?v=gbVMdPDS1ak . Oh, VBScript,
| those were the times!
| _notathrowaway wrote:
| Laptops were so sexy back then.
| cortesoft wrote:
| If you got rid of JavaScript, it would mean that a lot of
| things that can be websites today would have to move to an
| application on your computer/phone. It is just shifting the
| security risk somewhere else.
| kyrra wrote:
| May as well have the web just be a series of PDFs, I've never
| heard of exploits in those! /s
|
| Even just rendering engines can have bugs that can be
| exploited by specially crafted content. While it reduces the
| attack surface, it would be a massive hit to usability of web
| pages.
| catlikesshrimp wrote:
| You should have specified somewhere that PDFs are also
| vulnerable. It is not common sense.
|
| On that, PDFs run scripts and use graphic libraries, they
| are not text documents.
| kyrra wrote:
| agreed, it was a bad example. You can fill them out like
| forms and the like.
| yjftsjthsd-h wrote:
| PDFs can have full-on javascript and everything, too
| seanw444 wrote:
| Gemini ¯\_(ツ)_/¯
| nonameiguess wrote:
| You write this seemingly as a joke, but someone a few
| months back actually posted a link to a blog that entirely
| consists of pdfs. What we really need is blogs that are all
| .txt files, to avoid the exploits in pdf active content.
| KarlKemp wrote:
| Name any CSS or JS exploit that had meaningful real-world
| impact in the last decade.
|
| In 20 years on the Internet, most without an ad blocker, I
| haven't suffered from any lapses in browser security (that I
| know of, sure, but I don't much care about those I don't know
| about)
|
| The tale of frequent compromises of browsers via ads is told
| merely to legitimize the practice of blocking even entirely
| plain and benign ads.
| jyrkesh wrote:
| Great, but you're computer-savvy. You know not to click the 9
| phony "Download" buttons and to find the nondescript text
| that says "Download link (slow)", and you probably don't even
| end up on sites like that in the first place.
|
| Nowadays, the first thing I do when "cleaning up" a non-tech
| friend/relative's computer is to install uBlock Origin. Since
| I started doing that, the number of repeat calls dropped
| precipitously. (To be honest, it's probably good for their
| fake news intake, too...)
|
| The web is a lot scarier for most people than you might
| realize if you've been successfully navigating away from
| sketchy sites for 30 years.
| Brybry wrote:
| People lose website account credentials, with meaningful life
| impacts, all of the time. Even simple image ads that are fake
| "click here to login" have tricked my elderly relatives
| before. I install an ad blocker on the computers of relatives
| out of reaction to real events that happened, not paranoia.
|
| You were never clickjacked?
|
| Never had pop-up or pop-under ads/windows created without
| your consent? Recursively? Crashing your browser?
|
| Never visited a page that was hijacked with an iframe?
|
| I've experienced a lot of malicious ads in my time on the
| internet, it baffles me that someone has not.
| danr4 wrote:
| Computer security is generally broken, and will always be. Code
| will always have bugs, some of them will be security bugs.
| Always.
| prionassembly wrote:
| Yeah. But the web is like a VW Bug four-cycle motor rigged to
| a ratty tricycle overlaid with a stage-looking platform where
| large bears perform pole dances (poles glued to the
| tricycle's handle), and there's classrooms for ants on top of
| the heads of the bears and underneath it all the water level
| keeps rising...
|
| Maybe we should have a dozen protocols for different kinds of
| applications. (I mean user-facing applications!) Maybe online
| banking shouldn't involve CSS and JavaScript. Spending some
| time with Gemini is a real eye opener in this respect.
| [deleted]
| brokenmachine wrote:
| What's Gemini?
| josefx wrote:
| > This works because document.querySelector tolerates malformed
| selectors
|
| Of course it does. Is there a single web API that doesn't
| intentionally enable exploit smuggling by allowing malformed
| input?
| brundolf wrote:
| That's a pretty big leap to malice you just made there.
| kingcharles wrote:
| Don't think poster meant the APIs were designed to
| maliciously allow exploits. He meant they were intentionally
| developed to allow rotten code to work (because, sadly,
| rotten code is everywhere), and a by-product of that lax
| attitude _unintentionally_ allows exploits.
| brundolf wrote:
| "intentionally enable exploit smuggling" seemed pretty
| clear to me, but happy to be wrong
| mads_ravn wrote:
| I personally blame the robustness principle[1], which I think
| explains a lot of the accidental complexity in web programming.
|
| [1] https://en.m.wikipedia.org/wiki/Robustness_principle
| Spivak wrote:
| Over the years I've switched my philosophy to "be paranoid
| about what you accept, normalize inputs, randomize outputs,
| and fail loud and on purpose."
|
| Make it so that if the caller/client works at all then it
| must work correctly. Force them to handle errors and retry on
| things that might fail, values that might change, and if the
| result is something that must be parsed send it back in
| varying formats so they have to parse it.
| BiteCode_dev wrote:
| I understand the benefit of randomizing output, but that's
| very costly.
| rplnt wrote:
| That's basically the mantra of one of the most popular
| technologies of the past: PHP. And JavaScript to a degree.
|
| > Do anything, even the wrong thing, just work.
| Anthony-G wrote:
| Agreed. That's why I liked XHTML when it came out - it's hard
| to believe that's more than two decades ago! While HTML5 had
| lots of goodies, I liked the rigour that XHTML imposed on web
| authors.
| derf_ wrote:
| https://datatracker.ietf.org/doc/html/draft-iab-protocol-mai...
| LinuxBender wrote:
| Was this also tested against the CSS Exfil Protection addon?
| [1][2]
|
| [1] - https://www.mike-gualtieri.com/css-exfil-vulnerability-teste...
|
| [2] - https://addons.mozilla.org/en-US/firefox/addon/css-exfil-pro...
| tux1968 wrote:
| Not trying to be snide or make an accusation at all, but how is
| anyone supposed to know if this is actual protection or is a
| socially engineered exploit itself? When you go to the Firefox
| addon page it has a warning saying that Mozilla does not
| monitor it and that you should trust it yourself before using
| it.
| sharmin123 wrote:
| Learn Ethical Hacking And Save The World: Hacking Benefits:
| https://www.hackerslist.co/learn-ethical-hacking-and-save-th...
| SAI_Peregrinus wrote:
| This is essentially the same problem seen with various antivirus
| software implementations: uBlock helps prevent malicious ads from
| running, but (by nature) has access to run on just about any site
| and itself has to handle potentially malicious code. So it's a
| tempting target for attack, just like AV software is a tempting
| target for attack.
| dkonofalski wrote:
| I'm not sure I follow how this is useful. How does the CSS
| injection send that information back to anyone to make this
| useful? The most likely scenario is the font loading that they
| mention but that doesn't actually give the bad actor any useful
| information except for the characters used (without the order or
| number of times they're used) and potentially the site they're
| being entered on.
|
| This might work for very basic info/passwords but seems mostly
| useless unless someone has a way of then brute-forcing that
| information.
|
| I feel like there has to be something I'm missing here...
| yorwba wrote:
| > that doesn't actually give the bad actor any useful
| information except for the characters used (without the order
| or number of times they're used)
|
| Keep reading until the part where they use first-line to filter
| which part of the text to apply the font to and CSS animations
| to vary how long that first line is.
| SavantIdiot wrote:
| And the animation part to steal dupes. This guy is insane.
| I'm scared of everything now. If I was the author of Ublock
| Origin I probably would have just thrown up my hands and
| switched to pottery.
| dkonofalski wrote:
| I did. That still only tells you the first time those
| characters are used forwards and backwards. It's unhelpful
| for email addresses where the likelihood of repeated
| characters goes up a lot and for any passwords where there
| are multiples of the same character.
|
| It's still a security issue but it doesn't seem like one that
| would be very practical.
| DangitBobby wrote:
| Let's say your password is Refridg3r@t0r. How hard is it to
| guess that password if you are given the strings
| Refridg3@t0, r0t@3gdifeR? What about f.lastname@gmail.com
| => f.lastnme@gico, moc.liag@entsf? You try a handful of
| possible combinations using this knowledge, and if they
| don't work, you move on to the next target. Personally,
| some of my credentials would be very, very easy to guess
| given this information.
| dkonofalski wrote:
| That would be an easier target because it's a dictionary
| word and it's a single word. But what if your password is
| 'dogeatdogworld'? What if your password is
| 'x8GiuG08geejXx'?
|
| It just seems like it would only be useful for the most
| insecure username/password combos. Again, I'm not saying
| that it's not a security breach, but the usefulness seems
| limited unless someone is willing to try and brute force
| things for an unknown gain.
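To make the forward/backward first-occurrence model argued over in this exchange concrete, here is an added Python illustration (not code from the PortSwigger write-up or from uBlock Origin) that computes the two leaked views for the strings quoted above and counts how many positions of each secret stay unknown:

```python
"""What a first-occurrence CSS leak reveals about a typed secret.

Model (as described in the thread): a font-loading trick fires once per
distinct character value, so the observer learns only the FIRST time each
character appears reading forwards, and again reading backwards. Repeats
and their positions are lost. The secrets below are the ones quoted in the
thread, used here as constructed sample input.
"""


def first_occurrence_view(text: str) -> str:
    """Keep each character the first time it is seen, drop later repeats."""
    seen = set()
    out = []
    for ch in text:
        if ch not in seen:
            seen.add(ch)
            out.append(ch)
    return "".join(out)


def leaked_views(secret: str) -> tuple[str, str]:
    """The forward and reversed first-occurrence views an observer gets."""
    return first_occurrence_view(secret), first_occurrence_view(secret[::-1])


def positions_lost(secret: str) -> int:
    """Number of character positions the forward view does not pin down."""
    return len(secret) - len(first_occurrence_view(secret))


def fully_revealed(secret: str) -> bool:
    """True when every character is unique, so the forward view IS the secret."""
    return positions_lost(secret) == 0


if __name__ == "__main__":
    samples = [  # constructed: the examples traded in the thread above
        "Refridg3r@t0r",
        "f.lastname@gmail.com",
        "dogeatdogworld",
        "x8GiuG08geejXx",
    ]
    for s in samples:
        fwd, rev = leaked_views(s)
        print(f"{s:22} forward={fwd:20} reversed={rev:20} "
              f"lost={positions_lost(s)} full={fully_revealed(s)}")
```

A secret with no repeated characters is recovered outright, which is the risk case both posters agree on; the lost-position count is what the "dogeatdogworld" objection is measuring.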
| DangitBobby wrote:
| I think it's fair to say that most laypeople's passwords
| are not particularly secure, but it's still not feasible
| to brute-force them unless you can conduct an offline
| attack. I think this makes an online attack much more
| feasible on an insecure (read, most) password.
| kingcharles wrote:
| Look at every time a huge password list leaks. I had
| access to a several million entry user table at the
| company I worked at in the early 2000s and the #1 pass
| was "trustno1" and the #2 was "12345678".
|
| Looking back, I have no idea why we stored the passwords
| in plaintext and I assume it stayed that way until the
| code was phased out in 2009. This app was used by some of
| the largest corps in the world, including Microsoft, and
| was live on the web.
| thehappypm wrote:
| Funny that I had not considered this particular attack vector
| before. Not only do you have to trust an extension to not be
| malware, you also have to trust that a good extension itself is
| not being exploited.
| staticassertion wrote:
| Interesting - the attack relies on a compromised rule list, but
| that doesn't seem super hard. I have no idea what goes into
| building one of those, where they're sourced from, etc.
| dewey wrote:
| You can select which "lists" you want to subscribe to when
| setting up the extension. One of the popular ones would be
| EasyList: https://github.com/easylist
|
| Compromising one of these would be as "simple" as getting a PR
| merged that wasn't reviewed carefully.
| a13n wrote:
| Did anyone go through the existing lists to see if someone had
| already been using this vulnerability? Didn't see anything about
| this in the write up... seems like it should be a part of
| responsible disclosure.
| golemiprague wrote:
| I don't mind seeing ads; in some way I even want it so I can
| support whoever supplies whatever content I am consuming. What I
| don't like is the tracking of everything I do. What is the best
| extension to block the tracking but not the ads?
| ziddoap wrote:
| Although not having an easy path for security researchers to
| report vulnerabilities is not exactly great, what is commendable
| here is the speed at which these were addressed.
|
| > _2021-11-03 11:51 - I reported my bypass to uBlock Origin_
|
| > _2021-11-03 12:52 - uBlock Origin patched my bypass on master_
|
| > _2021-11-08 13:25 - Reported bug in cosmetic filter_
|
| > _2021-11-08 14:19 - uBlock Origin patched my cosmetic bypass_
|
| > _2021-11-08 15:35 - I bypassed the patch without using
| comments_
|
| > _2021-11-08 16:18 - uBlock Origin patched the cosmetic filter
| bypass_
|
| 61 minutes, 54 minutes, 43 minutes. Pretty quick!
| [deleted]
| netizen-936824 wrote:
| That's super impressive imo, and exactly what I would hope to
| see on a security product
| Causality1 wrote:
| Can we put these people in charge of Windows Update?
___________________________________________________________________
(page generated 2021-12-06 23:00 UTC)