Adblock Plus filter lists can be used to execute arbitrary code on web pages

Adblock Plus released version 3.2 on July 17, 2018, which introduced a new filter option, $rewrite, for rewriting requests. Immediately afterwards, AdBlock and uBlock added support for the option. However, according to security expert Armin Sebastian, under certain conditions the maintainer of a filter list can use the $rewrite option to inject arbitrary code into a web page.

According to reports, the affected extensions have more than 100 million active users. The feature can be easily exploited to attack any sufficiently complex web service, including Google services, and such attacks are difficult to detect and work in all major browsers. Considering the nature and impact of the vulnerability, Sebastian decided to publicly disclose the details of the exploit chain to ensure that the affected browser extensions and the web could mitigate it effectively.

Sebastian explained in his personal blog how to use this option to execute arbitrary code. He suggested that Adblock Plus remove the $rewrite option because it is vulnerable to abuse. Users can switch to another popular ad blocking extension, uBlock Origin, which does not support the $rewrite option and is therefore not affected by this attack.
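
For anyone auditing the filter lists they subscribe to, the check below lists every network filter that carries the $rewrite option so those rules can be reviewed. It is an added example, not code from the article or from Adblock Plus; the options regex is an approximation of Adblock Plus filter syntax, and the sample list and the `/placeholder` values are constructed.

```python
import re

# Approximation of the "$opt1,opt2=value" tail of a network filter (assumption).
OPTIONS_RE = re.compile(r"\$(~?[\w-]+(?:=[^,]*)?(?:,~?[\w-]+(?:=[^,]*)?)*)$")
# Element-hiding and snippet rules use these separators and carry no options.
COSMETIC_RE = re.compile(r"#[@?$]?#")


def rewrite_rules(filter_text):
    """Return (line_number, rule, rewrite_value) for each filter using $rewrite."""
    findings = []
    for lineno, raw in enumerate(filter_text.splitlines(), start=1):
        rule = raw.strip()
        # Skip blank lines, "!" comments and the "[Adblock Plus x.y]" header.
        if not rule or rule.startswith(("!", "[")):
            continue
        if COSMETIC_RE.search(rule):
            continue
        match = OPTIONS_RE.search(rule)
        if not match:
            continue
        for option in match.group(1).split(","):
            name, _, value = option.partition("=")
            if name.lower() == "rewrite":
                findings.append((lineno, rule, value))
    return findings


# Constructed sample list; hosts and rewrite values are placeholders.
SAMPLE = "\n".join([
    "[Adblock Plus 2.0]",
    "! Title: constructed sample list",
    "||ads.example.com^",
    "||example.com/api/*$rewrite=/placeholder,domain=example.com,xmlhttprequest",
    "@@||cdn.example.net^$script",
    "example.org##.banner",
    "||example.net/track?*$third-party,rewrite=/placeholder",
])

if __name__ == "__main__":
    for lineno, rule, value in rewrite_rules(SAMPLE):
        print(f"line {lineno}: rewrite={value!r} in {rule}")
```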