Has Facebook outsmarted Adblock Plus in cat-and-mouse ad blocking game? Facebook's battle with ad blockers has intensified after launching an ad-blocker bypass for its desktop site - and Adblock Plus has struck back. Publishers have a right to choose who they're serving their content to." "We intentionally do not circumvent paywalls. The search biz is focused on issues other than filter trust, like replacing the webRequest API, which evaluates rules in the browser (where they can be changed) rather than in the JavaScript engine (where declared rules remain fixed). "We respect the publishers' settings and their decisions," she added. One of the reasons Google cites for its controversial Manifest v3 plan to change the APIs available to Chrome extensions is security. The Register asked Google to confirm that it doesn't see this as a Chrome security problem, but we've not yet heard back. Sebastian said the risk can be mitigated by whitelisting known origins with the connect-src CSP header or by omitting server-side open redirects. In addition to further restrictions being considered for $rewrite, Adblock Plus says it may restrict all filter lists to https, which is currently the case for default activated lists. We are working on fixing this exploit," the company said. "Nevertheless, there are still websites where this option can be used to run malicious software and we know that it is our responsibility to protect our users from such attacks. The company, which posted a longer statement on its website, said it considers exploitation unlikely (and hasn't seen any exploitation attempts) because it vets authors who contribute to filter lists enabled in Adblock Plus by default and it examines filter lists regularly.
Still, makes the case that the possibility exists and this needs to be taken into account by users according to how they personally choose to assign trust." Adblock Plus said $rewrite has been restricted to prevent it from executing any scripts but, despite Content Security Policy settings, "certain websites allow the interpretation of plaintext from a third party as code and execute it." those used by default by the affected blockers. In an email to The Register, Hill said, "The exploit requires that a filter list maintainer go rogue, an unlikely scenario, especially for prominent filter lists, i.e. "Even with strictly same origin, a malicious filter list author could add bad stuff to a network request," he wrote, noting that he preferred an option called querystrip that removes but does not rewrite URL query parameters. Specifically, he worried same-origin restrictions would not be enough because sites like GitHub can have the same origin () while giving different people control over content on different pages. Raymond Hill, the creator of rival content blocking extension uBlock Origin, last year said he would not be implementing $rewrite because of security concerns. "This method allows delivering payloads on a per request basis, you may be targeted, exploited and the evidence cleared from the extension storage, without needing to publish the payload as part of a public filter list," he said. Sebastian said he was unaware of whether anyone has been exploiting filtering lists thus, but said manipulation would be difficult to detect. That is quite the leap from how users perceive ad blockers to work." The $rewrite filter option, when chained with other security issues from web services, enables account takeovers and the exfiltration of private data. Adblock Browser's built-in ad-blocking technology is superior to any other free adblocker browser.
"In the past the worst that could have happened was for a malicious filter list provider to block access to a site, which would have been a minor annoyance that is easy to spot. Made by the Adblock Plus team, Adblock Browser is fast, free, fair and secure. "The new feature is a fundamental shift from how ad blockers are understood to work," said Sebastian in a Twitter conversation with The Register. Adblock Plus is among the old guard of ad blockers, and it's easy to see why it has lasted so long.