Security researcher Armin Sebastian has found a bug in Adblock Plus. It can allow attackers to read a victim’s Gmail and look into other Google services.
Adblock Plus is a famous and popular free advertisement blocker. The extension has millions of users and runs in all the major web browsers, including Chrome, Edge, Firefox, Opera and Safari.
The bug allows an attacker to inject malicious code into several Google services, including Gmail, Google Images and Google Maps, in attacks that are difficult to detect. A full, detailed report has been published by the researcher.
“The $rewrite filter option is used by some ad blockers to remove tracking data and block ads by redirecting requests,” Sebastian said in the post. “The option allows rewrites only within the same origin, and requests of SCRIPT, SUBDOCUMENT, OBJECT and OBJECT_SUBREQUEST types are not processed.”
The following criteria must be met for a web service to be exploitable using this method:
- The page must load a JS string using XMLHttpRequest or Fetch and execute the returned code.
- The page must not restrict origins from which it can fetch using Content Security Policy directives, or it must not validate the final request URL before executing the downloaded code.
- The origin of the fetched code must have a server-side open redirect or it must host arbitrary user content.
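The second and third criteria above are the ones a site owner controls. The following is an added example (not code from the article or from Adblock Plus) showing the defensive check those criteria imply: a page that fetches JavaScript and executes it should validate the final URL of the response, after any redirect or filter rewrite, against an allowlist before running the code. The allowlist, the `fetchImpl` parameter and the stand-in fetch functions are assumptions made for this example so that it runs offline.

```javascript
// Added example: validate the *final* URL of fetched code before executing it.
// The allowlist below is constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://www.google.com"]);

// True only when the URL parses, uses https and its origin is allowlisted.
function isAllowedFinalUrl(finalUrl, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(finalUrl);
  } catch (e) {
    return false; // unparsable input is never executable
  }
  return parsed.protocol === "https:" && allowed.has(parsed.origin);
}

// Fetch a script and execute it only if the request ended on an allowed origin.
// `fetchImpl` is injectable (assumption for this example) so the flow can be
// exercised without network access; in a real page the default global fetch is used.
async function loadTrustedScript(url, execute, fetchImpl = fetch, allowed = ALLOWED_ORIGINS) {
  if (!isAllowedFinalUrl(url, allowed)) {
    return { executed: false, reason: "initial URL not on allowlist" };
  }
  const res = await fetchImpl(url);
  // res.url reflects where the request actually ended up, which is what
  // matters when a redirect or a $rewrite rule changed the destination.
  if (!isAllowedFinalUrl(res.url, allowed)) {
    return { executed: false, reason: "final URL " + res.url + " not on allowlist" };
  }
  const code = await res.text();
  execute(code);
  return { executed: true, reason: "ok" };
}

// Constructed stand-in for fetch: models an open redirect on the trusted
// origin that lands the request on an untrusted host.
function fakeRedirectingFetch(url) {
  return Promise.resolve({
    url: "https://untrusted.example/payload.js",
    text: async () => "/* content from an untrusted host */",
  });
}

// Constructed stand-in for fetch: the request stays on its original URL.
function fakeSameOriginFetch(url) {
  return Promise.resolve({ url, text: async () => "/* same-origin code */" });
}

// Demonstration when run directly: the redirected fetch is refused,
// the same-origin fetch is executed.
async function demo() {
  const ran = [];
  const refused = await loadTrustedScript(
    "https://www.google.com/app.js", (c) => ran.push(c), fakeRedirectingFetch);
  const accepted = await loadTrustedScript(
    "https://www.google.com/app.js", (c) => ran.push(c), fakeSameOriginFetch);
  return { refused, accepted, executedCount: ran.length };
}
```

The same check can be complemented by a Content Security Policy `connect-src` directive that lists only the origins the page is expected to fetch code from, which addresses the first half of the second criterion at the browser level.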
Google has been notified about the exploit, but the report was closed as “Intended Behavior”, since they consider the potential security issue to be present solely in the mentioned browser extensions.
Please note that the vulnerability is not limited to Google services; other web services could be affected as well.