
Does this exploit include Adblock Plus?

Posted: Mon Aug 13, 2007 9:31 pm
by pondhopper

Posted: Mon Aug 13, 2007 10:36 pm
by rick752
I can't answer for Wladimir (still awaiting his return here) but I noticed they specifically targeted and linked to the old Adblock and not Plus ... and the article only talked about being able to see the whitelist strings. Don't know if Adblock and ABP use the same mechanism for whitelisting. One of Wladimir's updates a while back was to code ABP to keep from being recognized by servers. ABP may not apply here.

It seems a very trivial thing even on ANY Adblock version that someone could actually see a whitelist string. What could that info possibly be any good for? How would that reveal a "traffic pattern" (as the article alludes to)? All filterlists are open to the public anyway, so what would that 'secret' mean to a hacker? And would I actually have to be visiting the whitelisted site for that info to be seen by THAT site?

I think it was stupid for that article to use Adblock as an example .... is that the best they could do?

Posted: Tue Aug 14, 2007 12:12 am
by Dr. Evil
The only thing you can detect like this is whether a certain extension (and/or browser) is both installed and active. You CANNOT access the settings made in the extension or any other "live" data, even though they say so.

But this way can't be used to detect Adblock Plus because Wladimir Palant noticed this bug already some time ago and implemented a workaround. But there are easier ways, like just looking whether the ads exist or not ;-)

Posted: Tue Aug 14, 2007 12:33 am
by pondhopper
Very educational, thanks!

I had a hunch it was the bug talked about, way back in the past. And patched 8)

Rick, I agree - the article should not have used "old Adblock" as an example. And if the site didn't require email registration (and the possibility of getting spammed in my mailbox afterwards), I'd write a comment about that :wink:

Posted: Tue Aug 14, 2007 3:02 am
by rick752
They may have used the old Adblock because that exploit may not work with Plus.

Posted: Sun Aug 19, 2007 4:44 pm
by elvisthepelvis
Hahaha, the article was a joke, right?
In order to get exploited you got to be allowing JavaScript, but in my experience it pays to have both a scriptblocker and an adblocker. They both have their specialist uses and combined are really powerful.
I don't know anyone who is using Firefox that does not use both a scriptblocker and Adblock Plus.

The scriptblocker is a blunt instrument you can use to ride roughshod over scripts, while the adblocker can be much more surgical if necessary.

Posted: Fri Sep 14, 2007 2:05 am
by Wladimir Palant
This article was not a joke but just plainly stupid. What they refer to as a vulnerability actually isn't one, you cannot possibly get any sensitive data this way. Oh, and you cannot get anything from Adblock Plus anyway - because of http://adblockplus.org/en/faq_internal#protectchrome