http://www.theregister.co.uk/2007/08/13 ... e_leakage/
No biggie for me, just curious.
Does this exploit include Adblock Plus?
I can't answer for Wladimir (still awaiting his return here) but I noticed they specifically targeted and linked to the old Adblock and not Plus ... and the article only talked about being able to see the whitelist strings. Don't know if Adblock and ABP use the same mechanism for whitelisting. One of Wladimir's updates a while back was to code ABP to keep from being recognized by servers. ABP may not apply here.
It seems a very trivial thing even on ANY Adblock version that someone could actually see a whitelist string. What could that info possibly be any good for? How would that reveal a "traffic pattern" (as the article alludes to)? All filterlists are open to the public anyway, so what would that 'secret' mean to a hacker? And would I actually have to be visiting the whitelisted site for that info to be seen by THAT site?
I think it was stupid for that article to use Adblock as an example .... is that the best they could do?
The only thing you can detect like this is whether a certain extension (and/or browser) is both installed and active. You CANNOT access the settings made in the extension or any other "live" data, even though they say so.
But this way can't be used to detect Adblock Plus because Wladimir Palant noticed this bug already some time ago and implemented a workaround. But there are easier ways, like just looking whether the ads exist or not.

Very educational, thanks!
I had a hunch it was the bug talked about, way back in the past. And patched.
Rick, I agree - the article should not have used "old Adblock" as an example. And if the site didn't require email registration and the possibility of getting spammed in my mailbox afterwards, I'd write a comment about that.
hahaha the article was a joke right?
In order to get exploited you got to be allowing JavaScript, but in my experience it pays to have both a scriptblocker and an adblocker. They both have their specialist uses and combined are really powerful.
I don't know anyone who is using Firefox that does not use both a scriptblocker and Adblock Plus.
The scriptblocker is a blunt instrument you can use to ride roughshod over scripts while the adblocker can be much more surgical if necessary.
This article was not a joke but just plainly stupid. What they refer to as a vulnerability actually isn't one, you cannot possibly get any sensitive data this way. Oh, and you cannot get anything from Adblock Plus anyway - because of http://adblockplus.org/en/faq_internal#protectchrome