(The quickest way to register)

Forum

  1. User picture
    • osfijwoei390WEFw23sf on Sun 08 Nov 2009
    • 10:08:14 PM UTC

    Possible security risk with Adblock Plus subscriptions

    I've been reading up on some articles about the security risk posed by non-encrypted updates for Firefox extensions. Then, I checked out my Adblock Plus subscriptions and the subscriptions page for Adblock Plus at http://adblockplus.org/en/subscriptions. It hit me that these subscriptions are not required to use SSL encryption! I believe some of the Adblock Plus subscriptions use encryption and some don't.

    For example, if you subscribe to the Malware Domains subscription, it subscribes to the list at http://malwaredomains.lanik.us/malwaredomains_full... and downloads that file for updates.

    However, there is no encryption for this URL, which means that it is vulnerable to a man in the middle attack where someone could alter the file in transit. For example, a possible scenario for attack would be if you are on a public wireless hotspot and Adblock Plus does a subscription update. A hacker could be on the same hotspot with a packet sniffer and watch for requests to known subscription locations. The hacker could then spoof packets for the update file and you would not know that it occurred. This could seriously mess with the workings of Adblock Plus and poses a security risk.

    Anyone have thoughts on this? Should I unsubscribe from the Malware Domains list until it gets SSL encryption?

Comments:

  2. User picture
    • hotdoge3 on Sun 08 Nov 2009
    • 11:22:07 PM UTC

    and unsubscribe Microsoft as

    and unsubscribe Microsoft as well and all up dates, to do that in Firefox tools, Options ,Advanced, up date, ask me what I want to do.
    may help you may know this you not safe on the net.
    • User picture
      • osfijwoei390WEFw23sf on Sun 08 Nov 2009
      • 11:31:38 PM UTC

      That's the separate update for

      That's the separate update for all extensions. The subscription updates in Adblock Plus are done by the extension itself. Although, you can disable those updates. But the real problem is the vulnerability of Adblock Plus subscriptions to man in the middle attacks because some subscriptions are simply download as plain text files with no encryption.
  3. User picture
    • jpvip on Mon 09 Nov 2009
    • 12:12:48 AM UTC

    ...

    Those AdBlock Plus subscriptions were in an advisory last summer, if not before. This is nothing new. I stopped using subscriptions late last year. lol

    ~DragonMaster Jay, malware researcher,
    Admin, helpmyos.com
    • User picture
      • osfijwoei390WEFw23sf on Mon 09 Nov 2009
      • 12:17:43 AM UTC

      Got a link for that

      Got a link for that advisory? Also, do you know if there is anyway to check the URL's that Firefox extensions contact for updates in the Addons window of Firefox?
  4. User picture
    • jpvip on Mon 09 Nov 2009
    • 02:51:08 AM UTC

    :::List:::

    These are just a few indirect vulnerability. You have to be a developer and registered through the Mozilla network to be able to access bug advisories specific for add-ons. However, AdBlock Plus has CONSTANTLY been plagued with attacks from Internet users, because companies hate when their ads are blocked. There are critics and trolls that have taken strong stance again AdBlock Plus - and will slander them constantly. Other than seeing a few minor vulnerabilities, I see no other advisories for AdBlock Plus.

    Firefox 2.0 warning: http://adblockplus.org/blog/to-anybody-using-firef...

    Use of SSL to keep the hackers out: http://adblockplus.org/blog/adblockplusorg-now-wit...

    Public vulnerability advisory for Dec. 2008: http://adblockplus.org/blog/filtersetg-webpage-has...

    The private one is available to developers. Unfortunately, I cannot give a link to the page, because it requires an account to access.

    ~DragonMaster Jay, malware researcher,
    Admin, helpmyos.com
  5. User picture
    • g7w on Mon 09 Nov 2009
    • 03:20:11 AM UTC

    MDC

    https://developer.mozilla.org/en/Install_Manifests...
    -------
    WOT Services Ltd. - gives us safety through Web of Trust.
    WOT Community - gives us security through unity.
    Thank you all
    - G7W
  6. User picture
    • osfijwoei390WEFw23sf on Mon 09 Nov 2009
    • 03:34:03 AM UTC

    Thanks for the info, guys.

    Thanks for the info, guys. That pretty much answers my question. I will unsubscribe from the Malware Domains list until it uses SSL to transfer the list.
    • User picture
      • g7w on Mon 09 Nov 2009
      • 03:43:53 AM UTC

      update key?

      does your extension utilize an update key? If so, then HTTPS is not required; read the link I posted. I do not use AdBlockPlus, so I don't know...
      -------
      WOT Services Ltd. - gives us safety through Web of Trust.
      WOT Community - gives us security through unity.
      Thank you all
      - G7W
      • User picture
        • osfijwoei390WEFw23sf on Mon 09 Nov 2009
        • 03:50:37 AM UTC

        I don't think it does. There

        I don't think it does. There is no mention of the usage of an update key for the subscriptions. The Malware Domains list is accessible as plain text over HTTP and AdblockPlus shows the URL it uses to grab the list from. It's looks to be a security hole where some subscriptions have authentication and others don't.
  7. User picture
    • jpvip on Mon 09 Nov 2009
    • 04:11:19 AM UTC

    I recommend....

    To use a HOSTS file over AdBlock Plus. MysteryFCM does hpHosts, which is the only good one from my understanding. I am not sure of others. A HOSTS file, especially one to block ad networks, would be better to use than AdBlock Plus.

    ~DragonMaster Jay, malware researcher,
    Admin, helpmyos.com
  8. User picture
    • demonluo on Tue 10 Nov 2009
    • 01:57:53 AM UTC

    i perfer

    i perfer hostsman...
    http://www.abelhadigital.com/