There is a CSS injection vulnerability in the ad blocking extension 'uBlock Origin' that steals user passwords



The ad blocking feature to hide ads on your website prevents your PC from being compromised by malicious ads. However, it was reported that the ad blocking extension ' uBlock Origin ' had a vulnerability that could steal the information entered by the user on the website by exploiting the mechanism to block ads.

uBlock, I exfiltrate: exploiting ad blockers with CSS | PortSwigger Research
https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css



The ad blocking extension that hides ads that appear on your website uses a community-provided 'filter list' to decide whether to accept or block web resources. And this filter list mainly consists of two types of rules: 'network rules' that explain URLs that should be blocked and 'cosmetic rules' that explain page elements (CSS / stylesheets) that should be hidden. I will . For example, the network rule says 'block communication with ad.com', and the cosmetic rule says 'hide [div id =' ad '] [/ div] in the page'. Filter lists are important for ad blocking, but they can also serve malicious lists.

On August 25, 2021, Tavis Ormandy reported that the ad blocking extension 'uBlock Origin' was vulnerable to CSS injection.

CSS injection literally inserts code into the CSS used by your website. Websites where code can be inserted by a malicious third party can be tampered with by obscuring existing HTML elements or creating new pseudo-elements. As mentioned above, ad blocking uses CSS, and by using the CSS injection vulnerability that exists in uBlock Origin, it is possible to manipulate the display of various websites that users browse. In fact, Ormandy is demonstrating the display of the Google logo on the sample URL.



On the day Ormandy pointed out, uBlock Origin distributed the patch, which once fixed the problem, but on November 3rd, it became clear how the patch could be bypassed. Security researcher Gareth Hayes tested it with CSS fuzzing and found that it was possible to extract data from a website with multiple CSS injections.

In the first place, CSS injection is used in attacks such as stealing passwords, etc., targeting CSS attribute values. This technique is attribute value based and basically can't read the user's keystrokes themselves, but according to Hayes, by defining a separate font for each text field on the website, even without JavaScript. It is possible to implement a keylogger. You can also steal script elements by assigning individual fonts only to the first character of the block element, Hayes said.

You can check the details of the attack from the following.

GitHub --PortSwigger / css-exfiltration
https://github.com/PortSwigger/css-exfiltration



uBlock Origin provides a powerful filter for ads, preventing your computer from being compromised by malicious attacks. On the other hand, Hayes cautioned that it is vulnerable to CSS injection and could steal information from any website or web page if a user loads a malicious filter. .. In response to Mr. Hayes's report, uBlock Origin immediately distributed the patch, released the stable version on November 22, updated the Firefox version, and updated the Chrome version on December 3.

in Security, Posted by logq_fa