1

uBlock is open source and suppose I trust the author. But filter lists are something that is maintained by other people. Is it possible to add something to a filter list to compromise computer/browser, for example, get my data and send them to the attacker's server?

The question was emerged by reading:

High-medium generic filters are implemented as follow: All the high-medium generic filters which matches the 8 first characters of the URL of a link on a web page will be seen as relevant to the web page and thus a CSS selector based on these filters will be injected in the web page, in order to hide the unwanted links.

If the author of the extension not only hides DOM elements, but injects something (CSS?, only CSS?, is safe to inject CSS?) to the page, can it be possible to inject JS script to all my pages, which will send my data to the attacker's server?

schroeder
  • 123,438
  • 55
  • 284
  • 319
ceth
  • 725
  • 1
  • 6
  • 17

1 Answers1

2

Without doing a complete code review of uBlock, the answer would be "yes" the author of an extension that has access to modify the DOM could add and remove CSS and JS. The LastPass chrome extension injects javascript to form-fill passwords. uBlock uses CSS and blocks remote library requests. Both of these permissions can lead to vulnerabilities and unintended consequences such as the recent revelation that CSS can be used to steal credit card information under certain circumstances.

I have personally seen rogue extensions that have been installed on customer machines that add "Russian Bride" and pharmacy ads to Google's homepage by modifying the DOM.

That being said, the community that works with uBlock block lists are diligent, and if there was a problem, I would imagine it would be short lived.

In the end, as you pointed out in your question, you have to decide if you are going to trust the extension and the author.

TBridges42
  • 223
  • 2
  • 10
DrDamnit
  • 854
  • 4
  • 12
  • 2
    Can blocklists actually inject CSS/JavaScript into websites? How powerful is the syntax of these blocklists? I though it is nothing more than a host blacklist... – Philipp Aug 06 '17 at 19:41
  • 4
    The CSS uBlock Origin uses is to apply the style property `display: none !important;` to **existing** DOM elements on the page to visually remove them. The CSS trick you link to requires to inject **new** DOM elements on the page, something uBO doesn't do (aside `style` tags as said above for browsers not supporting user styles, i.e. Chrome, Edge, etc.) uBO may also inject `script` tags to deal with hard cases such as anti-blocker, but the content of these scriptlets are completely under control of the project, no external filter list authors can create scriptlet. – R. Hill Aug 06 '17 at 21:15