Ad Blockers Could Be Hijacked

John Lister's picture

A feature used in several ad blocker tools could be used to "booby trap" websites according to a security researchers. It appears to be a low but credible risk.

The problem is all to do with the way many ad blockers work. In simple terms, they maintain a blacklist of URLs that host ads and other unwanted material. Whenever a website tries to load an ad from an URL on the list, it's blocked from doing so.

Since last summer some ad blockers, including Adblock Plus, added support for a feature called "$rewrite." With this feature, the ad blocker won't just block the unwanted URL from loading but will serve another ad instead.

'Volunteers' Could Turn Malicious

Sometimes this is just for aesthetic reasons, such as replacing the ad image with a cute cat picture (for example). Sometimes, it's for more practical reasons such as delivering third party content but bypassing tracking tools. Another use is forcing a website to skip straight to the main content of an embedded video rather than showing an ad first.

By design, $rewrite has several intentional limitations to stop this from being abused. However, researcher Armin Sebastian has shown that these limitations have security holes that make it possible for the ad blocker tool to replace the ad with malicious code that creates a security or privacy risk. (Source:

Naturally the operators of the ad blocker wouldn't exploit these security holes. Instead, the problem lies with another ad blocker feature: third party blacklists which users can add on. These are often maintained by volunteers and the idea is to increase the likelihood of blocking newly created sources of advertising.

Feature Disabled For Safety

While most of these lists can be trusted, there have been cases where the blacklists have been abused. For example, one list blocked links to a set of websites on political grounds, even though they were nothing to do with advertising.

The makers of Adblock Plus say they not only vet all third parties who provide blacklists, but they also regularly check the lists themselves. However, they also said "It is our responsibility to protect our users, and despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible." (Source:

Attention Readers: A Note On Ad blocking

As always, when we mention ad-blocking tools, we should point out that ad revenue is absolutely vital to covering the staff and running costs that let us bring Infopackets articles to our audience. Most ad-blocking tools allow users to manually add a site to a white list, which means ads are still displayed on that site. We would be extremely grateful if our readers that use ad-blocking tools add Infopackets to their white list. Much thanks!

What's Your Opinion?

Do you use an ad blocker and if so, do you knowingly use any third party lists? Are you concerned that ad blockers could be compromised, either to block legitimate sites or deliver unwanted code? Do security researchers make too much of a big deal about flaws that are unlikely to be abused or is it better to nip potential problems in the bud?

Rate this article: 
Average: 5 (7 votes)


SteveMann's picture

"We would be extremely grateful if our readers that use ad-blocking tools add Infopackets to their white list. Much thanks!"

WHEN will webmasters learn that 30 or 40 ads on a single page is just too much?

Infopackets is on my whitelist because there are usually less than ten ads blocked, but it's not unusual for me to see ADP blocking 30, 40 even more than 50 ads If the ad-supported sites would just learn moderation, there would be a lot less need for ad blockers.

Dennis Faas's picture

I agree with you, though based on my experience the number of ads being displayed also has to do with ad inventory.

For example, we use Vibrant Media and Google as ad partners. Some days Vibrant Media doesn't display any ads (or very few), and other days there are many ads on a single page and that can be annoying. Unfortunately we don't have control over how many ads are displayed on a single page.

On the other hand, some websites use horrible ad networks which spam the entire page. Or they use ad networks that force popups on the screen. Those type of sites are horribly annoying.

lgitschlag_3159's picture

I agree with SteveMann.

davolente_10330's picture

Agree. Way too many distracting ads. on many sites. I appreciate that sites have to be funded but many are OTT.