Is Adblock (Plus) a security risk?
My email-provider's website (http://www.gmx.de) recently started linking to the (German) site http://www.browsersicherheit.info/ which basically claims that due to its capabilities to modify a site's appearance, Adblock Plus (and others) might actually be abused for phishing. Here's a quote from that site plus its translation:
> Solche Add-ons haben Zugriff auf alle Ihre Eingaben im Browser und können diese auch an Dritte weitergeben – auch Ihr Bank-Passwort. Dies kann auf allen Web-Seiten passieren. Sicherheitsmechanismen wie SSL können das nicht verhindern.

> Such addons can access all your browser's input and can also forward them to third parties - even your banking password. This can happen on all websites. Security mechanisms such as SSL cannot avoid that.
Ok, they mention other (pretty obviously crapware) addons, but is Adblock Plus really a security threat or do that site's operators simply use the opportunity to try and scare inexperienced users into viewing their ads again?
This boils down to: Don't run any applications you don't trust. If Adblock were evil, it could steal your login data. If any other executable you run were evil it could do so as well.
Can you clarify the question? Are you asking if Addons like Adblock could _theoretically_ be a security risk, or are you asking if Adblock is _currently_ a security risk?
@MooingDuck Good point - I'm asking about _currently_, since theoretically that should be clearly possible, right?
I wonder how many users started using Adblock Plus after reading all the articles about this? Some entities should really consider the Streisand effect before starting a blackmail campaign.
**Update:** The FUD-site admins (or Adblock itself :) meanwhile removed the adblockers from the list of "bad-ons" (oh dear, that word-creation alone makes me think of B-movies). In addition, Adblock now offered me the option to hide FUD-banners on GMX's homepage. Guess that's not exactly the effect they hoped for...
To be fair, there's been a large number of malware adblock clones in the Chrome webstore. I've reported a few before and eventually got them taken down but have given up now. Some went as far as copying the exact descriptions and icons from the legitimate adblock extensions to get hits. You couldn't tell the difference between `Adblock` and `Adb1ock`. Then with all the fake 5-star ratings... it's hard to tell what is actually legitimate. Just look at all the "Adblock for XXX" extensions that claim to work and all the comments that state otherwise. Just be smart about what you download, people.
@JeffMercado Isn't that a serious problem with Chrome's webstore then? I don't remember such BS happening at Mozilla...
It is, definitely. I'm just saying, people can be misled to think that these clones come from the makers of the legitimate adblock versions. They might think that clone adblock was a scam so all of adblock (clone or not) are scams. It's possible that someone at GMX got burned by this and without really researching this, pushed for this campaign.
It is open source software after all, that should kill this issue once and for all.
Conversely, Adblock is a form of security. Before installing it on Android, I was bombarded with ads prompting me to install an advertiser's app.
@Federico Basically it shows and lets you block any tracking, adding and nagging parts of websites: https://www.ghostery.com/
Tobias, I know and I use it, I was asking because the question of @TheRookierLearner seemed sarcastic and I couldn't understand.
@Federico I think their point was to mockingly suggest using another addon to check how trustworthy adblock is, which merely delegates one's trust from adblock to ghostery...
@Federico - Ya, I am indeed suggesting another add-on. On a different note (about the point that there are multiple add-ons), if you search Google Web Store of extensions for "adblock" you'd get many results like "adblock pro", "adblock premium", "adblock plus" (and the list goes on) and you don't know which is the legit one. Search for "ghostery" on the other hand, you get only one extension. I'm not a fan of ghostery but for some reason it doesn't seem to have multiple copy extensions (and doesn't add to confusion which "adblock" creates)
For the sake of answer, I just went to Ghostery's website and found this: Also, its website clearly states: `Ghostery does not collect any data by default. You may choose to send us data by enabling the Ghostrank feature.` (more in their privacy statement, EULA and FAQs). Again, I just want to assert that I'm not Ghostery's fan or promoter (in fact it sometimes breaks some pages and doesn't block the ads on YouTube) but it doesn't have the confusion (or other crap like "accessing user input") as is the case with other ad-blockers.
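An added example, not part of any post above and not code from Adblock Plus, Ghostery or any extension store: a name check for the lookalike listings the comments describe (`Adb1ock`, "adblock pro", "adblock premium"). The allow-list, the confusables table and the verdict labels are assumptions made for illustration.

```python
import unicodedata

# Names the reviewer treats as the genuine listings (constructed allow-list).
KNOWN = ["Adblock", "Adblock Plus", "Ghostery"]

# Small illustrative confusables table: look-alike digits and Cyrillic letters.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s",
                            "\u0430": "a", "\u0435": "e",
                            "\u043e": "o", "\u0441": "c"})

def skeleton(name):
    """Fold case, accents, confusable characters and punctuation."""
    text = unicodedata.normalize("NFKD", name).casefold()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return "".join(ch for ch in text.translate(CONFUSABLE) if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    """Return (verdict, matched known name or None) for a listing name."""
    plain = " ".join(name.casefold().split())
    skel = skeleton(name)
    for good in KNOWN:
        # Same visible name only: clones can copy names, descriptions and
        # icons, so publisher and extension ID still need checking.
        if plain == good.casefold():
            return "same-name", good
    for good in KNOWN:
        if skel == skeleton(good):          # e.g. "Adb1ock" vs "Adblock"
            return "lookalike", good
    for good in KNOWN:
        if edit_distance(skel, skeleton(good)) == 1:
            return "near-miss", good
    for good in sorted(KNOWN, key=len, reverse=True):
        if skeleton(good) in skel:          # e.g. "adblock premium"
            return "brand-in-name", good
    return "unrelated", None
```
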
I just thought it's important to share this. After using adblock plus I had malware issues. I had adblock installed on my android. I've had my phone for over a year with no issues. After using adblock I would get a popup to adcasch site every time I unlock my screen. It was very suspicious because it appears in my phone's default browser which I never use. I only ever use a third party installed Chrome. I have an antivirus on my phone. It scanned and found no threats. I suspected ad block as it was the last app I downloaded that gave so many permissions to the app. I disabled the app within my
At best this is anecdotal evidence. Are you sure that you installed the real AdblockPlus from adblockplus.org? This isn't really an answer (yet).
Just sharing: I stopped using Adblock Plus because it consumed too much resources on my computer at the time. Now I'm always using my custom VPN, so I made it also be a DNS server, and resolve the known ad and tracking hosts to `0.0.0.0`. Problem solved: ads and tracking unobtrusively disabled on the network level on all my devices configured to use this VPN.
It is not. This is a FUD (fear, uncertainty, and doubt) campaign by GMX because they want to display their ads. There is absolutely no security risk from the mentioned ad blockers. They added some crapware to the list to make it look more legitimate.
Of course such campaigns are very unusual, especially from such a big and well known company like GMX. Unfortunately, I have no English source at hand (because it's a German only campaign) but since you speak German you may want to read this article at heise.de.
Update #1: United Internet, the company behind GMX, received a lot of criticism for misleading customers by falsely claiming that there is a security risk on their PC. The Wall Street Journal (German edition) named the warnings displayed on GMX and the site they link to a "scare campaign".
Update #2: GMX now says that they will no longer display the link when you use ad blockers but will still display it if you use crapware that injects adverts; the list at the site http://www.browsersicherheit.info/ has been updated accordingly and now lists only a small collection of crapware. This list is by no means complete so it is not a reliable source when you want to know if your browser has crapware installed. However, United Internet still maintains its position that they do not want users who visit their sites to use ad blockers and said they will develop other anti-blocking methods in the future (German source).
Thanks for the link, it basically boils down to your answer and goes on to explain that this campaign is not surprising after the announcement of suing Eyeo due to their "Acceptable Ads" feature (link in German, too) - apparently the FUD is based on a Chrome incident
Who do you trust more? ABP (which is under constant scrutiny and would be steamrolled if it replaced mybank.com with something else) or Some Random German Company? COULD an addon be used for `Evil Purposes`? Of course... but without proof it's just blind accusations and FUD.
@WernerCD GMX is a major email provider, one of the top non-gmail providers. It's not "some random German company". And, of all the countries, a *German* company is the one you decide to mistrust?
@Superbest GMX and other German e-mail providers also run the "E-Mail made in Germany" campaign where they mislead customers into thinking that mails sent over their mail servers are safe from surveillance.
@Superbest Well... if it isn't an American company, then it is some other random company. .. ... I jest I jest. But seriously, I would say the same for most companies - and would say the same if Comcast or Google told me to stop using ABP. You have to raise an eyebrow when a company that profits off of advertisements tells you to stop using an ad blocker.
It's really kind of dishonest to say that there's ***no*** risk. However, the risks are small enough that I do agree that this is nothing more than a FUD campaign.
The company behind AdblockPlus (Eyeo) is quite dubious, so warning users in general could be reasonable. Nevertheless, addons like Adblock Edge that use (as far as I know) only open source code based on the original Adblock seem to be more safe. So by looking at the design of the warning message, I also agree that this is mainly a perky FUD campaign intended to increase their ad revenues again. http://www.mobilegeeks.de/adblock-plus-adblockgate-eyo-gmbh/ https://addons.mozilla.org/de/firefox/addon/adblock-edge/
@Superbest "_It's not "some random German company"._" But ADB is known worldwide (like Google). A scandal involving ADB would be great news for the world.
A FUD campaign of this magnitude may be "unusual", but sites saying anything and everything they can to get their ads displayed is hardly a recent phenomenon. Some small, independent sites detect adblocking, and politely request that you disable it on their site because they rely on ad revenue. And then there are major corporate sites like www.denverbroncos.com, which displays a banner claiming "We noticed that you may have an Ad Blocker turned on. Please be aware that our site is best experienced with Ad Blockers turned off." without ever justifying that dubious claim. "Best" for WHOM?