
1036 points deryilz | 2 comments
krackers No.44544544
>They decided it wasn't a security issue, and honestly, I agree, because it didn't give extensions access to data they didn't already have.

So they admit that MV3 isn't actually any more secure than MV2?

replies(4): >>44544732 #>>44547024 #>>44548392 #>>44548589 #
Neywiny No.44544732
I'd be shocked if anyone actually believes them. This article starts with the obvious conflict of interest. Of course letting an extension know what websites you visit and what requests are made is an insecure lifestyle. But I still do it because I trust uBO more than I trust the ad companies and their data harvesters.
replies(6): >>44544764 #>>44544794 #>>44544922 #>>44546339 #>>44547722 #>>44548288 #
matheusmoreira No.44544764
I believe them. The restrictions are reasonable and appropriate for nearly everyone. Extensions are untrusted code that should have as little access as possible. If restrictions can be bypassed, that's a security bug that should be fixed because it directly affects users.

I also think uBlock Origin is so important and trusted it should not only be an exception to the whole thing but should also be given even more access in order to let it block things more effectively. It shouldn't even be a mere extension to begin with, it should be literally built into the browser as a core feature. The massive conflicts of interest are the only thing that prevent that. Can't trust ad companies to maintain ad blockers.

replies(6): >>44544946 #>>44545186 #>>44545270 #>>44545513 #>>44546144 #>>44546298 #
GeekyBear No.44545270
> Extensions are untrusted code that should have as little access as possible.

It's entirely possible to manually vet extension code and extension updates in the same way that Mozilla does as part of their Firefox recommended extensions program.

> Firefox is committed to helping protect you against third-party software that may inadvertently compromise your data – or worse – breach your privacy with malicious intent. Before an extension receives Recommended status, it undergoes rigorous technical review by staff security experts.

https://support.mozilla.org/en-US/kb/recommended-extensions-...

Other factors taken into consideration:

Does the extension function at an exemplary level?

Does the extension offer an exceptional user experience?

Is the extension relevant to a general, international audience?

Is the extension actively developed?

replies(1): >>44547437 #
xnx No.44547437
> It's entirely possible to manually vet extension code and extension updates

I thought the core vulnerability of Manifest v2 is that new code can be loaded by an extension on the fly without any extension update. How would you vet that?

replies(1): >>44547983 #
krackers No.44547983
The same way it's done with V3, because no permission-level blacklist/whitelist is going to prevent the person from creating an interpreter within JS itself.

Looking at https://developer.chrome.com/docs/webstore/troubleshooting#a... it seems most of the heavy lifting is done with some combination of static/dynamic analysis during extension review. The same analysis (plus trivially catching eval) could be done with V2 as well.