Does adblock plus do more than block ads?
Introduction: I decided to build a Chrome plugin for my girlfriend and found out that any plugin can track your entire web browsing activity.
My girlfriend has been selling a lot of stuff on the hit new shopping app called Poshmark. She asked if I could “build a thing, that like pulls out hot purses and stuff that’s selling well?” and this led me down a rabbit hole.
My girlfriend is an order of magnitude smarter than me, and I was instantly dumbfounded by how profitable an endeavor building a Poshmark Chrome extension could become if done quickly.
I made some grilled cheeses from a recipe app I’m consulting on called “Cooking to Impress Chicks” and we ate them while we planned the dev sprints.
We quickly found a solution: we decided to build a Chrome plugin with a cute bunny rabbit icon called “oh my posh!” which simply collects, categorizes and counts all the product types marked as sold in the last week on whatever page she’s on. Then I noticed how much page-level data I had access to with a Chrome extension and began thinking of Adblock Plus.
How does Adblock Plus make money? Selling user data, perhaps?
- A valuable male’s yearly data on Facebook is worth an average of $30.38 when sold to advertisers to deliver an ad
- A valuable female’s yearly data on Facebook is worth about $37.98 per user-data year when sold to advertisers to deliver an ad
According to a Stack Overflow thread titled “is adblockplus a security risk”, it appears that Adblock Plus can in fact report your entire browser session to whomever they choose.
I decided to dig in and investigate using classic software QA techniques…
Hypothesis: installing Adblock Plus as a Chrome plugin will create persistent callbacks and thus identify me across domains.
Enough #humblebragging; this is where stuff gets weird. Two years ago I’d worked for a giant retail company whose site was in the process of being updated. We had a really weird “hack” occur. Our site comments, etc. were protected; however, I did a deep dive into our requests using a tool similar to Wireshark and found some interesting things:
- We were firing multiple Google Analytics tags despite having only hardcoded one
- I was seeing requests to some really wacky domains like cd2.buckethosting.sketch
Expected Outcome: Adblock Plus tracks the hell out of you
This is when it dawned on me that one of our third-party tags was in fact not only firing requests, but was even firing pixel trackers used by images in the Google Chrome extensions themselves. We had client-side scripting attacks and didn’t even know! (See CSRF tokens for advice on how to protect against this.)
Using the same forensic technique I’d used to get a $1B/year corporation unbanned from Google for having malware (I did this in one day since they really wanted it fixed quickly), I decided to see what other interesting “user-benefit features” Adblock Plus may also have.
- Killed all browser processes on my Ubuntu 14.04 desktop machine (which has come leaps and bounds, by the way)
- Opened a fresh install of Google Chrome in a single window with only Adblock Plus running
- Opened and refreshed chrome://net-internals
Experiment: run one DNS/request waterfall for Chrome hitting medium.com without the Adblock Plus plugin, then compare it to the waterfall for Chrome hitting medium.com with Adblock Plus installed.
Step 1 — Identified the normal state of a Chrome browser session without externalities
These are the requests after hitting the medium.com page using a vanilla Chrome browser, in both incognito and normal mode.
- Looks mostly like Google security traffic, and nothing out of the ordinary
- The 172.217 series appears to resolve to Google in Mountain View
Results — Adblock Plus at minimum appears to do more than just block ads
- It appears Adblock Plus sends data to at least 10 IPs
- At least 2 of the Adblock Plus IPs had expired or missing TLS certificates
- Adblock Plus only triggers requests to these IPs the first time a user hits a page
- Adblock Plus has the ability to block some ads on some sites, and let others in at will
- Medium.com uses Cloudflare, and all of their IPs were secure
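The comparison behind this experiment (and the hypothesis above, that the extension creates callbacks that follow you across domains) can be made mechanical instead of eyeballing two waterfalls. The script below is an added example, not code from the original post or from Adblock Plus. It takes hand-entered connection observations for a baseline session and an extension-enabled session and reports four things: which hosts the extension adds over the baseline, which of them it contacts only on the first load of a page, which it reaches under more than one first-party site (the cross-domain correlation signal the hypothesis predicts), and which presented no certificate or an expired one. Every host name, date and observation is constructed for the example (the `*.ext.example` hosts are hypothetical); in practice you would fill `OBSERVED` from a chrome://net-export log or a packet capture.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Conn:
    """One outbound connection observed during a browser session."""
    session: str                    # "baseline" (vanilla Chrome) or "extension" (Chrome + the extension)
    site: str                       # first-party site the tab navigated to
    load: int                       # 1 = first load of the page, 2 = reload
    host: str                       # remote host the browser contacted
    cert_not_after: Optional[date]  # certificate expiry; None = no TLS certificate presented


def _rows(session: str, site: str, load: int,
          hosts: Iterable[tuple[str, Optional[date]]]) -> list[Conn]:
    return [Conn(session, site, load, host, expiry) for host, expiry in hosts]


# Constructed sample observations: hypothetical hosts and dates, not real capture data.
MEDIUM = [("medium.com", date(2018, 6, 1)),
          ("cdn-client.medium.com", date(2018, 6, 1)),
          ("clients2.google.com", date(2018, 3, 1))]
OTHER = [("example.org", date(2018, 9, 1)),
         ("clients2.google.com", date(2018, 3, 1))]
EXT_FIRST_LOAD = [("beacon.ext.example", None),              # plain HTTP, no certificate
                  ("update.ext.example", date(2016, 1, 1)),  # certificate already expired
                  ("filters.ext.example", date(2018, 12, 1))]
EXT_RELOAD = [("filters.ext.example", date(2018, 12, 1))]

OBSERVED: list[Conn] = (
    _rows("baseline", "medium.com", 1, MEDIUM)
    + _rows("baseline", "medium.com", 2, MEDIUM)
    + _rows("baseline", "example.org", 1, OTHER)
    + _rows("extension", "medium.com", 1, MEDIUM + EXT_FIRST_LOAD)
    + _rows("extension", "medium.com", 2, MEDIUM + EXT_RELOAD)
    + _rows("extension", "example.org", 1, OTHER + [("beacon.ext.example", None)])
)
TODAY = date(2017, 6, 1)  # the (constructed) capture date used for certificate checks


def hosts_added_by_extension(obs: Iterable[Conn], treatment: str = "extension",
                             control: str = "baseline") -> set[str]:
    """Hosts contacted in the treatment session that never appear in the control session."""
    seen: dict[str, set[str]] = defaultdict(set)
    for c in obs:
        seen[c.session].add(c.host)
    return seen[treatment] - seen[control]


def first_load_only(obs: Iterable[Conn], session: str = "extension") -> set[str]:
    """Hosts a session contacts on the first load of a site but not on any later load of it."""
    by_site: dict[str, dict[int, set[str]]] = defaultdict(lambda: defaultdict(set))
    for c in obs:
        if c.session == session:
            by_site[c.site][c.load].add(c.host)
    result: set[str] = set()
    for loads in by_site.values():
        if len(loads) < 2:
            continue  # a site visited only once gives no reload to compare against
        later = set().union(*(hosts for load, hosts in loads.items() if load > 1))
        result |= loads[1] - later
    return result


def _same_site(host: str, site: str) -> bool:
    return host == site or host.endswith("." + site)


def cross_site_hosts(obs: Iterable[Conn], session: str = "extension") -> set[str]:
    """Third-party hosts contacted under more than one first-party site.

    A host that sees the same browser from every site it visits can correlate that
    browsing across domains, which is exactly what the hypothesis predicts."""
    sites_per_host: dict[str, set[str]] = defaultdict(set)
    for c in obs:
        if c.session == session and not _same_site(c.host, c.site):
            sites_per_host[c.host].add(c.site)
    return {host for host, sites in sites_per_host.items() if len(sites) > 1}


def certificate_problems(obs: Iterable[Conn], today: date) -> dict[str, str]:
    """Hosts that presented no certificate or an already-expired one, keyed by host."""
    problems: dict[str, str] = {}
    for c in obs:
        if c.cert_not_after is None:
            problems[c.host] = "no certificate (plain HTTP)"
        elif c.cert_not_after < today:
            problems[c.host] = f"expired {c.cert_not_after.isoformat()}"
    return problems


def report(obs: list[Conn], today: date) -> dict[str, object]:
    """Differential summary: what the extension session does that the baseline does not."""
    return {
        "added_hosts": sorted(hosts_added_by_extension(obs)),
        "first_load_only": sorted(first_load_only(obs)),
        # subtract the baseline so the browser's own cross-site hosts (Google) are not blamed on the extension
        "new_cross_site": sorted(cross_site_hosts(obs, "extension") - cross_site_hosts(obs, "baseline")),
        "cert_problems": certificate_problems(obs, today),
    }


if __name__ == "__main__":
    for key, value in report(OBSERVED, TODAY).items():
        print(f"{key}: {value}")
```

The baseline subtraction in `new_cross_site` matters: a vanilla Chrome already talks to Google hosts from every site, so a host only counts against the extension if it is cross-site in the extension run and absent from the baseline run. Run the two sessions on the same machine, same day, same pages, with the tab reloaded at least once, or the first-load test has nothing to compare.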
Would you be interested in me doing a follow-up to this? If so, simply answer in this Twitter poll and I’ll make one when the ‘yes’ answers hit 100!