uBlock Origin Legacy (uBO) security concerns Topic is solved

[back2themoon]

Back in late 2021, some security concerns about uBO were made public. Tests were made on the non-Legacy version. Looks like if you get to install a malicious/hijacked/modified filterlist, bad things can happen.

https://portswigger.net/research/ublock ... s-with-css

They were dealt with in version 1.39.0:

https://github.com/gorhill/uBlock/releases/tag/1.39.0

https://github.com/uBlockOrigin/uBlock- ... ssues/1794
https://github.com/uBlockOrigin/uBlock- ... ssues/1797
https://github.com/uBlockOrigin/uBlock- ... ssues/1806
https://github.com/uBlockOrigin/uBlock- ... ssues/1811

Not entirely sure, but I think these patches were not applied in the Legacy versions we later got? Couldn't find something related here:

https://github.com/gorhill/uBlock-for-f ... ts/master/
https://github.com/UCyborg/uBlock-for-f ... y/releases
https://msfn.org/board/topic/183923-ext ... nt-1258602

I also don't know if these issues are actually relevant to the Legacy version. It'd be good to at least know. Does anyone know?

edit: added issue 1794 to the list above

[jobbautista9]

Can confirm both proofs of concept being reproducible here in 1.16.6b1, with the latter modified to this:

Code: Select all

##input,input/*
##input[x="*/{}*{background:url(https://hackvertor.co.uk/logos/logo-small.png)}"]

To reproduce, add that to your filters and visit a website like https://portswigger-labs.net/

[back2themoon]

Thanks for confirming, jobbautista9.

Hopefully, these patches are relatively easy to port (non-XUL version development was still close to last-released Legacy at that point) and even more hopefully UCyborg, AstroSkipper or somebody else might be able to do it. Wish I could.

[back2themoon]

Tried hinting at gorhill on GitHub for some help, but it didn't go down very well.

Oh well, we are on our own in this case. As the for security concerns, I guess using reputable filterlists, not adding anything under the sun, and practicing responsible web browsing should be enough.

Security software with good web protection (e.g. ESET) which doesn't rely on browser extensions and can thus protect Pale Moon too, wouldn't hurt either.

To be honest, I was a bit surprised the security concern had zero impact on the extension's own creator. He must really hate this version.

[frostknight]

To be honest, I was a bit surprised the security concern had zero impact on the extension's own creator. He must really hate this version.

I don't see why he cannot just have someone temporarily takeover justoff's role on ublock origin legacy.

[moonbat]

I don't see why he cannot just have someone temporarily takeover justoff's role on ublock origin legacy.

UCyborg already forked it (the link on the addons site now directs to his version) so that's a better place to start.

[back2themoon]

Wait... did UCyborg just apply the patches? Class act!

Thank you.

https://github.com/UCyborg/uBlock-for-f ... g/1.16.6.0

[jobbautista9]

Nice! Can confirm that I can no longer reproduce the bug with both proofs of concept. Thanks UCyborg!

[BenFenner]

[gepus]

Thanks!

[moonbat]

Great work, thanks!

[UCyborg]

It took a while, but it was doable as that part wasn't much different, despite 1.39 version being much newer and number of things already being rewritten to look nicer to read, using newer JS syntax etc. Assuming I didn't break anything since cosmetic filters still seem functional.

[jobbautista9]

Tried hinting at gorhill on GitHub for some help, but it didn't go down very well.

Saw the issue you opened in the original legacy repo, and gorhill's response seems to suggest to me that UCyborg needs to rebrand and change the name of his fork of uBlock Origin...

[sinfulosd]

Tried hinting at gorhill on GitHub for some help, but it didn't go down very well.

Saw the issue you opened in the original legacy repo, and gorhill's response seems to suggest to me that UCyborg needs to rebrand and change the name of his fork of uBlock Origin...

Off-topic:
It's really sad that Gorhill abandonded uBlock origin for XUL, and as far as I can see, he has absolutely no plans to ever support uBlock for Pale Moon (Or any UXP-based broswer, for that matter). So much that he would rather develop a gimped version of uBlock origin for MV3 instead of retaining the original extension functionality on a different platform that gives him the power to continuously do so. I know it is supposed to be a personal project of his, and it's only him that says how this project will go, but jeez, since it's a personal project and he is not doing it for any type of monetization, wouldn't he care about how far he could take his extension in the usability and how effective it is, instead of how much it is being used, throughout the mainstream web browsers?!

[back2themoon]

Here's a suggestion for a new name: uBlock Origin Maxima

(just a thought ) - don't know if a complete name change is needed though.

[moonbat]

Maybe drop all references to uBlock to avoid future copyright trouble - though this would need a new icon as well. The one line description of the extension in install.rdf could state that it is a uBO fork so it's immediately obvious when searching on the addons site.

[BenFenner]

avoid future copyright trouble

trademark ≠copyright


It could be just me, but I took the "change the name" comment as suggestive, not declarative*, and in relating to the project name since "firrfox" is in the name of the project and it clearly doesn't support Firefox anymore. So just for clarity's sake, change the project name.

*Seems strange to make this strong of a demand coming from someone using someone else's trademark in their own naming.

[andyprough]

ηBlock / eBlock has a nice ring to it.

[Gemmaugr]

ηBlock / eBlock has a nice ring to it.

This has my vote. Maybe add "Origin" after it, to have it appear as just a possibly typo, and since the name uBlock alone is known for being a bad version of this addon.

[Michaell]

uBlockUXP (uBu)
UCBlock (for UCyborg)
JuBlock (in honor of JustOff's contribution)
or maybe
iBlockSupreme (IBS, same as a medical condition)
iBlockSites ( " )
iBlockStuff ( " )
or for Southerners
y'allBlockEr

Or just assign a string of random characters as long as it works! (I don't think Origin should be included since Gorhill used that to distinguish his. And ηBlock / eBlock maybe should be left for Vanilla.)