uBlock Origin Legacy (uBO) security concerns Topic is solved


back2themoon
Moon Magic practitioner
Posts: 2801
Joined: 2012-08-19, 20:32

uBlock Origin Legacy (uBO) security concerns

Unread post by back2themoon » 2025-03-16, 16:51

Back in late 2021, some security concerns about uBO were made public. Tests were made on the non-Legacy version. Looks like if you get to install a malicious/hijacked/modified filterlist, bad things can happen.

https://portswigger.net/research/ublock ... s-with-css

They were dealt with in version 1.39.0:
Not entirely sure, but I think these patches were not applied in the Legacy versions we later got? Couldn't find something related here:
I also don't know if these issues are actually relevant to the Legacy version. It'd be good to at least know. Does anyone know?

edit: added issue 1794 to the list above

jobbautista9
Keeps coming back
Posts: 945
Joined: 2020-11-03, 06:47
Location: Philippines

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by jobbautista9 » 2025-03-17, 02:08

Can confirm both proofs of concept being reproducible here in 1.16.6b1, with the latter modified to this:

Code:

##input,input/*
##input[x="*/{}*{background:url(https://hackvertor.co.uk/logos/logo-small.png)}"]

To reproduce, add that to your filters and visit a website like https://portswigger-labs.net/

:akko_derp:

XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.
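
Added example (not part of any post in this thread, and not the patch ported from 1.39.0): a conservative lint that scans a filter list and flags cosmetic filters whose selector part contains CSS comment delimiters or braces, the characters the two filters quoted above depend on. The function name, the hazard list and the sample list are assumptions constructed for illustration.

```javascript
'use strict';

// Characters the filters quoted in the thread rely on. An ordinary element
// selector rarely needs them, so this (assumed) list is deliberately strict.
const HAZARDS = [
  { token: '/*', reason: 'opens a CSS comment' },
  { token: '*/', reason: 'closes a CSS comment' },
  { token: '{',  reason: 'opens a declaration block' },
  { token: '}',  reason: 'closes a declaration block' },
];

// [hostnames]##selector, plus the #@# (exception) and #?# variants.
const COSMETIC_RE = /^([^#]*)#([@?])?#(.+)$/;

// Returns one finding per suspicious cosmetic filter: line number (1-based),
// the selector text, and the reasons it was flagged.
function auditFilterList(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // Skip blanks, "!" comments and the "[Adblock Plus ...]" header line.
    if (line === '' || line.startsWith('!') || line.startsWith('[')) return;
    const m = COSMETIC_RE.exec(line);
    if (m === null) return; // network filter or other syntax: out of scope
    const selector = m[3];
    const reasons = HAZARDS
      .filter(h => selector.includes(h.token))
      .map(h => h.reason);
    if (reasons.length > 0) findings.push({ line: i + 1, selector, reasons });
  });
  return findings;
}

// Constructed sample list: four ordinary entries followed by the two-filter
// shape from the post above, with the image URL swapped for a placeholder.
const SAMPLE_LIST = [
  '! Title: constructed sample list',
  '||ads.example.invalid^',
  '###ad-banner',
  'example.invalid##.sponsored[data-slot="top"]',
  '##input,input/*',
  '##input[x="*/{}*{background:url(https://example.invalid/logo.png)}"]',
].join('\n');

for (const f of auditFilterList(SAMPLE_LIST)) {
  console.log(`line ${f.line}: ${f.selector} -> ${f.reasons.join(', ')}`);
}
```

A hit is a prompt to review the list and its source before subscribing; a legitimate attribute selector that matches a literal brace would also be flagged.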

back2themoon
Moon Magic practitioner
Posts: 2801
Joined: 2012-08-19, 20:32

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by back2themoon » 2025-03-17, 10:12

Thanks for confirming, jobbautista9.

Hopefully, these patches are relatively easy to port (non-XUL version development was still close to last-released Legacy at that point) and even more hopefully UCyborg, AstroSkipper or somebody else might be able to do it. Wish I could.

back2themoon
Moon Magic practitioner
Posts: 2801
Joined: 2012-08-19, 20:32

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by back2themoon » 2025-03-17, 22:50

Tried hinting at gorhill on GitHub for some help, but it didn't go down very well. :think:

Oh well, we are on our own in this case. As for the security concerns, I guess using reputable filterlists, not adding anything under the sun, and practicing responsible web browsing should be enough.

Security software with good web protection (e.g. ESET) which doesn't rely on browser extensions and can thus protect Pale Moon too, wouldn't hurt either.

To be honest, I was a bit surprised the security concern had zero impact on the extension's own creator. He must really hate this version. :?:

frostknight
Astronaut
Posts: 517
Joined: 2022-08-10, 02:25

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by frostknight » 2025-03-18, 05:07

back2themoon wrote:
2025-03-17, 22:50
To be honest, I was a bit surprised the security concern had zero impact on the extension's own creator. He must really hate this version. :?:

I don't see why he cannot just have someone temporarily take over justoff's role on ublock origin legacy.
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!

moonbat
Knows the dark side
Posts: 5517
Joined: 2015-12-09, 15:45

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by moonbat » 2025-03-18, 07:25

frostknight wrote:
2025-03-18, 05:07
I don't see why he cannot just have someone temporarily takeover justoff's role on ublock origin legacy.

UCyborg already forked it (the link on the addons site now directs to his version) so that's a better place to start.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

back2themoon
Moon Magic practitioner
Posts: 2801
Joined: 2012-08-19, 20:32

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by back2themoon » 2025-03-18, 07:44

Wait... did UCyborg just apply the patches? Class act!

Thank you.

https://github.com/UCyborg/uBlock-for-f ... g/1.16.6.0

jobbautista9
Keeps coming back
Posts: 945
Joined: 2020-11-03, 06:47
Location: Philippines

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by jobbautista9 » 2025-03-18, 09:53

Nice! Can confirm that I can no longer reproduce the bug with both proofs of concept. Thanks UCyborg! :thumbup:

BenFenner
Keeps coming back
Posts: 814
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by BenFenner » 2025-03-18, 12:19

:thumbup:

gepus
Board Warrior
Posts: 1005
Joined: 2017-12-14, 12:59

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by gepus » 2025-03-18, 14:37

Thanks! :thumbup:

moonbat
Knows the dark side
Posts: 5517
Joined: 2015-12-09, 15:45

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by moonbat » 2025-03-19, 00:19

Great work, thanks! :clap:

UCyborg
Lunatic
Posts: 332
Joined: 2019-01-10, 09:37
Location: Slovenia

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by UCyborg » 2025-03-19, 11:37

It took a while, but it was doable as that part wasn't much different, despite the 1.39 version being much newer and a number of things already being rewritten to look nicer to read, using newer JS syntax etc. Assuming I didn't break anything since cosmetic filters still seem functional. :P

jobbautista9
Keeps coming back
Posts: 945
Joined: 2020-11-03, 06:47
Location: Philippines

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by jobbautista9 » 2025-03-20, 04:24

back2themoon wrote:
2025-03-17, 22:50
Tried hinting at gorhill on GitHub for some help, but it didn't go down very well. :think:

Saw the issue you opened in the original legacy repo, and gorhill's response seems to suggest to me that UCyborg needs to rebrand and change the name of his fork of uBlock Origin... :think:

sinfulosd
Hobby Astronomer
Posts: 27
Joined: 2022-07-13, 03:01

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by sinfulosd » 2025-03-20, 22:31

jobbautista9 wrote:
2025-03-20, 04:24
back2themoon wrote:
2025-03-17, 22:50
Tried hinting at gorhill on GitHub for some help, but it didn't go down very well. :think:
Saw the issue you opened in the original legacy repo, and gorhill's response seems to suggest to me that UCyborg needs to rebrand and change the name of his fork of uBlock Origin... :think:

Off-topic:
It's really sad that Gorhill abandoned uBlock origin for XUL, and as far as I can see, he has absolutely no plans to ever support uBlock for Pale Moon (Or any UXP-based browser, for that matter). So much that he would rather develop a gimped version of uBlock origin for MV3 instead of retaining the original extension functionality on a different platform that gives him the power to continuously do so. I know it is supposed to be a personal project of his, and it's only him that says how this project will go, but jeez, since it's a personal project and he is not doing it for any type of monetization, wouldn't he care about how far he could take his extension in the usability and how effective it is, instead of how much it is being used, throughout the mainstream web browsers?!
Win7 Ultimate SP1 64-bit
Pale Moon 33.6.1, Firefox 115.21.0esr, Supermium Version 132.0

back2themoon
Moon Magic practitioner
Posts: 2801
Joined: 2012-08-19, 20:32

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by back2themoon » 2025-03-20, 22:37

Here's a suggestion for a new name: uBlock Origin Maxima

(just a thought ;) ) - don't know if a complete name change is needed though.

moonbat
Knows the dark side
Posts: 5517
Joined: 2015-12-09, 15:45

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by moonbat » 2025-03-20, 22:49

Maybe drop all references to uBlock to avoid future copyright trouble - though this would need a new icon as well. The one line description of the extension in install.rdf could state that it is a uBO fork so it's immediately obvious when searching on the addons site.

BenFenner
Keeps coming back
Posts: 814
Joined: 2015-06-01, 12:52
Location: US Southeast

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by BenFenner » 2025-03-21, 00:23

moonbat wrote:
2025-03-20, 22:49
avoid future copyright trouble

trademark ≠ copyright


It could be just me, but I took the "change the name" comment as suggestive, not declarative*, and in relating to the project name since "firefox" is in the name of the project and it clearly doesn't support Firefox anymore. So just for clarity's sake, change the project name.

*Seems strange to make this strong of a demand coming from someone using someone else's trademark in their own naming.

andyprough
Board Warrior
Posts: 1060
Joined: 2020-05-31, 04:33

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by andyprough » 2025-03-21, 01:26

ηBlock / eBlock has a nice ring to it.

Gemmaugr
Moon lover
Posts: 85
Joined: 2025-02-03, 07:55

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by Gemmaugr » 2025-03-21, 01:47

andyprough wrote:
2025-03-21, 01:26
ηBlock / eBlock has a nice ring to it.

This has my vote. Maybe add "Origin" after it, to have it appear as just a possible typo, and since the name uBlock alone is known for being a bad version of this addon.

Michaell
Lunatic
Posts: 329
Joined: 2018-05-26, 18:13

Re: uBlock Origin Legacy (uBO) security concerns

Unread post by Michaell » 2025-03-21, 02:37

uBlockUXP (uBu)
UCBlock (for UCyborg)
JuBlock (in honor of JustOff's contribution)
or maybe
iBlockSupreme (IBS, same as a medical condition)
iBlockSites ( " )
iBlockStuff ( " )
or for Southerners
y'allBlockEr

Or just assign a string of random characters as long as it works! (I don't think Origin should be included since Gorhill used that to distinguish his. And ηBlock / eBlock maybe should be left for Vanilla.)
Win10home(1709), PM33.7.0-portable as of Apr 8, '25