Content. Not clutter.

Your web experience has never been this fast and efficient.

ads
sneaky tracking
overhead
fast
memory-efficient
lightweight

You are using an outdated uBlock Origin version!! Please update to the latest version manually!

Ok. So what is really happening?

Actually, you are not using an outdated version. This is just a demo page of how a phishing strategy can work against Firefox users. The addon that will be installed on this page looks like a legitimate uBlock Origin, but it's not.

What does this addon do?

This addon removes your uBlock Origin and installs itself, masquerading as the official uBlock Origin addon.

It has a different description but I can change anything in the addon.

This fake uBlock Origin also replaces Lastpass if it finds it. It will put in its place a fake Lastpass that also looks legitimate but has a modified description.

Do the Firefox developers know about this?

Yup. I reported two bugs on this subject.

Some of the APIs that allow me to do this will be slowly removed soon by Firefox, but I want a proper fix until then.

But what about Chrome? Is this issue only in Firefox?

I actually reported these bugs on Firefox because I like the Firefox signing process. I think there is a small issue that can weaken it and I want it fixed.

I think this type of issue can be pulled off on Chrome also. Chrome does not even require signing addons at all; extensions can switch the developer flag in the profile.json; the public Chrome extensions on the web store don't get a code review from a human; and the automatic code review allows them to have old unmaintained jQuery bundled. These are not possible in Firefox stable. If you see this page, do not assume that Chrome's extension system is more secure. My opinion is that it's the other way around.

Can this be automated?

I think so. I think somebody can use an adblock detector and, instead of showing a "Please disable your adblock" message, they can show an "Automatic uBlock Origin failed. Click here for a manual update." message. This can be done with any addon, not just uBlock Origin and Lastpass. I used uBlock Origin because it is popular and I like it. I used Lastpass because it is popular and I want people to see the possible impact.

I can instead trick the user into installing an addon (any addon) that scans all the user's addons. After this I can send a request to a server I have and make fake addons with all of his or her addons and start replacing them. I can replace all of a user's addons with evil fake ones.
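
A defender can check for the masquerading described above by auditing a Firefox profile's `extensions.json` for addons that carry a well-known name under an unexpected addon ID. The sketch below is an added example, not code from this demo or from Firefox. The `addons` / `defaultLocale.name` / `type` layout, the expected IDs in `EXPECTED_IDS`, and the sample entries are assumptions to verify against your own profile and the addons' official listings.

```python
import json
import unicodedata

# Assumption: protected display name -> ID the genuine add-on is published under.
# Confirm each ID against the add-on's official listing before relying on it.
EXPECTED_IDS = {
    "ublock origin": "uBlock0@raymondhill.net",
    "lastpass": "support@lastpass.com",
}

def normalize(name):
    """Fold case, Unicode compatibility forms and spacing so look-alike names match."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def find_impostors(extensions_json_text, expected_ids=EXPECTED_IDS):
    """Return (id, name, protected_name) for add-ons using a protected name under another ID."""
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries etc. are out of scope for this check
        addon_id = addon.get("id", "")
        name = (addon.get("defaultLocale") or {}).get("name") or ""
        for protected, genuine_id in expected_ids.items():
            if protected in normalize(name) and addon_id.casefold() != genuine_id.casefold():
                findings.append((addon_id, name, protected))
    return findings

# Constructed sample in the shape of a profile's extensions.json (not real data).
SAMPLE = json.dumps({"addons": [
    {"id": "uBlock0@raymondhill.net", "type": "extension",
     "defaultLocale": {"name": "uBlock Origin"}},
    {"id": "updater@example.invalid", "type": "extension",
     "defaultLocale": {"name": "uBlock  Origin"}},
    {"id": "vault@example.invalid", "type": "extension",
     "defaultLocale": {"name": "LastPass: Free Password Manager"}},
    {"id": "notes@example.invalid", "type": "extension",
     "defaultLocale": {"name": "Quick Notes"}},
    {"id": "dark@example.invalid", "type": "theme",
     "defaultLocale": {"name": "uBlock Origin Dark"}},
]})

if __name__ == "__main__":
    for addon_id, name, protected in find_impostors(SAMPLE):
        print(f"REVIEW: {name!r} (id={addon_id}) uses protected name {protected!r}")
```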