Megalith
24-bit/48kHz
- Joined
- Aug 20, 2006
- Messages
- 13,000
uBlock Origin has come under fire for being a little too eager in its quest to murder nasty stuff on the internet: the ad-blocking plugin is preventing browsers from sounding the alarm on hacking attacks. At the heart of the matter is a fairly new technology called content security policy reporting, or CSP reporting, which websites can use to whitelist the scripting code that's allowed to run on their pages, thus stopping attackers from injecting malicious JavaScript into browsers that hijack users' logged-in accounts.
It's supposed to kill cross-site-scripting, aka XSS, attacks, and automatically report hacking attempts back to the website's administrators. It's very handy. However, uBlock Origin is blocking browsers from sending these CSP alerts, infosec consultant Scott Helme reported on Monday in a bug report on the uBlock Origin GitHub repo. That means site developers and admins may be unaware of attempts to exploit weaknesses in their code, vulnerabilities may not be addressed, and people may end up losing control of their accounts if attacked.
It's supposed to kill cross-site-scripting, aka XSS, attacks, and automatically report hacking attempts back to the website's administrators. It's very handy. However, uBlock Origin is blocking browsers from sending these CSP alerts, infosec consultant Scott Helme reported on Monday in a bug report on the uBlock Origin GitHub repo. That means site developers and admins may be unaware of attempts to exploit weaknesses in their code, vulnerabilities may not be addressed, and people may end up losing control of their accounts if attacked.