eyeo Adblock Plus
cpe:2.3:a:adblockplus:adblock_plus:*:*:*:*:chrome:*:*
- <= 4.36.2
A vulnerability exists in eyeo Adblock Plus versions through 4.36.2 on Chrome, specifically within the Legacy Premium Activation component. The issue arises in the postMessage function of premium.preload.js, where improper access controls allow for unauthorized activation of Premium subscriptions. This vulnerability can be exploited remotely by sending a crafted message from accounts.adblockplus.org, bypassing the payment verification process. Although the exploit has been made public, it does not grant permanent access to Premium features, as the activated trial license expires within 24 hours unless a valid subscription is confirmed.
Exploitation of this vulnerability allows any user to activate Premium features without payment, bypassing the subscription model entirely. This could lead to significant financial losses for eyeo GmbH, given the scale of their user base.
To reproduce this vulnerability, install the Adblock Plus extension for Chrome and navigate to 'https://accounts.adblockplus.org'. Open the browser's Developer Tools console and execute a crafted postMessage event simulating a payment success, including a userId. The extension will accept this message without proper origin validation, activating Premium features. This exploitation can be completed in approximately 30 seconds.
This vulnerability has been patched. Users running versions through 4.36.2 are advised to update to the latest version of Adblock Plus, which can be downloaded from the Chrome Web Store.
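The defensive counterpart to the flaw described above, as an added example that is not Adblock Plus code: a page-to-extension message handler that rejects messages from origins other than accounts.adblockplus.org, validates the payload shape, and still refuses to enable Premium until a backend check confirms the subscription, since a message from the page context can be forged by anyone who can run script there. The names `ALLOWED_ORIGIN`, `validatePremiumMessage`, `activatePremiumFromMessage`, `installListener` and the injected `verifyLicense` callback are assumptions for illustration.

```javascript
// Illustrative handler (not the extension's own code). The origin check is
// necessary but not sufficient: a message from the allowed origin is still
// only a hint, and the licensing backend is the source of truth.
const ALLOWED_ORIGIN = "https://accounts.adblockplus.org";

// Pure validation step: returns {ok: true, userId} or {ok: false, reason}.
function validatePremiumMessage(event, allowedOrigin = ALLOWED_ORIGIN) {
  if (event.origin !== allowedOrigin) {
    return { ok: false, reason: "origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "payment_success") {
    return { ok: false, reason: "shape" };
  }
  // Constrain the identifier before it reaches any storage or network call.
  if (typeof data.userId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(data.userId)) {
    return { ok: false, reason: "userId" };
  }
  return { ok: true, userId: data.userId };
}

// Activation happens only after an out-of-band confirmation. `verifyLicense`
// is an assumed async function (userId) => Promise<boolean> that asks the
// backend whether a paid subscription exists for that user.
async function activatePremiumFromMessage(event, verifyLicense, state) {
  const checked = validatePremiumMessage(event);
  if (!checked.ok) {
    state.rejected.push(checked.reason);
    return false;
  }
  const confirmed = await verifyLicense(checked.userId);
  if (!confirmed) {
    state.rejected.push("unverified");
    return false;
  }
  state.premium = true;
  state.userId = checked.userId;
  return true;
}

// Wiring as a content script would do it; kept as a function so the logic
// can be exercised with a constructed event target instead of a real window.
function installListener(target, verifyLicense, state) {
  target.addEventListener("message", (event) =>
    activatePremiumFromMessage(event, verifyLicense, state));
}
```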