Targeted ads are not a recent phenomenon. I can remember watching Saturday morning cartoons as a child, where every commercial break involved ads aimed at getting kids to ask their parents for the hot new toy, the latest sugary cereal, that once in a lifetime vacation. Just as I can remember that prime time commercials would be for adult products like alcohol, cigarettes and cars. Aiming advertising at a specific demographic has always been a thing. The difference being now – aside from cigarette ads being banned for health concerns – ads are everywhere.
Initially the whole point of cable television was to escape the ads shown on local TV, as well as the content they could show. The same is true of early streaming services when cable became too extensive and expensive, and started showing commercials to increase revenue. But in the digital age, ads have become as ubiquitous as the internet itself. YouTube, social media, even solitaire suites that were originally just part and parcel of any computer’s basic setup. And many of them aren’t just targeted, they’re tailored. The distinction is important. Algorithms often determine what people see these days, and the ads that go with them rely on having data such as location, age, activity and browser history. What followed in this surge of privacy invading data scraping under the guise of giving the user an optimum experience was a way to block them out.
Many, many sites object to adblockers. How can they make any money if no one is seeing their ads? This is two pronged issue. The internet has grown to such breadth that keeping it running is costly, and that money has to come from somewhere. And profit margins have become more about shareholders than service to the consumer. There is no such thing as enough money, one must always make more. But users don’t want to be interrupted, or more accurately, bombarded. Some ads run longer than the clip they’re attached to, or popup/autoplay over whatever the user is doing. Many are now AI generated (which is generally not popular, despite what the AI companies want us to believe). Adblockers have accordingly grown in popularity.
Ever watched a video clip on a platform other than where it’s hosted? For instance, a YouTube video on Facebook or X. An Instagram reel on Tumblr or Discord. Hyperlinks used to take a user to the site to open. Now they can be opened anywhere, at least in some form. The back end of sites like YouTube require permissions, access, and a variety of other traffic communications between host and client to make this possible.
Which brings us to today’s actual topic. Adblock for YouTube is a Chrome Web Store extension with over 11 million installs and a 4.4-star rating. It also apparently contains the architectural ingredients for arbitrary JavaScript execution on any website, according to Island’s report. The extension claims to work only on YouTube, but looking at the configuration settings, one finds that it’s actually written in a way that gives access to every URL. There is a line of code that supposedly checks to make sure the URL contains youtube[.]com, but that does not actually validate the hostname, frame origin, or embedded player context. It’s just looking for that string of characters in that order. In simple terms of consequence, this means it’s a possible vector for malicious injection and remote access and execution due to the nature of those otherwise trusted back end requirements and permissions.
So how did this happen? Adblock for YouTube began as a small startup, and at the time did not contain this particular parameter. But it changed hands in 2018. The codes were rewritten, and the landscape of the web evolved in a way that not every contingency was foreseen. This isn’t the first time an adblocker has had issues with possible malware. Other forms of the extension were removed for being compromised.
So what’s the solution? From a user standpoint there are really only two options: don’t use an adblocker, or switch to a browser that allows one with hardened code configurations (like uBlock Origin on Firefox, which incidentally blocks more than just ads). From a developer perspective, Island has some suggestions. Audit host permissions against stated purpose. Stop making that string of characters be the gate and instead have the URL itself embedded in the code command. Keep watch for remote control paths and manage them like the endpoints they are. Monitor ownership and permission changes. And remember that a digital device is not a living thing. There is a logic to machine ‘thinking’ that’s incredibly literal. If/then, yes/no. Computers can only do what you tell them to, or what you don’t tell them not to do.