POC: Bypassing Adblock Plus or Similar Image Blockers

[GµårÐïåñ]

As promised, here is the POC that I had been holding on to until it got leaked by one of my students and I finally got around to posting a clean copy of it on my blog, so if you want to check it out, go for it. The concept is so simple, makes you wonder what else HTML/CSS can do? But, although nothing earth shattering, just another way to bypass ads from being blocked, if the source is determined it could have implications that those pesky ads, we can't block them anymore. Image if a giant like Google decided to go this route?

This is a very benign and simple example, but creating ANY image/dimension using image plotting tools will be very easy. I did this using a simple loop heuristic, but that can easily be adapted into a program that can take any ad image, pixel it like this and totally bypass all filtering. Furthermore, you can embed the URL of the ad into the style element as well (which I did not do in this example) so to make it clickable too; now image the horror

Anyway, enough said - Have fun: Use HTML/CSS to Defeat Adblock Plus and Similar

[Tom T.]

The POC is easily defeated by View > Page Style > No Style. which in effect disables CSS, as you said at the POC site.

This is not unusual for me. When sites go way too far on the graphics, purple-and-pink-checked b/g, not enough contrast between text and b/g, etc., I use the above on such sites. Becomes like the old days, black text on white b/g, blue links. Navigates a little more strangely, but gets rid of whatever it is that is so annoying.

So yes, there is a way to prevent such things built right into Fx, although you're right, ABP won't do it. If you want something done completely ....

[dhouwn]

The POC is easily defeated by View > Page Style > No Style. which in effect disables CSS, as you said at the POC site.

Unless you recreate this 90s-styles using tables and the bgcolor attribute.
I believe The GIMP used to had a export feature for converting images into the "HTML format" which would create "images" in exactly such a format. I didn't quite understood what this was for, especially considering that (at this time modern) Netscape 4 crashed immediately when viewing documents created from images larger than a 16x16 icons this way.

[Tom T.]

The POC is easily defeated by View > Page Style > No Style. which in effect disables CSS, as you said at the POC site.

Unless you recreate this 90s-styles using tables and the bgcolor attribute. .

Guardian's POC, *as written*, was defeated. If you have another POC to post, that's another issue.

[dhouwn]

Guardian's POC, *as written*, was defeated. If you have another POC to post, that's another issue.

There you go: http://dl.dropbox.com/u/2130149/smiley.html
But apparently I was wrong in assuming that setting "page style" to "no style" does only mean that styling using CSS is deactivated, so using this method such an ad could still be "defeated" in Firefox but not IE (where turning off page styling it apparently works like I expected it).

[Tom T.]

Guardian's POC, *as written*, was defeated. If you have another POC to post, that's another issue.

There you go: http://dl.dropbox.com/u/2130149/smiley.html
But apparently I was wrong in assuming that setting "page style" to "no style" does only mean that styling using CSS is deactivated, so using this method such an ad could still be "defeated" in Firefox

Indeed.

but not IE (where turning off page styling it apparently works like I expected it).

Who uses IE?

[GµårÐïåñ]

Guardian's POC, *as written*, was defeated. If you have another POC to post, that's another issue.

There you go: http://dl.dropbox.com/u/2130149/smiley.html
But apparently I was wrong in assuming that setting "page style" to "no style" does only mean that styling using CSS is deactivated, so using this method such an ad could still be "defeated" in Firefox but not IE (where turning off page styling it apparently works like I expected it).

You are using TABLE elements which is just fine and valid, but less "transparent" and also NO ONE makes ads THAT big to cover the WHOLE page, so it would reasonably be smaller but just the same your huge ass smiley loaded just fine and didn't crash anything, so still could work. Also given ABP is a Fx addon, the point was moot on IE or anything else but as Tom already pointed out, you could also disable the same CSS/styling functionality in Fx too, just like IE.

[tlu]

So yes, there is a way to prevent such things built right into Fx, although you're right, ABP won't do it.

I managed to do it with ABP by pressing Ctrl-Shift+I and creating the rule

majormike.us##SPAN[style="position: absolute; top: 200px; left: 50px;"]

It's not blocked, though, only hidden.

[GµårÐïåñ]

Anything using a CSS tag can be "hidden" that's not the same as blocking them and given the method by which they are done, it can cause conflict with main content if the ad uses tags that match the page they are embedded into rather than doing what I did and make them unique. If I had not made them unique for the sake of the POC, it would cause you to block any legitimate SPAN item on the page fitting the dimensions too. Giving them class/id information makes it easier but they can be removed and it would make it harder. Of course, still even if you manged, you are hiding, not blocking it, which might be good enough for some, but then calling it AdBLOCK would be a bit of a misnomer.

[Tom T.]

It's not blocked, though, only hidden.

One of the advantages of actual blocking, as with NS, is saving the bandwidth, d/l time, CPU and RAM, etc.