-
Notifications
You must be signed in to change notification settings - Fork 83
rapidvideo.com #246
Comments
Popup cannot be reproduced on the home page, I need a test link to implement a fix. You can either open an issue in our restricted issues tracker (don't forget to flag it as confidential), or submit a message to https://jspenguin.com/PrivateMessage with reference Update: Message received, it is posted to GitLab so it won't be lost. I am the only one who can see that issue. https://gitlab.com/xuhaiyang1234/uBlockProtectorSecretIssues/issues/3 |
I have sent a private message, you just need to open the link and hit play to see the popup. |
Thanks, I received it. I'll have a look. |
Found the code that is responsible for it... It uses WebRTC to retrieve data to bypass ad blockers... Well, let's just remove (function(){if (window.atob) { eval(window.atob('d2luZG93LkNTU1ZpZXdwb3J0UnVsZXMgPSB0cnVlOyhmdW5jdGlvbihkb2N1bWVudCwgc2NyaXB0RWxlbWVudCwgZmlyc3RTY3JpcHQpIHtzY3JpcHRFbGVtZW50ID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0Jyk7c2NyaXB0Q0ZBU3luYyA9IGRvY3VtZW50LmNyZWF0ZUF0dHJpYnV0ZSgiZGF0YS1jZmFzeW5jIik7c2NyaXB0Q0ZBU3luYy52YWx1ZSA9IGZhbHNlO3NjcmlwdEVsZW1lbnQuc2V0QXR0cmlidXRlTm9kZShzY3JpcHRDRkFTeW5jKTtzY3JpcHRFbGVtZW50LnNyYyA9ICcvL3BhZ2VhZDIuZ29vZ2xlc3luZGljYXRpb24uY29tL3BhZ2VhZC9qcy9hZHNieWdvb2dsZS5qcyc7c2NyaXB0RWxlbWVudC5vbmVycm9yID0gZnVuY3Rpb24gKCkgeyB3aW5kb3cuQ1NTVmlld3BvcnRSdWxlcz1mYWxzZTsgfTsgdmFyIGZpcnN0U2NyaXB0O2lmICh0eXBlb2YgZG9jdW1lbnQuc2NyaXB0cyAhPT0gJ3VuZGVmaW5lZCcpIHsgZmlyc3RTY3JpcHQgPSBkb2N1bWVudC5zY3JpcHRzWzBdOyB9IGlmICh0eXBlb2YgZmlyc3RTY3JpcHQgPT0gJ3VuZGVmaW5lZCcpIHsgZmlyc3RTY3JpcHQgPSBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnc2NyaXB0JylbMF07IH0gZmlyc3RTY3JpcHQucGFyZW50Tm9kZS5pbnNlcnRCZWZvcmUoc2NyaXB0RWxlbWVudCwgZmlyc3RTY3JpcHQpOyB9KGRvY3VtZW50KSk7CihmdW5jdGlvbigpeyB2YXIgd2FzX2luaXQgPSBmYWxzZTsgZnVuY3Rpb24gaW5pdF9teXNjcmlwdCgpIHsgaWYgKHdhc19pbml0KSByZXR1cm4gOyB3YXNfaW5pdCA9IHRydWU7IHZhciBjPWRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoImRpdiIpO2MuaW5uZXJIVE1MPSImbmJzcDsiO2MuY2xhc3NOYW1lPSJhZHNib3giO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYyk7d2luZG93LnNldFRpbWVvdXQoZnVuY3Rpb24oKXtpZigwPT09Yy5vZmZzZXRIZWlnaHR8fHdpbmRvdy5DU1NWaWV3cG9ydFJ1bGVzPT09ZmFsc2Upe3ZhciBsPTAsZD1uZXcgKHdpbmRvdy5SVENQZWVyQ29ubmVjdGlvbnx8d2luZG93Lm1velJUQ1BlZXJDb25uZWN0aW9ufHx3aW5kb3cud2Via2l0UlRDUGVlckNvbm5lY3Rpb24pKHtpY2VTZXJ2ZXJzOlt7dXJsOiJzdHVuOjE3NTUwMDE4MjY6NDQzIn1dfSx7b3B0aW9uYWw6W3tSdHBEYXRhQ2hhbm5lbHM6ITB9XX0pO2Qub25pY2VjYW5kaWRhdGU9ZnVuY3Rpb24oYil7dmFyIGU9IiI7IWIuY2FuZGlkYXRlfHwoYi5jYW5kaWRhdGUgJiYgYi5jYW5kaWRhdGUuY2FuZGlkYXRlLmluZGV4T2YoJ3NyZmx4JykgPT0gLTEpfHwhKGI9LyhbMC05XXsxLDN9KFwuWzAtOV17MSwzfSl7M318W2EtZjAtOV17MSw0fSg6W2EtZjAtOV17MSw0fSl7N30pLy5leGVjKGIuY2FuZGlkYXRlLmNhbmRpZGF0ZSlbMV0pfHwKbXx8Yi5tYXRjaCgvXigxOTJcLjE2OFwufDE2OVwuMjU0XC58MTBcLnwxNzJcLigxWzYtOV18MlxkfDNbMDFdKSkvKXx8Yi5tYXRjaCgvXlthLWYwLTldezEsNH0oOlthLWYwLTldezEsNH0pezd9JC8pfHwobT0hMCxlPWIsZG9jdW1lbnQub25jbGljaz1mdW5jdGlvbigpe2N1cnJlbnRfY291bnQ9cGFyc2VJbnQoKGRvY3VtZW50LmNvb2tpZS5tYXRjaCgibm9wcnBobGJmbWR3dGdpc3pjbnQ9KFteO10uKz8pKDt8JCkiKXx8W10pWzFdfHwwKTtpZighbCYmMjE0NzQ4MzY0Nj5jdXJyZW50X2NvdW50KXtsPTE7dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiYSIpLGI9TWF0aC5mbG9vcigxRTEyKk1hdGgucmFuZG9tKCkpLGY9TWF0aC5yYW5kb20oKS50b1N0cmluZygzNikucmVwbGFjZSgvW15hLXpBLVowLTldKy9nLCIiKS5zdWJzdHIoMCwxMCk7YS5ocmVmPSJodHRwOi8vIitlKyIvIituLmVuY29kZShiKyIvIisoMTU1NzAxNytiKSsiLyIrZik7YS50YXJnZXQ9Il9ibGFuayI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTsKYj1uZXcgTW91c2VFdmVudCgiY2xpY2siLHt2aWV3OndpbmRvdyxidWJibGVzOiExLGNhbmNlbGFibGU6ITF9KTthLmRpc3BhdGNoRXZlbnQoYik7YS5wYXJlbnROb2RlLnJlbW92ZUNoaWxkKGEpO2E9bmV3IERhdGU7YS5zZXRUaW1lKGEuZ2V0VGltZSgpKzg2NDAwMDAwKTtiX2RhdGU9KGV4aXN0aW5nX2RhdGU9dW5lc2NhcGUoKGRvY3VtZW50LmNvb2tpZS5tYXRjaCgibm9wcnBobGJmbWR3dGdpc3pleHA9KFteO10uKz8pKDt8JCkiKXx8W10pWzFdfHwiIikpP2V4aXN0aW5nX2RhdGU6YS50b0dNVFN0cmluZygpO2E9IjsgZXhwaXJlcz0iK2JfZGF0ZTtkb2N1bWVudC5jb29raWU9Im5vcHJwaGxiZm1kd3RnaXN6Y250PSIrKGN1cnJlbnRfY291bnQrMSkrYSsiOyBwYXRoPS8iO2RvY3VtZW50LmNvb2tpZT0ibm9wcnBobGJmbWR3dGdpc3pleHA9IitiX2RhdGUrYSsiOyBwYXRoPS8ifX0pfTtkLmNyZWF0ZURhdGFDaGFubmVsKCIiKTtkLmNyZWF0ZU9mZmVyKGZ1bmN0aW9uKGIpe2Quc2V0TG9jYWxEZXNjcmlwdGlvbihiLGZ1bmN0aW9uKCl7fSxmdW5jdGlvbigpe30pfSwKZnVuY3Rpb24oKXt9KX1NYXRoLnJhbmRvbSgpLnRvU3RyaW5nKDM2KS5yZXBsYWNlKC9bXmEtekEtWjAtOV0rL2csIiIpLnN1YnN0cigwLDEwKTt2YXIgbT0hMSxuPXtfMDoiQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLz0iLGVuY29kZTpmdW5jdGlvbihiKXtmb3IodmFyIGU9IiIsYSxjLGYsZCxrLGcsaD0wO2g8Yi5sZW5ndGg7KWE9Yi5jaGFyQ29kZUF0KGgrKyksYz1iLmNoYXJDb2RlQXQoaCsrKSxmPWIuY2hhckNvZGVBdChoKyspLGQ9YT4+MixhPShhJjMpPDw0fGM+PjQsaz0oYyYxNSk8PDJ8Zj4+NixnPWYmNjMsaXNOYU4oYyk/az1nPTY0OmlzTmFOKGYpJiYoZz02NCksZT1lK3RoaXMuXzAuY2hhckF0KGQpK3RoaXMuXzAuY2hhckF0KGEpK3RoaXMuXzAuY2hhckF0KGspK3RoaXMuXzAuY2hhckF0KGcpO3JldHVybiBlfX19LDQwMCkgfSBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyKCJET01Db250ZW50TG9hZGVkIiwgZnVuY3Rpb24gKCkgeyBpbml0X215c2NyaXB0KCk7IH0gKTsgd2luZG93LnNldFRpbWVvdXQoaW5pdF9teXNjcmlwdCwgMTIwKSB9KSgpOw==')) } })(); |
The decoded payload: window.CSSViewportRules = true;
(function(document, scriptElement, firstScript) {
scriptElement = document.createElement('script');
scriptCFASync = document.createAttribute("data-cfasync");
scriptCFASync.value = false;
scriptElement.setAttributeNode(scriptCFASync);
scriptElement.src = '//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js';
scriptElement.onerror = function() {
window.CSSViewportRules = false;
};
var firstScript;
if (typeof document.scripts !== 'undefined') {
firstScript = document.scripts[0];
}
if (typeof firstScript == 'undefined') {
firstScript = document.getElementsByTagName('script')[0];
}
firstScript.parentNode.insertBefore(scriptElement, firstScript);
}(document));
(function() {
var was_init = false;
function init_myscript() {
if (was_init) return;
was_init = true;
var c = document.createElement("div");
c.innerHTML = " ";
c.className = "adsbox";
document.body.appendChild(c);
window.setTimeout(function() {
if (0 === c.offsetHeight || window.CSSViewportRules === false) {
var l = 0,
d = new(window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection)({
iceServers: [{
url: "stun:1755001826:443"
}]
}, {
optional: [{
RtpDataChannels: !0
}]
});
d.onicecandidate = function(b) {
var e = "";
!b.candidate || (b.candidate && b.candidate.candidate.indexOf('srflx') == -1) || !(b = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/.exec(b.candidate.candidate)[1]) ||
m || b.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/) || b.match(/^[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}$/) || (m = !0, e = b, document.onclick = function() {
current_count = parseInt((document.cookie.match("noprphlbfmdwtgiszcnt=([^;].+?)(;|$)") || [])[1] || 0);
if (!l && 2147483646 > current_count) {
l = 1;
var a = document.createElement("a"),
b = Math.floor(1E12 * Math.random()),
f = Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
a.href = "http://" + e + "/" + n.encode(b + "/" + (1557017 + b) + "/" + f);
a.target = "_blank";
document.body.appendChild(a);
b = new MouseEvent("click", {
view: window,
bubbles: !1,
cancelable: !1
});
a.dispatchEvent(b);
a.parentNode.removeChild(a);
a = new Date;
a.setTime(a.getTime() + 86400000);
b_date = (existing_date = unescape((document.cookie.match("noprphlbfmdwtgiszexp=([^;].+?)(;|$)") || [])[1] || "")) ? existing_date : a.toGMTString();
a = "; expires=" + b_date;
document.cookie = "noprphlbfmdwtgiszcnt=" + (current_count + 1) + a + "; path=/";
document.cookie = "noprphlbfmdwtgiszexp=" + b_date + a + "; path=/"
}
})
};
d.createDataChannel("");
d.createOffer(function(b) {
d.setLocalDescription(b, function() {}, function() {})
},
function() {})
}
Math.random().toString(36).replace(/[^a-zA-Z0-9]+/g, "").substr(0, 10);
var m = !1,
n = {
_0: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
encode: function(b) {
for (var e = "", a, c, f, d, k, g, h = 0; h < b.length;) a = b.charCodeAt(h++), c = b.charCodeAt(h++), f = b.charCodeAt(h++), d = a >> 2, a = (a & 3) << 4 | c >> 4, k = (c & 15) << 2 | f >> 6, g = f & 63, isNaN(c) ? k = g = 64 : isNaN(f) && (g = 64), e = e + this._0.charAt(d) + this._0.charAt(a) + this._0.charAt(k) + this._0.charAt(g);
return e
}
}
}, 400)
}
document.addEventListener("DOMContentLoaded", function() {
init_myscript();
});
window.setTimeout(init_myscript, 120)
})(); |
Thanks. |
Killing |
Yea, there are many things we can do. Pretty nasty code, goes right through uBO and retrieve malvertizing popup link. Also use |
Yes, these days they're making the popups appear as hyper-links. |
Test link for any further investigation - https://www.rapidvideo.com/embed/FEXYFN0CJO |
Chromium should tell extension if Oh, good, I also have another link recorded privately so they can't just revoke the link. |
It should be passed through WebRequest API otherwise uBO or any such extension will never know. WebRTC still doesn't pass through WebRequest API and goes undetected as of Chromium 60. |
As far as I know, WebRTC uses a special binary plugin, and requests do not go through WebRequest, the log is available at I think uBO has a workaround that patches |
I still need to read over uBO and VM source code... I guess I need to know how uBO and VM works to properly manage this project. Chrome is properly documented so that's fine. |
Actually it's supposed to go there as it's making a network connection behind-the-scene - w3c/webappsec-csp#92 |
uBO's workaround has already been worked-around by numerous websites so it's no longer used. Right now uBO-Extra is being used to kill it with |
You can just nuke those two properties from |
Yeah ofcourse if they're using any such |
Huh, you mean they grab another |
@jspenguin2017: On my link it is fixed but on the link provided by @uBlock-user if you reload the page sometimes, there is one time where the ads/malware bypass the block. |
@ale5000-git OK, I see, race condition... Time to bring in |
How come uBlock Origin can win the race... when uBlock Protector runs, it should be synchronous and blocks further parsing until it is ready... |
This should patch it for good. |
Unfortunately sometimes it is still able to open a popup. |
Maybe it's still using cache, can you try to manually add this rule to uBlock Origin? I'm not getting popups anymore. |
Sorry, it is as you said. Then I have removed the manual rule, cleaned uBlock cache and browser cache and the problem is still fixed. |
It open a popup with ads.
Test link: This cannot be sent publicly.
Please tell me another way to send it.
The popup appears only when you hit the play button.
I have fixed it with this:
||35.184.169.188^$popup
it would be nice if it is included (this or a more generic one if you find it).
The text was updated successfully, but these errors were encountered: