This morning, I was greeted with an announcement from the Adblock Chrome Extension stating that it had been sold to a new owner and that they were now participating in Adblock Plus’s Acceptable Ad Program.

In the message, there is a link to disable the program, although I have verified on a different machine that if you do not click that link, users will get automatically opted into the acceptable ad program with this update.

What Is Adblock’s Acceptable Ad Policy?

For those not familiar with it, Adblock Plus started a program several years ago with the stated goal of promoting sites that have non-obtrusive ads by disabling Adblock on those sites. The program allows a website’s advertisements to bypass Adblock’s filters, provided the ads it shows have been deemed not terribly intrusive.

In some cases, although likely not all, companies are paying to be put on this list and there are some big names that are paying to bypass the filters, like Google and Microsoft.

Since money is changing hands and the list has grown from a relatively short one to one that is now over 7,000 lines long, it has drawn a lot of criticism and concern over the years. Some feel that it is contrary to the spirit of the plugin and are concerned with the implications of third-party tracking/ad networks. However, some laud it as a necessary way of encouraging ‘good’ sites and rewarding content producers.

Recently, Adblock Plus announced that an independent board would now review the sites, to provide some transparency and likely alleviate some of the criticism that this program is just a money grab that extorts users and site owners.

Plugin Sold, Updated, and Users Opted In

In the announcement from the developer of the Chrome Adblock plugin (different from Adblock Plus), it was stated that, in part due to the change to an independent review board, he was fully on board with the Acceptable Ads policy and was selling the plugin.

The update opts existing users in to the program, which bypasses the plugin’s filters.

The vagueness of the message, the silent opt-in of this setting, and the lack of any mention of who the buyer is are concerning and do not instill trust that this is a good-faith transition.

He States:

Now, Adblock Plus will be transferring custodianship of Acceptable Ads to an impartial group of experts. I love this idea — in fact, it was my wife Katie’s suggestion! Due to this change, I’m happy for AdBlock to join the program. As a result, I am selling my company, and the buyer is turning on Acceptable Ads.

No one can say what they would do when offered the right amount of money for their project.

The message shown after you install his plugin has been a donation request for years, which has a picture of him and his wife and states that he (they?) quit their job to work on the plugin. As far as I know that was the only monetization, and donations can be fickle, so if that really is his only job he may feel it isn’t worth his time or effort, he could be burnt out, or perhaps he just wants to move on to something else. This is, of course, conjecture, but the point is, I can see many reasons why an attractive offer would be jumped upon and cannot say what I would do if I were in his shoes.

It is not clear who the new owner is yet, although it has been announced that Adblock Plus’s parent company is paying ad-blocking plugins to take part in this program, so this appears to be a way of monetizing the popular Chrome plugin. For instance, Crystal (one of the first ad blockers for iOS 9) is now accepting payments to opt its users in to the Acceptable Ads program by default.

The Fragility of Trusting Plugins

This highlights, in a big way, the fragility of trusting plugins.

It only takes a bit of money to purchase an incredibly large user base (per their plugin page, ‘over 40 million users’) and make a significant change that is likely contrary to the reasons the end user installed the plugin, while almost certainly offering a monetary benefit to the new owners… it wouldn’t have been bought unless someone had plans for how to monetize it.

This is something that has played out before and is often worse, as there are documented instances of malware or adware vendors buying a popular plugin and subverting it.

It is a difficult issue to address… how do you ensure that a plugin you trust isn’t going to be sold to someone who will turn it against its users? Both Chrome and Firefox do take some action to keep this from occurring, but it is often caught after the fact and after damage has been done.

Thoughts on Acceptable Ads

As a content creator and someone who makes money off advertisements (there may even be some on this page that I make money from), I fully understand and support the end user blocking ads. In fact, I encourage it and install ad blockers when fixing people’s computers to help protect them. Third-party ads can be dangerous and are a leading cause of malware infections.

Even without clicking on the ad, the network is still accumulating a ton of data about your browsing habits that they can use or sell. Even networks that are very well moderated, like Google’s, can show bad ads or link to sites that are dangerous. Until relatively recently, doing a search for popular open source software like VLC Media Player or Firefox would yield results on Google and Bing for third-party bundles that were not safe to install. Smaller networks are even worse and often show dangerous ads that install PC Optimizers and Tune Up programs that hijack computers… or adware browser bars that track and inject ads while browsing.

So, I feel that browsing is a much safer place without ads, and getting your site whitelisted because you paid an ad-blocking company some money is not a good alternative.

Not to mention, there is a huge performance boost when you aren’t loading 20 random trackers and ad networks.

What About Content Creators

Whenever this is brought up, the argument is inevitably that sites/content creators are not being paid for their work. By using an advertisement blocker you are stealing from them and depriving them of a way to monetize their work. Instead, you should just not visit their site if you don’t want to be tracked/advertised to.

And this isn’t exactly wrong. It isn’t free to host a website, and putting your site behind a paywall probably doesn’t work out well for most people. I haven’t researched the numbers, but I would be pleasantly surprised if the New York Times or Washington Post paywall is (was?) a big money maker for them. I would imagine most people just bypass it or ignore links to their site.

Some have suggested that an easy way of making micropayments for accessing sites, or simply self-hosted ads targeted to the site content (rather than re-marketing), might be a good alternative. I think it is inevitable that ad networks will eventually evolve to bypass third-party network blocking. They are typically a leader in this sort of development.

So, this is a tricky problem and I can certainly see both sides to the issue. However, opening yourself to tracking/malware, aggressive marketing, and obtrusive adverts really shouldn’t be the solution.

Starting with IE9, browser testing got a whole lot easier. While it still has some annoying warts and limitations, it is way better than IE8 was and doesn’t even compare to the nightmare that was IE6 and before. Now with IE11+, Microsoft has stepped up their game and is more in line with browsers like Firefox and WebKit browsers (Chrome/Safari/etc.).

Back a few years ago, dropping support for IE8 gained steam, despite the fact that for people still using XP, IE8 was the latest version of Internet Explorer you could get. Google may have been the forerunner on this, as they dropped IE8 support in 2012 for their Apps, but other companies and devs were already limiting support by then as well. Since then, both due to dwindling numbers and better alternatives, many new devs don’t even test it anymore and the web simply doesn’t work well for those running it.

Apparently, Microsoft Devs don’t either.

While performing a clean install of Windows 7, I decided to check out a few pages in it and came across the Windows 10 page. The screenshots below are from the new Windows 10 Upgrade page and, as you can see, it wasn’t cross-browser tested in IE8.


After turning on Compatibility Mode, I got the below. It actually worked better, although I got a script error that slowed the browser to a crawl.

IE8 after turning on Compatibility Mode

Just to be on the safe side, I fired up my IE8 XP virtual machine, which has all the XP Internet Explorer updates (to be fair, the Windows 7 machine hadn’t had any updates yet). As you can see, it looks similar, just with certificate errors.

ie 8 xp

So, it seems that Microsoft doesn’t care too much about cross browser testing in Internet Explorer 8 anymore, which I suppose is good as it is another nail in the coffin. Of course, I can’t help but think that given they are the ones that spawned this demon on us, the least they could do is continue putting some man hours towards it.

Personally, while I don’t spend time making sure everything looks identical in IE8, I do at least check it and typically make the page largely readable. Does it matter? Probably not, as if you are still running Internet Explorer 8, the web is probably a horribly broken place, but basic IE8 support is something I include in most cases.

While visiting Google Maps I saw what is (at least to me) a new noscript warning. A screenshot of it is below; the message is:

When you have eliminated the JavaScript, whatever remains must be an empty page.

I got a kick out of the somewhat proverbial warning. It sure beats the common “we have detected that JavaScript is disabled in your browser” warning that is so often used. They even came up with a graphic for it, which, thanks to a commenter below, I now know is a play on a Sherlock Holmes quote.

Can’t argue with them about it either on Maps…you need Javascript for that. Now if it were Google groups… ;)

Google Maps no Script

Recently, an old client contacted me because emails were not being sent from their GoDaddy-hosted WordPress site. A quick look at the folders in their webroot made it clear that the site had been hacked, and most likely the emails not working was a side effect of GoDaddy noticing and blocking their email function.

After a bit of investigation, it looked like the most likely avenue was the CherryFramework, which is a Bootstrap WordPress theme/plugin framework. A bit more digging and I discovered a recently patched vulnerability in cherry-plugin/admin/import-export/upload.php.

The entire contents of the vulnerable file are below:

	<?php
	// Reject anything other than POST. exit_status() is assumed to be defined elsewhere in the file.
	if(strtolower($_SERVER['REQUEST_METHOD']) != 'post'){
		exit_status('Error! Wrong HTTP method!');
	}
	// The destination directory is taken straight from the request, with no validation.
	$upload_dir = isset($_REQUEST['upload_dir']) ? $_REQUEST['upload_dir'] : $upload_dir ;
	$file_name = basename($_FILES['file']['name']);
	$upload_file = $upload_dir.$file_name;
	// No nonce, capability or file type check: any file is written to any writable directory.
	$result = move_uploaded_file($_FILES['file']['tmp_name'], $upload_file);

As you can see from the above, which is the first version uploaded to git, the ONLY checking this file does is whether or not you are sending it a file to upload and telling it where to put it. So, it conveniently lets you upload any file to any directory on the web server. Similarly, their download-content.php file also let you download arbitrary files from the web server, with zero checks in place to prevent abuse. You can see a screenshot of the GitHub repository here.

This was fixed in later versions of CherryFramework and shows that the developer better understands WordPress now, as they not only implement a nonce and check the logged-in user’s capabilities by calling current_user_can, but also add the code to an AJAX action rather than just a malware installer like it was before.

Without casting too many stones, as no one is perfect, least of all me, I just can’t understand how something like this could get written, if not intentionally (which is entirely possible).

Everyone makes mistakes and it is easy to miss something that can be abused… mistakes happen, get fixed, and we move on. But something like that, or SQL queries written with zero thought to injection, blows my mind.

After updating to Fedora 22, the file chooser in Firefox under XFCE, like you would see when you click ‘Open File’ or upload a file, was broken.

Specifically, while the open file dialog does open and let you select files, the quick find was not working properly. Normally, you can start typing the first letter(s) of a file name and the file browser will jump to files that start with those letters in your current folder. However, this was not working for me in Firefox, and instead typing a letter did nothing. Further, the files were not grouped by folders, but rather files and folders were displayed together (although this might just be a setting).

It turns out this isn’t a bug in Firefox, but rather a problem with GTK3’s file chooser dialog. A bug is currently open here, so hopefully it will be addressed soon.

In Fedora 22, Firefox is compiled to use GTK3 instead of GTK2, along with Gedit and I would imagine a few other programs. So, anything using GTK3 has this bug for me.

A Temporary Solution: Since this makes using Firefox and selecting files incredibly painful, a quick fix is to uninstall Fedora’s version of Firefox and install Firefox separately (by downloading or compiling). The version available directly from Mozilla does NOT use GTK3, so it works fine. Just make sure to stay on top of updates and keep an eye out for when Fedora updates GTK3, as this will probably get fixed soon.

Hopefully, this will save someone the amount of time I spent trying to figure out why it was broken…

The GTK3 Filechooser, shown on right, does not currently work correctly in Fedora 22.

google switch search engine

While doing a Google search this morning, I noticed an interesting message from Google above the search results. It said, ‘Switch your default search engine to Google.’

Clicking the Learn how button takes you to a page with steps and screenshots showing how to change your default search engine in Firefox.

This is in response to a recent deal between Firefox and Yahoo, where Yahoo replaced Google as Firefox’s default search engine. According to reports, the change has provided a small boost to Yahoo’s already rather small percentage of the search market, with Google also losing 1 percent during the same time.

Whether this is due to actual concerns over losing customers or just not letting their competition have anything easy is anyone’s guess. However, this is not the only time Google has used its market position to attack their competition. For years, Google has been pushing Google Chrome on Firefox and Internet Explorer users.

Update 03/20/2015: The following adblock element hiding rule seems to work to get rid of it:

After cleaning up a recent WordPress hack, I believe there is another Revolution Slider vulnerability making the rounds. If you are using an old version of Revolution Slider, you should update immediately or disable the plugin.

From what I can tell, it affects two Themepunch plugins, Revslider and Showbiz Pro. According to a proof-of-concept exploit posted this month, versions 3.0.95 and before of Revslider, as well as versions 1.7.1 and before of Showbiz Pro are vulnerable.

The issue allows unauthenticated AJAX calls sent to /wp-admin/admin-ajax.php to trigger Revolution Slider’s onAjaxAction function, which in turn can be used to delete slides, import/export slides, and update the plugin (among other tasks). In the case of the site I cleaned up, they used it to trigger an update to the plugin, which uploaded a remote shell to the site.

From looking around, this vulnerability appears to have been posted relatively recently on several sites and is currently being exploited.

The Vulnerability

This is part of revslider_admin.php. In affected versions, the below gets called, which adds wp_ajax and wp_ajax_nopriv callbacks for the onAjaxAction function.

Since there is no check on whether the user is actually logged in or allowed to make changes to the plugin, it is possible to(among other things) upload files to the server.


self::addActionAjax("ajax_action", "onAjaxAction");

This in turn calls the addActionAjax function, which creates the wp_ajax and wp_ajax_nopriv callbacks.


protected static function addActionAjax($ajaxAction,$eventFunction){
	// Registers the same handler for logged-in (wp_ajax_) and anonymous (wp_ajax_nopriv_) requests
	self::addAction('wp_ajax_'.self::$dir_plugin."_".$ajaxAction, $eventFunction);
	self::addAction('wp_ajax_nopriv_'.self::$dir_plugin."_".$ajaxAction, $eventFunction);
}

As a result of this, the revslider_ajax_action action gets added, allowing for unprivileged updates. This is not terribly surprising as, at least in early versions of Revolution Slider, security and a deep understanding of WordPress do not seem to have been a concern.

Working Example

The following is a working example. On a vulnerable site, the following will print an AJAX response similar to: {"success":false,"message":"wrong ajax action: asdf "}.

If you see something to the effect of {"success":false,"message":"Wrong request"}, you are probably not vulnerable, but should still verify you are running the most recent version, as there are several known vulnerabilities at this point!

<form method='post' action='/wp-admin/admin-ajax.php'>
<input type='hidden' name='data' value='asdf' />
<input type='hidden' name='client_action' value='asdf' />
<input type='hidden' name='action' value='revslider_ajax_action' />
<input type='submit' />
</form>

The reason you see this response is that the switch is called and, since asdf is not a recognized action, it triggers the default: self::ajaxResponseError("wrong ajax action: $action ");

Affected Versions

As stated above, this affects versions 3.0.95 and below of Revolution Slider, as well as versions 1.7.1 and below of Showbiz Pro; newer versions do not appear to be impacted.

In a newer version I checked, Themepunch appears to have added a nonce called revslider_actions and checks that the nonce is present in onAjaxAction prior to actually executing the AJAX calls.

Temporary Fix

If you are using an old version of revolution slider, you should update immediately and/or disable the plugin.

As stated before, since this plugin is often bundled with themes and is a premium plugin, updating it presents several difficulties and is something that a non-technical website owner might not even know they need to do. I feel this leaves something to be desired.

The below should be a quick way to stop the attack.

Note that the below will only allow people with the privilege to install plugins to work with Revslider’s AJAX calls. You may want to adjust what permission you allow.


public static function onAjaxAction(){

	// Temporary guard: reject the request unless it came from a logged-in user
	// with the install_plugins capability. Everything else in the function
	// (the original body of onAjaxAction) only runs after this check.
	if(!function_exists('current_user_can') || !current_user_can('install_plugins')){
		self::ajaxResponseError("Wrong request");
		return;
	}
	// ... original body of onAjaxAction ...
}
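As an added example (not CherryFramework’s or Revolution Slider’s own code), the following WordPress AJAX upload handler applies the checks that both the CherryFramework upload.php and Revolution Slider’s onAjaxAction lacked: no wp_ajax_nopriv_ registration, a nonce, a capability check, and a destination and file type decided by WordPress rather than by the request. The demo_upload hook and nonce names and the choice of the upload_files capability are assumptions made for the example.

```php
<?php
// Added example, not code from CherryFramework or Revolution Slider.
// Hypothetical names: the 'demo_upload' AJAX action and nonce action.

// Register for logged-in users only. There is deliberately no wp_ajax_nopriv_
// hook, so an anonymous POST to admin-ajax.php never reaches the handler.
add_action( 'wp_ajax_demo_upload', 'demo_handle_upload' );

function demo_handle_upload() {
    // 1. Nonce: the request must carry a token created with
    //    wp_create_nonce( 'demo_upload' ) in the 'nonce' field, which stops
    //    cross-site requests riding on an authenticated browser session.
    check_ajax_referer( 'demo_upload', 'nonce' );

    // 2. Capability: being logged in is not enough; require a specific right.
    //    (The temporary Revslider fix above uses install_plugins instead.)
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ) );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No uploaded file supplied' ) );
    }

    // 3. Destination and type: never taken from the request. wp_handle_upload()
    //    stores the file under wp_upload_dir() with a sanitized name and rejects
    //    extensions outside the site's allowed MIME list, so a .php payload cannot
    //    be dropped into a web-accessible directory of the caller's choosing.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ) );
    }

    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}
```

The client must send action=demo_upload, the file, and the nonce value; a request missing any of the three is refused before any file is written.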

Given that there have been two very serious vulnerabilities reported in the past few months, I would strongly encourage you to upgrade the plugin to the latest version and/or use a different plugin!
