Adaware AdBlock claims to be "The fastest and safest ad blocker". But what is reality? 🧵​
Adaware AdBlock is based on uBlock Origin, a fact they do admit albeit seemingly only on the extension's "About" page.
The filterlists appear to be the same selection as uBo, but with #EasyPrivacy and #PeterLowe disabled.
The oddest change, however, is in the "Trusted sites": They have completely disabled uBo on a long list of websites including but not limited to Yahoo, OutLook, Microsoft, and Google (full list: https://gist.github.com/iam-py-test/efd68a122c641b6f511bcc1f952c1d6b).
They claim on the support docs "The exceptions list exists out of respect for the reputable online publishers we work with through our other products. We do not generate revenue from this list." (https://support.adaware.com/hc/en-us/articles/360046344632-WHY-DOES-ADAWARE-AD-BLOCK-HAVE-AN-EXCEPTIONS-LIST-)
As an aside, their support website has something weird going on with their capitalization. Half the articles are in ALL CAPS for seemingly no reason, and they are inconsistent with how they capitalize "ad block"
More disturbingly, they appear to have added tracking code which sends an install ID, install date, locale, browser name and version, OS, and extension version to hxxps://flow.lavasoft[.]com/v1/event-stat? when the extension is installed.
It also notifies the server when it is updated, and *whenever the browser is started*. It also pings the server once a day.
And it gets worse. Digging into it further, it seems that on install, it looks for the Chrome Webstore page you used to install it, and grabs tracking parameters from its URL, and stores the content of these parameters. It grabs the following parameters:
- partnerId (I guess to figure out what affiliate convinced you to install their extension)
- campaignId
- sourceTraffic
- bundleId
- offerId
I think all of this is sent to the server when the extension is installed, updated, when the browser is launched, and once every day.
For some reason, it only looks for the Chrome Web Store, and not the Firefox addons page.
Keep in mind that even if you use Actually Legitimate URL Shortener Tool, AdGuard URL Tracking Protection, or ClearURLs, you are not safe. In Chrome (and possibly some other Chromium browsers), the Chrome Web Store is protected, meaning extensions cannot access it. This means none of these extensions can remove these tracking parameters.

Fear not, for they even track you on uninstall, by setting what page opens when you uninstall the extension and tacking on a ton of tracking parameters. They add:
- the install date
- your *unique* install ID
- the browser extension ID (which in Firefox *is* unique to each install; in Chromium it is unique to each extension, and thus meaningless)
- some of the tracking stuff from my earlier toot (specifically the campaign ID, affiliate ID, the "install source" - which is set by the affiliate, bundle ID, and offer ID)
All of this is tacked onto hxxps://www.surveymonkey.com/r/AdawareAdBlock_Uninstallation?

I am not sure if Survey Monkey actually records the content of these tracking parameters, but it's still not great to have that data sent to a remote server.

Interestingly, it seems to be above their pay grade to modify assets.json (which controls what filterlists are included in uBlock Origin and contains data such as their names and if they are enabled), so they just modify the list of installed filterlists at runtime. Hence why EasyPrivacy and Peter Lowe remain and merely look as if someone just turned them off.
I will give them some credit: they didn't obfuscate, minify, or otherwise try to hide their code. They even have left some comments, albeit not that many. There also seem to be some calls to console.debug which they commented out.
It would appear this is based off a version of uBlock Origin from no later than the 14th of June of this year, as that is the date on the Online Malicious URL Blocklist, which is automatically updated every day. Peter's list shows as being updated the 13th, further confirming this hypothesis.
Thus, it should be based off the latest stable version of uBlock Origin, which is 1.50.0.
1.50.0 was released on June 7th. I'm not familiar with the uBo build process, so I am not sure how it could have assets from after that date.
It is not beta version 1.50.1b0 as it lacks the set-cookie scriptlet, which was added in that version.
Back in the assets/thirdparties folder, there is an interesting addition: a folder named adaware containing a file named acs.txt
That file contains a list of domains. I assume this is their malicious website blocking.
Funny they call it a "cloud". There isn't anything cloudy about a list of domains.
When I visit one, I get a weird broken block page.
The logger (which I was able to get to via going to logger-ui.html) doesn't even register the page being blocked, so I have no idea how it is working on the inside.
Their "Block popups" just flips the "no-popups:" internal switch in uBo. Which, to be fair, is what the button in the real uBo does.
Adaware is owned by BVRP Software SA. BVRP also owns Avanquest, who make useless software such as driver updaters and registry cleaners. I also currently have them blocklisted in the MWB.
Really builds confidence.
TLDR: it's yet another uBlock Origin clone with tracking added. No reason to use it. Just use #uBlockOrigin
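
An added example, not code from the thread or from the extension: a small JavaScript check that can be run over URLs captured from the browser's network log to spot the requests the thread describes. The two endpoints and the five affiliate parameter names come from the thread; the `installId`, `installDate` and `event` parameter names and every sample value are constructed assumptions, and flagging UUID-shaped values as per-install identifiers is a heuristic that goes beyond what the thread states.

```javascript
// Endpoints named in the thread (written there in defanged form).
const ENDPOINTS = [
  { host: "flow.lavasoft.com", path: "/v1/event-stat", label: "telemetry" },
  { host: "www.surveymonkey.com", path: "/r/AdawareAdBlock_Uninstallation", label: "uninstall" },
];
// Affiliate parameters the thread says are copied from the Chrome Web Store URL.
const AFFILIATE_PARAMS = new Set(["partnerid", "campaignid", "sourcetraffic", "bundleid", "offerid"]);
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Turn "hxxps://host[.]tld/..." back into a parseable URL.
function refang(s) {
  return s.trim().replace(/^hxxp/i, "http").replace(/\[\.\]/g, ".");
}

// Return a finding for a URL that hits a listed endpoint, or null otherwise.
function classify(raw) {
  let url;
  try { url = new URL(refang(raw)); } catch { return null; }
  const hit = ENDPOINTS.find(e => url.hostname === e.host && url.pathname === e.path);
  if (!hit) return null;
  const affiliate = [], identifiers = [];
  for (const [name, value] of url.searchParams) {
    if (AFFILIATE_PARAMS.has(name.toLowerCase())) affiliate.push(name);
    else if (UUID_RE.test(value)) identifiers.push(name); // heuristic: stable per-install ID
  }
  return { endpoint: hit.label, affiliate, identifiers };
}

// Keep only the URLs that matched one of the endpoints.
function audit(urls) {
  return urls.map(classify).filter(Boolean);
}

// Constructed sample capture; "installId", "installDate" and "event" are assumed names.
const SAMPLE = [
  "hxxps://flow.lavasoft[.]com/v1/event-stat?event=browserStart&installId=123e4567-e89b-12d3-a456-426614174000&partnerId=AB123&campaignId=42",
  "https://www.surveymonkey.com/r/AdawareAdBlock_Uninstallation?installId=123e4567-e89b-12d3-a456-426614174000&installDate=2023-07-01&offerId=7",
  "https://example.org/v1/event-stat?partnerId=AB123",
];
console.log(JSON.stringify(audit(SAMPLE), null, 2));
```
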

@iampytest1

> The oddest change, however, is in the "Trusted sites": They have completely disabled uBo on a long list of websites including but not limited to Yahoo, OutLook, Microsoft, and Google

For others who are about to misunderstand this sentence...

Then, this malicious software has disabled uBlock Origin as a "Trusted site" WHILE they have ADDED malicious and very dangerous sites like #Google #Microsoft and #Yahoo

Sorry for writing this addendum @iampytest1 but I got confused and thought something else.

PS: is this the addon from adaware\.com (https://0xacab.org/my-privacy-dns/matrix/-/issues/7604) or something else we should have stopped ASAP?

@JerryMouse Yes: It is the same.
Sorry for writing that in a confusing manner.
@iampytest1 Don't worry, my thoughts also happen to be ahead of my typing :)

@iampytest1 Came to revisit the domain as I found I'd forgotten to add it to our malicious category (it was on the source lists, don't worry), but then I stumbled on the link for "buying" the malicious software... Never seen this much tracking code for buying a product.

https\://store\.adaware\.com/clickgate/join.aspx?ref=adaware.com/free-antivirus-download&ujid=0VXbFykx2LA%3D&mkey3=web_body

Damned, and that should be an "Antivirus + Privacy + PC Performance" product...

Leaving the picture for others to judge for themselves 😏

UPDATE:

Oh it is just getting better and better 😄 have a smile and a 🍪