##########################################################################################
ADBLK-25: Block Catapult Anti-Adblock Domains
##########################################################################################

Issue Type: Task
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Open
Resolution: Unresolved
Project: Adblock Lists (ADBLK)
Reported By: btasker
Assigned To: btasker
Time Estimate: 0 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------

Issue Description
==================

Observed being distributed via BunnyCDN and Cloudfront.

- https://voldffgkdsllkjthlkjt.b-cdn.net/safe/safe.js
- https://d1hnzacu959ev8.cloudfront.net/app.min.js

Hitting either domain with a non-existent file results in Cannot GET /catapult/[something].

For the latter domain it's catapult/iliffe, for the former it's catapult/adblockrelief

The name Catapult appears within the codebase as well.

The BunnyCDN based domain uses the flawed approach previously observed with Admiral - claiming that "circumvention" of the code is a violation of DMCA.

-----------------------------------------------------------------------------------------

Activity
==========

-----------------------------------------------------------------------------------------
2020-12-07 15:18:26 btasker
-----------------------------------------------------------------------------------------

app.min.js will bail if it can't download the safe.js file - so blocking the latter is actually sufficient

-- BEGIN SNIPPET --
if (this.google_analytics_manager = e, this.ADBLOCKER_DETECTED = !1, !document.SAFERELIEF)
    return console.log("We have been unable to download the SAFERELIEF sentinel. Bailing."),
        void(this.ADBLOCKER_DETECTED = !1);
-- END SNIPPET --

However, this domain is clearly only intended to serve tracking code, so it makes more sense to block both anyway.

app.min.js refers to a bunch of other "ad" scripts (these are actually canary scripts). They contain heavily obfuscated code

-- BEGIN SNIPPET --
e.DownloadCanaryPair("//d35eux0j7ldw19.cloudfront.net", "/ads/ads.js")
    : 1 == t ? e.DownloadCanaryPair("//fjhsjkfhwqeirusdfjkh.azureedge.net", "/ads/ads.js")
    : 2 == t ? e.DownloadCanaryPair("//fjhsjkfhwqeirusdfjkh.azureedge.net", "/adv/ads.js")
    : 3 == t ? e.DownloadCanaryPair("//wejhrtlhjkltvicuiuyd.b-cdn.net", "/adv/ads.js")
    : 4 == t ? e.DownloadCanaryPair("//wejhrtlhjkltvicuiuyd.b-cdn.net", "/ads/ads.js")
    : 5 == t ? e.DownloadCanaryPair("//voldffgkdsllkjthlkjt.b-cdn.net", "/ads/ads.js")
    : e.DownloadCanaryPair("//d35eux0j7ldw19.cloudfront.net", "/ads/ads.js")
-- END SNIPPET --

Giving us the following

-- BEGIN SNIPPET --
d35eux0j7ldw19.cloudfront.net/ads/ads.js
fjhsjkfhwqeirusdfjkh.azureedge.net/ads/ads.js
fjhsjkfhwqeirusdfjkh.azureedge.net/adv/ads.js
wejhrtlhjkltvicuiuyd.b-cdn.net/adv/ads.js
wejhrtlhjkltvicuiuyd.b-cdn.net/ads/ads.js
voldffgkdsllkjthlkjt.b-cdn.net/ads/ads.js
d35eux0j7ldw19.cloudfront.net/ads/ads.js
-- END SNIPPET --

Again, probably better to just block the entire domains so that they can't later be used to serve the anti-adblock stuff (while whitelisting those files would nobble the canary, you're then at the mercy of whatever their code is doing)

-----------------------------------------------------------------------------------------
2020-12-07 15:25:26 btasker
-----------------------------------------------------------------------------------------

-- BEGIN QUOTE --
For the former domain it's catapult/iliffe
-- END QUOTE --

Ahhh iliffe is a news publisher - they're obviously the customer.
Which means that d1hnzacu959ev8.cloudfront.net is publisher specific - there's not much point blocking it as we can block that safe file instead

-----------------------------------------------------------------------------------------
2020-12-07 15:29:54 btasker
-----------------------------------------------------------------------------------------

The anti-adblock screen is integrated with Jamatto Micropayments (Jamatto.com).

I'm not going to block them, as they're simply providing a micropayments service and (AFAICT) are just used by the anti-adblock solution rather than being behind it.

-----------------------------------------------------------------------------------------
2020-12-07 15:49:45 btasker
-----------------------------------------------------------------------------------------

There's an example of another CatapultTools instance linked to from here - https://github.com/uBlockOrigin/uAssets/issues/5994

This time the page loads - https://d3mrx7ldhjaklg.cloudfront.net/app.min.js (account name seemingly spp)

It bailed out because the "sentinel" (safe.js) couldn't be downloaded.

The canary pages in that are exactly the same as for the other - most likely the Cloudfront distribution sends a custom request header upstream to indicate which customer/publisher the requests are being served for.

So, the currently committed blocks work - but, if they move their sentinel to a new domain it may start triggering again.
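
One way to notice a moved domain, as an added example that is not from the ticket or the adblocklists repo: extract the canary hosts from a copy of app.min.js and list any that the blocklist does not cover. The blocklist entries, the `example.net` host and all function names are assumptions; the ticket does not show how app.min.js references safe.js, so only DownloadCanaryPair hosts are extracted.

```javascript
// Added example. Constructed input: four DownloadCanaryPair calls quoted in the
// ticket plus one hypothetical host (example.net) simulating a later revision.
const SAMPLE_LOADER = `
e.DownloadCanaryPair("//d35eux0j7ldw19.cloudfront.net", "/ads/ads.js") : 1 == t ?
e.DownloadCanaryPair("//fjhsjkfhwqeirusdfjkh.azureedge.net", "/ads/ads.js") : 2 == t ?
e.DownloadCanaryPair("//fjhsjkfhwqeirusdfjkh.azureedge.net", "/adv/ads.js") : 3 == t ?
e.DownloadCanaryPair("//wejhrtlhjkltvicuiuyd.b-cdn.net", "/adv/ads.js") : 4 == t ?
e.DownloadCanaryPair("//canary-moved.example.net", "/ads/ads.js")`;
// Constructed blocklist mixing hosts-file, ABP-style and bare-domain entries.
const SAMPLE_BLOCKLIST = `
# constructed entries
0.0.0.0 d35eux0j7ldw19.cloudfront.net
||fjhsjkfhwqeirusdfjkh.azureedge.net^
wejhrtlhjkltvicuiuyd.b-cdn.net`;

// Collect each distinct (host, path) pair, whatever the minifier named the receiver.
function extractCanaryPairs(source) {
  const re = /\.DownloadCanaryPair\(\s*"\/\/([^"\/]+)"\s*,\s*"([^"]*)"\s*\)/g;
  const seen = new Map();
  for (const m of source.matchAll(re)) {
    const host = m[1].toLowerCase();
    seen.set(host + m[2], { host, path: m[2] });
  }
  return [...seen.values()];
}
// Reduce each supported entry style to a bare lower-case domain.
function parseBlocklist(text) {
  const blocked = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line || line.startsWith("!")) continue;
    const abp = line.match(/^\|\|([^\^\/]+)\^/);
    blocked.add((abp ? abp[1] : line.split(/\s+/).pop()).toLowerCase());
  }
  return blocked;
}
// A host counts as covered when it, or a parent domain, is on the list.
function isBlocked(host, blocked) {
  const labels = host.split(".");
  return labels.slice(0, -1).some((_, i) => blocked.has(labels.slice(i).join(".")));
}
// Hosts the loader would contact that the blocklist does not yet cover.
function unblockedCanaryHosts(source, blocklistText) {
  const blocked = parseBlocklist(blocklistText);
  const hosts = new Set(extractCanaryPairs(source).map((p) => p.host));
  return [...hosts].filter((h) => !isBlocked(h, blocked)).sort();
}
console.log(unblockedCanaryHosts(SAMPLE_LOADER, SAMPLE_BLOCKLIST));
```
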

-----------------------------------------------------------------------------------------
2020-12-07 15:50:50 btasker
-----------------------------------------------------------------------------------------

Blocks were committed here - https://github.com/bentasker/adblocklists/commit/940137696a77504435d8e81d264670e9484dbbc7 - seems I've accidentally broken the webhooks

-----------------------------------------------------------------------------------------
2020-12-07 15:54:55 git
-----------------------------------------------------------------------------------------

-- BEGIN QUOTE --
Repo: adblocklists
Commit: 940137696a77504435d8e81d264670e9484dbbc7
Author: B Tasker