854
AdNauseam is a uBlock fork that goes further: it actively attacks marketers by auto-clicking every ad before blocking (adnauseam.io)
submitted 3 weeks ago by joshchandra@midwest.social to c/technology@lemmy.world
73 comments fedilink hide all child comments

It garbles advertisers' data as a result, but you must disable uBlock Origin to run it; they can't work simultaneously. I recently moved to it and, so far, am never looking back!

you are viewing a single comment's thread
view the rest of the comments
[-] DarkSurferZA@lemmy.world 37 points 3 weeks ago

So the way I understand this to work, it's 100% safe from the type of attack you're describing.

You are clicking the link (asking the advertiser for the data) but then never actually fetching it.

So you can never get the malicious payload to be infected.

[-] Goretantath@lemm.ee 4 points 3 weeks ago

Im too scared to trust it works out fine in the end to use it, been raised on the idea that interacting with an ad in any way other than task managering the pop up is dangerous. Wheres the part of the code that makes it safe and a write up of how it functions, otherwise im fine just blocking ads with regular ublock.

[-] lime@feddit.nu 16 points 3 weeks ago

the part that's safe is in the browser. it's a basic fact of how http requests work that you can just request data and then not read it.

also, "task managering the popups"? unless i've missed some very weird development that has literally never worked, because popup windows are part of the parent process.

[-] medgremlin@midwest.social 4 points 3 weeks ago* (last edited 3 weeks ago)

Back on Windows 95 through XP, each individual window was a process that could be killed in Task Manager, and popups opened in a new window.

[-] lime@feddit.nu 4 points 3 weeks ago

really? sounds like a weird span of systems considering they share so little code. i'd like to read on how they did that.

[-] SaltySalamander@fedia.io 5 points 3 weeks ago

It's wholly incorrect.

[-] medgremlin@midwest.social 1 points 3 weeks ago

I was fairly young, but I do remember using Windows 95 or 98 with Netscape and there were popups that had to be killed through the task manager (or equivalent, it was 30 years ago, so I don't remember precisely).

[-] techt@lemmy.world 4 points 3 weeks ago* (last edited 3 weeks ago)

Here you go, from the repo:

  const visitAd = function (ad) {
    function timeoutError(xhr) {
      return onVisitError.call(xhr, {
        type: 'timeout'
      });
    }

    const url = ad && ad.targetUrl, now = markActivity();

    // tell menu/vault we have a new attempt
    broadcast({
      what: 'adAttempt',
      ad: ad
    });

    if (xhr) {

      if (xhr.delegate.attemptedTs) {

        const elapsed = (now - xhr.delegate.attemptedTs);

        // TODO: why does this happen... a redirect?
        warn('[TRYING] Attempt to reuse xhr from ' + elapsed + " ms ago");

        if (elapsed > visitTimeout)
          timeoutError();
      }
      else {

        warn('[TRYING] Attempt to reuse xhr with no attemptedTs!!', xhr);
      }
    }

    ad.attempts++;
    ad.attemptedTs = now;

    if (!validateTarget(ad)) return deleteAd(ad);

    return sendXhr(ad);
    // return openAdInNewTab(ad);
    // return popUnderAd(ad)
  };

  const sendXhr = function (ad) {

    // if we've parsed an obfuscated target, use it
    const target = ad.parsedTargetUrl || ad.targetUrl;

    log('[TRYING] ' + adinfo(ad), ad.targetUrl);

    xhr = new XMLHttpRequest();

    try {
      xhr.open('get', target, true);
      xhr.withCredentials = true;
      xhr.delegate = ad;
      xhr.timeout = visitTimeout;
      xhr.onload = onVisitResponse;
      xhr.onerror = onVisitError;
      xhr.ontimeout = onVisitError;
      xhr.responseType = ''; // 'document'?;
      xhr.send();
    } catch (e) {
      onVisitError.call(xhr, e);
    }
  }

  const onVisitResponse = function () {

    this.onload = this.onerror = this.ontimeout = null;

    markActivity();

    const ad = this.delegate;

    if (!ad) {

      return err('Request received without Ad: ' + this.responseURL);
    }

    if (!ad.id) {

      return warn("Visit response from deleted ad! ", ad);
    }

    ad.attemptedTs = 0; // reset as visit no longer in progress

    const status = this.status || 200, html = this.responseText;

    if (failAllVisits || status < 200 || status >= 300) {
      return onVisitError.call(this, {
        status: status,
        responseText: html
      });
    }

    try {

      if (!isFacebookExternal(this, ad)) {

        updateAdOnSuccess(this, ad, parseTitle(this));
      }

    } catch (e) {

      warn(e.message);
    }

    xhr = null; // end the visit
  };

That's pretty much it! Let me know if it doesn't make sense, I can annotate it

this post was submitted on 02 Apr 2025
854 points (100.0% liked)

Technology

69298 readers
3589 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws