AdGuard Messed Up Their Logging
- Morris Richman
- 2 hours ago
- 2 min read
If you had a conversation with me, there is a good chance you would very quickly hear about my passion for cybersecurity. I first started toying with security research mid-2024. I wanted to understand how systems worked and it was a super fun outlet to do that while simultaneously try to break things. This is my first real public disclosure of how I discovered a security vulnerability.
The Discovery
While "breaking things," I discovered some serious privacy flaws in MacOS's logging system in regards to system apps. That deserves it's own post and totally will be coming at some point, but while looking for additional flaws, I came across a very interesting log message.
Time | Process | Message |
06:47:04.135296-0700 | AdGuardForSafariExtension | AG: Page url: https://google.com |
AdGuard for Safari was printing the url of every request that it encountered via Safari. A vulnerability now also known as CVE-2025-51497.
Reporting The Vulnerability
I reported the vulnerability to AdGuard and Andrey Meshkov, CTO & Co-Founder of AdGuard, responded relatively quickly. Unfortunately, they actually now had two different logging vulnerabilities on their hands and intially confused my report with another vulnerability. Multiple other users had reported logs for actively blocked urls being printed to a file in the sandbox container. This was not too bad since it did not reveal a user's browsing history on its own, but my discovery definitely did.
I then did not hear anything for a few days, so I went looking. It turns out that AdGuard for Safari is entirely open source on GitHub. Given that, I was able to locate the single line of code responsible for this breach in privacy (linked here). I shared the responsible code with Meshkov, and he offered me a small bounty soon after.
Addressing the Vulnerability
This vulnerability was addressed in AdGuard for Safari version 1.11.22 on May 6th 2025 and has been given the CVE number 2025-51497. This logging capability is now disabled by default and can only happen when Verbose Logging is enabled.
If you use AdGuard for Safari and are not already up to date, you can update it via the App Store.
Thank you to Andrey Meshkov and the rest of the team at AdGuard for fixing this so quickly.
Got Questions?
DM or Tweet at me: @morrisinlife
Email me: morris@mcrich23.com