
>But I don't know how to make an adblocker, so I decided to report the issue to Google in August 2023. It was patched in Chrome 118 by checking whether extensions using opt_webViewInstanceId actually had WebView permissions. For the report, I netted a massive reward of $0. They decided it wasn't a security issue, and honestly, I agree, because it didn't give extensions access to data they didn't already have.

The effort to overcome the community's chance at discovering the workaround?



It was never going to last long enough anyways, being sure to get patched as soon as any adblocker uses it.

It's however still interesting in the sense that it might be fairly trivial to change, so chances are the next adblockers are going to ship executables that wrap Chrome, modifying something like that at launch, allowing their extension to make use of it.

Obviously Google is going to hate it when random popular extensions start nagging users to download and install "companion" software in order to work, since that will train users to not think twice about these things and bypasses legitimate security efforts.

But Google made their own bed - and that of their users. Now they all get to lie in it together.


Once the legitimate adblock extensions have made the tech news cycle by switching to an executable, all the sketchy adblock extensions will follow, and after them the downright malicious but heavily advertised adblock extensions. Before long Google will have plenty of examples to point to of adblockers shipping malware, allowing them to scare off all the tech-illiterate people (who are the vast majority of users).


Meanwhile, mobile Safari literally has a menu item to allow you to use Firefox for ad blocking.


The blog post shows clear effort that falls under the "hacker" umbrella. That I respect.

The author informing Google of the exploit was not the complaint of the parent comment which I took issue with.



