- A Chrome ad blocker with over 10 million installs can be configured to execute arbitrary JavaScript code remotely.
- The extension, Adblock for YouTube, runs on all websites, not just YouTube, due to a flawed URL check.
- The dormant capability requires only a server-side change, not an extension update or store review, to activate.
- Researchers found ties to several other ad-blocking extensions previously removed from the Chrome Web Store for malware.
A popular Google Chrome extension used to block ads on YouTube poses a significant security risk, according to researchers from Island. Their analysis, detailed in a report, reveals the “Adblock for YouTube” extension has the hidden ability to execute arbitrary JavaScript code on any website a user visits. This widely installed tool, which carries a Featured badge on the Chrome Web Store, has more than 10 million users.
The extension’s description promises to block ads on YouTube and external sites. However, researchers Oleg Zaytsev and Shachar Gritzman discovered it contains “the architectural ingredients for arbitrary JavaScript execution.” They stated this capability could be activated by “a single server-side configuration change, without an extension update.” Consequently, a malicious actor could potentially read pages and steal sensitive data from personal or work accounts.
This risk is heightened because the extension runs on every website, not just YouTube.com. Its security check only looks for the “youtube.com” string anywhere in a URL rather than validating the hostname, a flaw that is easily bypassed. For example, a visit to “bank.example.com/search?q=youtube.com” would trigger the extension. Separately, the extension has historical connections to other ad blockers, such as Adblock for Chrome, that were removed from the Chrome Web Store for malware.
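The following is an added illustration, not code from the extension or from Island’s report, of why a substring match over the whole URL is the wrong check and what a hostname-based check looks like instead. The function names and the sample URLs are constructed for this example; the `bank.example.com` case is the one quoted in the article.

```javascript
// Added example (not the extension's actual code): a substring-based URL
// check of the kind described in the report, beside a hostname-based one.

// Naive check: matches the string "youtube.com" anywhere in the URL,
// including the path, query string and fragment.
function naiveIsYouTube(url) {
  return url.includes("youtube.com");
}

// Hardened check: parse the URL with the WHATWG URL parser and compare the
// hostname exactly, accepting only youtube.com itself and its subdomains.
function hostnameIsYouTube(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparsable input is never treated as YouTube
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  const host = parsed.hostname; // already lowercased by the URL parser
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample URLs: two real YouTube pages, three look-alikes that a
// substring match accepts, and one string that is not a URL at all.
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=abc123",
  "https://m.youtube.com/",
  "https://bank.example.com/search?q=youtube.com",
  "https://youtube.com.evil.example/login",
  "https://evil.example/#youtube.com",
  "not a url",
];

// Run both checks over the sample and return one row per URL so the
// difference between the two checks is visible side by side.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    naive: naiveIsYouTube(url),
    hardened: hostnameIsYouTube(url),
  }));
}

// Number of non-YouTube pages on which the naive check would activate.
function overReachCount(urls = SAMPLE_URLS) {
  return compareChecks(urls).filter((r) => r.naive && !r.hardened).length;
}

// Stand-alone run (CommonJS only); prints the comparison table.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.table(compareChecks());
  console.log("naive check over-reaches on", overReachCount(), "of", SAMPLE_URLS.length, "sample URLs");
}
```

Over the constructed sample, the naive check fires on three pages that are not YouTube at all, while the hostname check fires only on the two genuine YouTube origins. When reviewing an extension, the same hostname test is what to look for in its content-script gating, together with whether its manifest requests access to all sites in the first place.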
The researchers emphasized that the dangerous script injection path has been present since February 2025. They noted, “The capability is dormant, not absent.” Island’s report stresses the combination of factors: high install counts, all-site access, and a remote-controlled injection path. The Hacker News has reached out to the developer for comment. This disclosure follows Palo Alto Networks Unit 42 finding 18 malicious browser extensions, as detailed in their threat intelligence report.
