Chrome Ad Blocker with 10M+ Installs Found to Have Malicious Script Injection Capability

An analysis of a popular YouTube ad-blocking extension for Google Chrome revealed that it has the capability to run malicious JavaScript code.

According to Island, the extension, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), has over 10 million installs and carries the Chrome Web Store Featured badge.

The extension description says it allows users to block web page features such as ads, including pre-written ads, from being displayed on video sharing sites, as well as on external sites that host YouTube videos. While the add-on provides the promised functionality, it also has the capability to execute arbitrary JavaScript code.

“It also contains the building blocks for arbitrary JavaScript execution on any website, activated by a unilateral server configuration change, without an extension update, without a store update, and without a visible sign that anything has changed,” said researchers Oleg Zaytsev and Shachar Gritzman in a report shared with Hacker News.

“In practical terms, that can mean reading pages, stealing data, and acting as a user within personal accounts, work applications, control panels, and other sensitive browser sessions.”

It’s worth emphasizing that there is no evidence a malicious payload has been distributed to users in this way, but the mere existence of the capability, combined with links to other ad-blocking extensions removed from the Chrome Web Store for malware, raises privacy and security risks, Island added.

The related extensions that have been removed are listed below –

  • Adblock for Chrome (ID: onomjaelhagjjojbkcafidnepbfkpnee)
  • Adblock for You (ID: ogcaehilgakehloljjmajoempaflmdci)
  • AdBlock Suite (ID: gekoepiplklhniacchbbgbhilidiojmb)

Adblock for YouTube has been in the Chrome Web Store since 2014, starting out as a basic YouTube blocker before changing ownership four years later. An early iteration of the extension was found to ship with an ad injection software development kit (SDK) called Unistream SDK, although it was removed in June 2024.

What has remained constant is the presence of a remote script injection capability since February 2025, which opens the door to the creation of inappropriate “

“At the time of our analysis, the trusted-creation factor was not working on the server’s response,” the researchers explained. “The ability is static; it doesn’t exist. Enabling it requires one server-side change, no extension update, no store update.”

Adding to the risk is the fact that ad-blocking extensions often request extensive permissions to inspect requests, change pages, hide features, and adjust their behavior as ad systems change.

Specifically, it was found that, contrary to its name, the extension runs on every website the user visits in the browser, gated only by a check that the current URL contains “youtube.com.” In practice, however, the check only verifies whether the string “youtube.com” appears anywhere in the URL; it does not verify the hostname, the frame origin, or the embedded player context.

This means that the check can be partially bypassed by placing youtube.com anywhere in the URL, as in the following URL patterns –

  • www.facebook.com/page?ref=youtube.com
  • bank.example.com/search?q=youtube.com
  • internal.corp.com/redirect?from=youtube.com
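The difference between a substring match and a hostname check is the core of the finding above. The following is an added example, not code from the extension or from Island’s report: it contrasts a naive `includes("youtube.com")` style check with one that parses the URL and compares the hostname, and runs both against constructed sample URLs (the three patterns listed above plus two genuine YouTube addresses and one host that merely begins with the string). The function names and the sample URLs are assumptions made for the illustration.

```javascript
// Added example (not the extension's own code): substring-style site check
// versus a hostname-based check, evaluated over constructed sample URLs.

// Naive check: true whenever the text "youtube.com" appears anywhere in the
// URL, including in a query string or a path. This is the pattern the
// article describes.
function naiveYouTubeCheck(url) {
  return url.includes("youtube.com");
}

// Hostname-based check: parses the URL and compares only the host part,
// accepting youtube.com itself and its subdomains (e.g. www.youtube.com).
function hostnameYouTubeCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable input never matches
  }
  // Only web origins are relevant for a content script.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return false;
  }
  const host = parsed.hostname.toLowerCase();
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample URLs (assumed for this example): the three patterns
// from the article, two real-looking YouTube pages, and a host that merely
// starts with "youtube.com".
const SAMPLE_URLS = [
  "https://www.facebook.com/page?ref=youtube.com",
  "https://bank.example.com/search?q=youtube.com",
  "https://internal.corp.com/redirect?from=youtube.com",
  "https://www.youtube.com/watch?v=EXAMPLE_ID",
  "https://youtube.com/",
  "https://youtube.com.example.net/",
];

// Evaluate both checks over a list of URLs and return the verdicts.
function compareChecks(urls) {
  return urls.map((url) => ({
    url,
    naive: naiveYouTubeCheck(url),
    hostname: hostnameYouTubeCheck(url),
  }));
}

// Stand-alone usage: print a verdict table.
for (const row of compareChecks(SAMPLE_URLS)) {
  console.log(
    `${row.url}\n  substring check: ${row.naive}  hostname check: ${row.hostname}`
  );
}
```

The substring check returns true for all six inputs, so a content script guarded by it would run on the bank and intranet pages exactly as the article describes; the hostname check accepts only the two genuine YouTube addresses. Note that even a correct hostname check on the top-level page does not cover the frame-origin case the researchers mention: a content script injected into an iframe should test its own `location`, not the parent page’s.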

“The concern is not one suspicious line of code,” Island said. “It’s a combination: a high-profile extension with site-wide access, a remote injection mechanism, an ad injection infrastructure, massive ownership and codebase changes, and related extensions that have been removed from the Chrome Web Store for malware.”

Hacker News has reached out to the developer of the extension for comment, and we’ll update the story if we hear back.

The disclosure comes as Palo Alto Networks Unit 42 said it found 18 browser extensions masquerading as consumer products for the purpose of monetizing affiliate marketing.

“When installed, all extensions open the .shop domain in a new tab,” Unit 42 said. “The .shop domain redirects to another domain. The domain presents a page stating that further action is required. The page cites incompatibility issues and asks users to install a gaming-oriented browser.”
