Analysis of a popular Google Chrome ad-blocking extension for YouTube has revealed that it is capable of executing arbitrary JavaScript code.
According to Island, the extension, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), has over 10 million installs and holds a Featured badge on the Chrome Web Store.
The extension description states that it allows users to prevent web page elements such as ads, including preroll ads, from appearing on video sharing platforms as well as external sites that load YouTube. While the add-on provides the promised functionality, it also includes capabilities to run arbitrary JavaScript code.
“It also includes architectural tools for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without any extension update, without store review, and without any visual indication that something has changed,” researchers Oleg Zaytsev and Shachar Gritzman said in a report shared with The Hacker News.
“In practice, this could mean reading pages, stealing data, and impersonating users inside personal accounts, work apps, admin panels, and other sensitive browser sessions.”
It’s important to emphasize here that there is no evidence of malicious payloads being delivered to users in this manner, but the mere presence of the capability, combined with other ad-blocking extensions that have since been removed from storefronts for malware, raises privacy and security risks, Island said.
The related extensions that were removed are listed below –
- AdBlock for Chrome (ID: onomjaelagjjojbkcafidnepbfkpnee)
- Adblock for you (ID: ogcaehilgakehloljjmajoempaflmdci)
- AdBlock Suite (ID: gekoepiplklhniacchbbgbhilidiojmb)
Adblock for YouTube has been on the Chrome Web Store since 2014, starting as a basic YouTube ad blocker before changing ownership four years later. Early iterations of the extension were found to be shipped with an ad-injection software development kit (SDK) called Unistream SDK, although this was removed in June 2024.
A remote-controlled script injection path has persisted since February 2025: a bespoke scriptlet rule (“trusted-create-element”) defined by the extension author can be used to create arbitrary `<script>` elements, which can, in turn, access sensitive data.
“At the time of our analysis, the trusted-create-element server was not active in response,” the researchers reported. “The capability is dormant, not absent. It requires a single server-side change, no extension update, no store review to activate.”
Further increasing the risk is the fact that ad blocking extensions typically request broad permissions to inspect requests, change pages, hide elements, and adjust their behavior as ad systems evolve.
Specifically, contrary to its name, the extension was found to run on every website the user visits in the browser, with a check meant to activate it only if the current URL contains “youtube.com”. In reality, the check only verifies that the string “youtube.com” appears somewhere in the URL; it does not validate the hostname, frame origin, or embedded player context.
This means that the check can be bypassed by inserting youtube.com anywhere in the URL, as shown in the following URL patterns –
- www.facebook.com/page?ref=youtube.com
- bank.example.com/search?q=youtube.com
- internal.corp.com/redirect?from=youtube.com
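The gap between the two checks, as an added example that is not the extension's code: `substringCheck` reconstructs the behaviour described above, while `hostnameCheck` and its `ALLOWED_HOSTS` list are hypothetical names for a check that parses the URL and validates only the hostname (frame origin and embedded player context are not covered). The sample URLs are constructed, with a scheme added to the three patterns so they parse.

```javascript
// Substring test as the article describes it (a reconstruction, not the extension's source).
function substringCheck(url) {
  return url.includes("youtube.com");
}

// Hypothetical allowlist for this example; adjust to the hosts actually needed.
const ALLOWED_HOSTS = ["youtube.com"];

// Hardened check: parse the URL and compare the hostname on a label boundary.
function hostnameCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input never matches
  }
  if (parsed.protocol !== "https:") return false;
  const host = parsed.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return ALLOWED_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Constructed samples: one genuine URL, the article's three patterns,
// and hostname edge cases a suffix or substring comparison gets wrong.
const SAMPLES = [
  "https://www.youtube.com/watch?v=abc",
  "https://www.facebook.com/page?ref=youtube.com",
  "https://bank.example.com/search?q=youtube.com",
  "https://internal.corp.com/redirect?from=youtube.com",
  "https://youtube.com.example.net/",  // allowlisted name used as a subdomain label
  "https://notyoutube.com/",           // suffix match without a dot boundary
  "https://youtube.com@example.net/",  // name appears in the userinfo part
  "not a url youtube.com",             // not parseable as a URL
];

// Evaluate both checks for each URL so the results can be compared side by side.
function compare(urls) {
  return urls.map((url) => ({
    url,
    substring: substringCheck(url),
    hostname: hostnameCheck(url),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(`${row.substring}\t${row.hostname}\t${row.url}`);
}
```

Every sample passes the substring test, while only the first passes the hostname test.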
“There is not a single suspicious line of code that is of concern,” Island said. “It is the combination of: a highly-installed extension with all-site access, a remote-controlled injection path, former ad-injection infrastructure, a major ownership and codebase change, and associated extensions that were removed from the Chrome Web Store for malware.”
The Hacker News has contacted the extension’s developer for comment, and we will update the story if we hear back.
The revelation came after Palo Alto Networks Unit 42 said it had detected 18 browser extensions impersonating consumer brands for the purpose of monetizing through affiliate marketing.
“Upon installation, all extensions open the .shop domain in a new tab,” Unit 42 states. “The .shop domain redirects to another domain. The domain presents a page saying that further action is required. The page cites incompatibility issues and asks users to install a gaming-oriented browser.”