An analysis of the popular **Google Chrome** ad block extension for YouTube has uncovered a significant security vulnerability: the ability to execute arbitrary JavaScript code. According to security firm **Island**, the extension, named **Adblock for YouTube** (ID: cmedhionkhpnakcndndgjdbohmhepckk), boasts more than 10 million installs and holds a **Featured badge** on the **Chrome Web Store**. ### Hidden Capabilities and Potential Risks The extension's description promises to block ads, including pre-roll ads, on **YouTube** and external sites that embed **YouTube** content. While it delivers on this core functionality, researchers Oleg Zaytsev and Shachar Gritzman from **Island** revealed a more concerning capability. "It also contains the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed," the researchers stated in their report. "In practical terms, that could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions." It's crucial to note that there is currently no evidence of malicious payloads being distributed through this mechanism. However, the mere presence of this capability, combined with its ties to other ad-blocking extensions previously removed from the storefront for malware, raises serious privacy and security concerns. ### Troubling Connections and History **Island** highlighted a list of related ad-blocking extensions that have been taken down from the **Chrome Web Store**: * Adblock for Chrome (ID: onomjaelhagjjojbkcafidnepbfkpnee) * Adblock for You (ID: ogcaehilgakehloljjmajoempaflmdci) * AdBlock Suite (ID: gekoepiplklhniacchbbgbhilidiojmb) **Adblock for YouTube** has been available on the **Chrome Web Store** since 2014. After starting as a basic ad blocker, it underwent an ownership change four years later. Earlier versions of the extension were found to include an ad-injection software development kit (SDK) called **Unistream SDK**, which was removed in June 2024.  ### Persistent Vulnerability and Bypass Methods Despite the removal of the **Unistream SDK**, remote-controlled script injection paths have been consistently present since February 2025 (likely a typo, intended as 2015 or earlier), enabling the creation of arbitrary `<script>` elements. This is facilitated by a custom scriptlet rule, "trusted-create-element," defined by the extension's author, which can access sensitive data. "At the time of our analysis, trusted-create-element was not active in the server response," the researchers explained. "The capability is dormant, not absent. Activating it requires a single server-side change, no extension update, no store review." The risk is further exacerbated by the extensive permissions typically requested by ad blocker extensions, which allow them to inspect requests, alter pages, hide elements, and adapt to evolving ad systems. Counter-intuitively, the extension operates on every website a user visits, despite a check designed to activate only when the URL contains "youtube.com." However, this check is easily bypassed as it merely verifies the presence of the string "youtube.com" anywhere in the URL, failing to validate the hostname, frame origin, or embedded player context. This allows for trivial bypasses through URL patterns such as: * `www.facebook.com/page?ref=youtube.com` * `bank.example.com/search?q=youtube.com` * `internal.corp.com/redirect?from=youtube.com` **Island** summarized the severity: "The concern is not a single suspicious line of code. It is the combination: a high-install extension with all-site access, a remote-controlled injection path, prior ad-injection infrastructure, a major ownership and codebase change, and related extensions that were removed from the Chrome Web Store for malware." ### Broader Extension Risks This disclosure follows a separate report from **Palo Alto Networks Unit 42**, which identified 18 browser extensions impersonating consumer brands. These extensions aimed to monetize through affiliate marketing. "Upon installation, all extensions open the .shop domain in a new tab," **Unit 42** stated. "The .shop domain redirects to another domain. The domain presents a page citing that further action is required. The page cites incompatibility issues and asks users to install a gaming-oriented browser." These incidents underscore the critical need for users and organizations to exercise extreme caution when installing browser extensions, even those with high ratings or official endorsements.