An analysis of a popular Google Chrome ad block extension for YouTube has uncovered the ability to execute arbitrary JavaScript code.
According to Island, the extension, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), has more than 10 million installs and carries a Featured badge on the Chrome Web Store.
The extension description states that it allows users to prevent web page elements like ads, including preroll ads, from being displayed on the video sharing platform, as well as on external sites that load YouTube. While the add-on offers the promised functionality, it also features capabilities to run arbitrary JavaScript code.
“It also contains the architectural components for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed,” researchers Oleg Zaytsev and Shachar Gritzman said in a report shared with The Hacker News.
“In practical terms, that could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions.”
It's worth emphasizing here that there is no evidence a malicious payload has been distributed to users in this manner, but the mere presence of the capability, coupled with ties to other ad-blocking extensions that have since been removed from the storefront for malware, raises privacy and security risks, Island added.
The list of related extensions that have been taken down is below –
- Adblock for Chrome (ID: onomjaelhagjjojbkcafidnepbfkpnee)
- Adblock for You (ID: ogcaehilgakehloljjmajoempaflmdci)
- AdBlock Suite (ID: gekoepiplklhniacchbbgbhilidiojmb)
Adblock for YouTube has been on the Chrome Web Store since 2014, starting off as a basic YouTube ad blocker before it changed ownership four years later. Early iterations of the extension were found to ship with an ad-injection software development kit (SDK) named Unistream SDK, although it was removed in June 2024.
What’s been fixed is the presence of remote-controlled script injection paths since February 2025, opening the door to the creation of arbitrary “
“At the time of our analysis, trusted-create-element was not active in the server response,” the researchers explained. “The capability is dormant, not absent. Activating it requires a single server-side change, no extension update, no store review.”
Compounding the risk further is the fact that ad blocker extensions typically request extensive permissions to inspect requests, alter pages, hide elements, and adjust their behavior as ad systems evolve.
Specifically, it has been found that, contrary to its name, the extension runs on every website a user visits in the browser, while adding a check that activates only when the current URL contains “youtube.com.” However, in reality, the check only verifies whether the string “youtube.com” appears anywhere in the URL, and does not validate the hostname, frame origin, or embedded player context.
This means that the check can be trivially bypassed by placing youtube.com anywhere in the URL, as depicted in the following URL patterns –
- www.facebook.com/page?ref=youtube.com
- bank.example.com/search?q=youtube.com
- internal.corp.com/redirect?from=youtube.com
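The following is an added example, not code from the report or from the extension itself: it contrasts the substring gate described above with a check that validates the parsed hostname, run over constructed sample URLs that include the three patterns listed above.

```javascript
// Added example (not the extension's or Island's code). All sample URLs
// below are constructed for illustration.

// The weak pattern: matches "youtube.com" anywhere in the URL string,
// so query strings and paths on unrelated origins also pass.
function substringCheck(url) {
  return url.includes("youtube.com");
}

// Hostname-based check: parse the URL with the WHATWG URL API and require
// the host to be youtube.com itself or a subdomain of it (dot boundary,
// so "notyoutube.com" and "youtube.com.evil.example" do not match).
function hostnameCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparsable input is never a match
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  const host = parsed.hostname.toLowerCase();
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed samples: two genuine YouTube pages, the three patterns from
// the article, and two lookalike hosts.
const SAMPLES = [
  "https://www.youtube.com/watch?v=abc",
  "https://m.youtube.com/",
  "https://www.facebook.com/page?ref=youtube.com",
  "https://bank.example.com/search?q=youtube.com",
  "https://internal.corp.com/redirect?from=youtube.com",
  "https://youtube.com.evil.example/",
  "https://notyoutube.com/",
];

// URLs the substring check accepts but the hostname check rejects, i.e. the
// non-YouTube pages on which an "only on youtube.com" gate would activate.
function falsePositives(urls = SAMPLES) {
  return urls.filter((u) => substringCheck(u) && !hostnameCheck(u));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(falsePositives()); // lists the five non-YouTube samples
}
```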
“The concern is not a single suspicious line of code,” Island said. “It's the combination: a high-install extension with all-site access, a remote-controlled injection path, prior ad-injection infrastructure, a major ownership and codebase change, and related extensions that were removed from the Chrome Web Store for malware.”
The Hacker News has contacted the developer of the extension for comment, and we'll update the story if we hear back.
The disclosure comes as Palo Alto Networks Unit 42 said it detected 18 browser extensions impersonating consumer brands with an aim to monetize via affiliate marketing.
“Upon installation, all extensions open the .store domain in a new tab,” Unit 42 said. “The .store domain redirects to another domain. The domain presents a page stating that further action is required. The page cites incompatibility issues and asks users to install a gaming-oriented browser.”