Popular Chrome Ad Blocker Exposes Script Injection Risk

"It also contains the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed," researchers Oleg Zaytsev and Shachar Gritzman wrote in a report shared with The Hacker News.

The subject of that warning is Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), a Google Chrome extension with more than 10 million installs and a Featured badge on the Chrome Web Store. Marketed as a tool to prevent ads — including preroll ads — on YouTube and on external sites that load YouTube, the extension includes code paths that can, if activated, inject arbitrary JavaScript into pages visited by users.

How the injection capability is built: "trusted-create-element"

Island's analysis, replicated in reporting by The Hacker News, found a bespoke scriptlet rule in the extension's code named "trusted-create-element." That rule allows the creation of arbitrary <script> elements that can execute JavaScript in the context of any webpage the browser visits. According to the researchers, the mechanism has been present in the extension's remote-controlled script paths since February 2025.

The critical detail is not merely that the code exists, but how it can be enabled: by a single configuration change on the extension's server. Researchers stressed the capability was "dormant, not absent" at the time of analysis; activating it would require no extension update, no Chrome Web Store review, and would leave no visible change to users, creating the potential to read pages, steal data, or act as the user inside personal accounts and admin panels, the report said.

Permissions, URL checking, and the all-site attack surface

Contrary to the extension's name and stated focus, Island found the add-on runs on every website a user visits. The code adds a check intended to activate behavior only when the current URL contains "youtube.com," but the check merely searches for the string anywhere in the URL rather than validating the hostname, frame origin, or the embedded-player context.

Researchers demonstrated that the check can be trivially bypassed by embedding "youtube.com" in a parameter or path component of unrelated URLs. Examples given include:

  • www.facebook.com/page?ref=youtube.com
  • bank.example.com/search?q=youtube.com
  • internal.corp.com/redirect?from=youtube.com

Because the extension requests broad permissions typical of ad blockers — to inspect requests, alter pages, and hide elements — the combination of all-site access and a remotely controllable injection path magnifies potential risk, Island warned.
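
The substring check described above, set beside a hostname-based check, as an added example (not code from the extension or from the researchers' report). `substringCheck` reconstructs the described behaviour; the function names, the `https:`-only rule, and every sample URL after the article's three are assumptions made for illustration.

```javascript
// Added example. substringCheck reconstructs the behaviour the article
// describes; it is not code taken from the extension.
function substringCheck(href) {
  return href.includes("youtube.com"); // also matches query strings and paths
}

// Hardened form: parse the URL, then match the hostname only.
function hostnameCheck(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return false; // unparseable input never counts as YouTube
  }
  if (url.protocol !== "https:") return false; // assumption: HTTPS pages only
  // WHATWG URL parsing lowercases the host; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  // Exact match or a subdomain on a label boundary, so that
  // "notyoutube.com" does not pass.
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// The first three URLs are the article's examples (scheme added);
// the remaining four are constructed for this example.
const SAMPLE_URLS = [
  "https://www.facebook.com/page?ref=youtube.com",
  "https://bank.example.com/search?q=youtube.com",
  "https://internal.corp.com/redirect?from=youtube.com",
  "https://files.example.net/youtube.com/index.html",
  "https://notyoutube.com/",
  "https://www.youtube.com/watch?v=constructed",
  "https://music.youtube.com/",
];

// Run both checks over each URL.
function compareChecks(urls) {
  return urls.map((href) => ({
    href,
    substring: substringCheck(href),
    hostname: hostnameCheck(href),
  }));
}

// URLs the substring check accepts but the hostname check rejects.
function falseMatches(urls) {
  return compareChecks(urls)
    .filter((r) => r.substring && !r.hostname)
    .map((r) => r.href);
}

console.table(compareChecks(SAMPLE_URLS));
```

This covers only the hostname part of the validation the researchers mention; frame origin and embedded-player context need separate checks. In an extension, the same restriction can also be expressed as host match patterns in the manifest, so the content script never loads on unrelated sites.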

History: ownership change and prior ad-injection SDK

Adblock for YouTube has been available on the Chrome Web Store since 2014. The extension changed ownership four years later. Early iterations of the add-on shipped with an ad-injection software development kit named Unistream SDK; that SDK was removed in June 2024, the analysis notes.

Island also flagged ties between this extension and other ad-blocking extensions that were removed from the Chrome Web Store for malware. The report lists three related extensions that have been taken down, including their extension IDs:

  • Adblock for Chrome (ID: onomjaelhagjjojbkcafidnepbfkpnee)
  • Adblock for You (ID: ogcaehilgakehloljjmajoempaflmdci)
  • AdBlock Suite (ID: gekoepiplklhniacchbbgbhilidiojmb)

What this means for technologists, enterprises, and end users

  • Technologists and security teams: The ability to toggle a powerful injection feature by changing a server-side configuration — without an update or store review — creates a new operational risk vector to monitor in browser extension inventories and allowlists.
  • Enterprises and procurement leaders: Extensions that claim narrow functionality but run on all sites and request broad permissions should be evaluated for provenance and historical behavior, particularly when related extensions have been removed for malware.
  • End users: Although there is no evidence in the published report that the capability has been used to deliver a malicious payload, the mere presence of dormant remote-controlled injection code, combined with the extension's large install base, raises privacy and security concerns that users may want to weigh before installing or keeping the add-on.

Wider context and final note

The disclosure arrives alongside separate findings from Palo Alto Networks Unit 42, which reported detecting 18 browser extensions impersonating consumer brands and seeking to monetize through affiliate marketing; Unit 42 said those extensions open a .shop domain on installation and then guide users to install additional software.

The Hacker News contacted the developer of Adblock for YouTube for comment and said it will update the story if a response is received. For now the facts are straightforward: an extension with more than 10 million installs contains code that can be remotely activated to inject scripts across the web, activation requires only a server-side flip, and related prior behavior and removals increase the stakes. Whether that dormant capability remains unused or becomes weaponized depends on decisions outside the user's control — by the extension's operator and by the platform's oversight mechanisms.

Original reporting: https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html