Adblock for YouTube Chrome Extension Hides Dormant JavaScript Injection

Written by:
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Extension Identified: Adblock for YouTube, a Chrome extension with more than 10 million installs, was flagged for hidden risk.
  • Threat Type: Researchers found dormant JavaScript injection paths capable of running code in users' browsers.
  • Impact: The extension has more than 10 million installs and a Featured badge on the Chrome Web Store.

Dormant JavaScript injection capabilities were discovered inside Adblock for YouTube, a popular Chrome extension with over 10 million installs. The finding highlights how widely trusted browser add-ons can quietly carry the means to execute unauthorized code on millions of devices.

What Island Found in Adblock for YouTube

According to browser security company Island, the extension contained dormant JavaScript injection paths, meaning the code needed to deliver and execute JavaScript was already in place but not currently triggered. The capability was present despite the extension's stated purpose of blocking ads on YouTube.

Because the check only verifies whether the YouTube string appears anywhere in the full URL and does not validate the hostname, frame origin, or embedded player context, a URL can get past the gatekeeper simply by containing youtube.com anywhere in it.
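The gap between the substring test described above and a parsed-hostname check, as an added example that is not Island's or the extension's own code: `substringGate` is a reconstruction of the described behaviour, `hostnameGate` and `findBypasses` are hypothetical names, and every URL is constructed.

```javascript
// Added illustration; not the extension's code. All URLs below are constructed.

// Gate as the article describes it: passes if the string appears anywhere in the URL.
function substringGate(url) {
  return url.includes("youtube.com");
}

// Hardened gate: parse the URL and compare the hostname, never the raw string.
function hostnameGate(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input never passes
  }
  if (parsed.protocol !== "https:") return false; // assumption: HTTPS only
  // Normalise case and a trailing root dot ("www.youtube.com.").
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  // The leading dot in the suffix test enforces a label boundary.
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample set: two genuine hosts, five lookalikes.
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=constructed",
  "https://m.youtube.com/",
  "https://app.example.com/home?ref=youtube.com", // string in the query
  "https://example.org/youtube.com/index.html",   // string in the path
  "https://youtube.com.example.net/",             // lookalike subdomain
  "https://not-a-real-youtube.com/",              // suffix without a dot boundary
  "https://youtube.com@example.net/",             // userinfo; real host is example.net
];

// URLs the substring gate accepts but the hostname gate rejects.
function findBypasses(urls) {
  return urls.filter((u) => substringGate(u) && !hostnameGate(u));
}

console.log(findBypasses(SAMPLE_URLS));
```

The hostname check covers only the first of the three gaps the report names; frame origin and embedded player context need separate validation.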

Ad blockers are often granted powerful browser permissions more easily than other extensions | Source: Island

If activated, JavaScript injection could allow an extension to manipulate page content, interact with the sites a user visits, and run code in the context of the browser, all without the user's knowledge.

Architecture diagram showing how a remotely fetched scriptlet rule could lead to MAIN-world JavaScript execution inside a user’s browser session | Source: Island

In the proof of concept, researchers saw the extension open, in the user’s authenticated browser session, a Salesforce URL containing youtube.com in the query string. The URL passes the checks, and the extension then reads account data visible to the user and sends it back to the mock server.

Timeline of key events in the extension’s history | Source: Island

Related extensions that have been taken down include:

Implications for Chrome Extension Security

The discovery underscores the persistent risk posed by Chrome extensions that request broad permissions and reach large install bases. An extension with 10 million installs offers an enormous potential footprint should dormant functionality be switched on.

“The entire chain requires one server-side configuration change,” the report said. “No extension update, no new Chrome Web Store review, and no visible change to the user.” Recommendations include:

In February, a security researcher discovered a high-severity Chrome zero-day vulnerability that enabled remote code execution.