How Adblock for YouTube Put 10 Million Chrome Users at Risk

CyberSecureFox Editorial Team

Researchers at Island reported that the browser extension Adblock for YouTube (identifier cmedhionkhpnakcndndgjdbohmhepckk) contains a dormant mechanism that allows arbitrary JavaScript code to be executed on any sites visited by the user. The extension, available in the Chrome Web Store with a “Featured” label and more than 10 million installs, was not delivering malicious commands at the time of analysis — however, all of the infrastructure needed for an attack is already built into the code and can be activated with a single change to the server configuration. Users are advised to immediately remove the extension and switch to vetted alternatives.

Architecture of the hidden threat

According to Island’s researchers, the extension does perform its stated function — blocking ads on YouTube. However, in parallel it implements a remote script-injection mechanism that is architecturally separated from the core ad-blocking functionality.

The key element of this mechanism is a custom rule called trusted-create-element, which has reportedly been present in the extension since February 2025. This rule makes it possible to create arbitrary <script> elements and gain access to sensitive data on the page. Crucially, activating this mechanism requires only a configuration change on the controlling server — no re-review in the Chrome Web Store and no extension update are needed.

This means that Google’s standard review process for extension updates is completely bypassed. The code has already passed review and is installed on users’ devices — all that remains is to “flip the switch” on the server.

Excessive permissions and URL validation flaws

The extension’s permission model presents an additional problem. Despite the name, which suggests it only operates on YouTube, the extension requests and receives permission to run on all sites visited by the user.

According to the researchers, the extension’s activation logic triggers whenever the string youtube.com is found anywhere in the URL — without validating the hostname or the frame’s origin. This opens the door to attacks using addresses such as:

  • bank.example.com/search?q=youtube.com
  • internal.corp.com/redirect?from=youtube.com

In this way, an attacker can provoke execution of the extension’s code on an arbitrary site simply by including the string “youtube.com” in URL parameters — in a search query, redirect parameter, or path.
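To make the flaw described above concrete, the following added example (not code from the extension or from Island's report) contrasts a substring-style activation check with a hostname-based one, run over constructed sample URLs that include the two patterns quoted in the article. The function names and sample URLs are assumptions for illustration; in a real content script the same check would be applied to the frame's own location rather than to any URL string.

```javascript
// Weak check: activates if "youtube.com" appears anywhere in the URL string,
// including the path, the query string or a look-alike hostname.
function weakMatch(url) {
  return url.includes("youtube.com");
}

// Strict check: parse the URL and compare only the hostname, accepting
// youtube.com and its subdomains. Malformed URLs and non-web schemes
// never activate.
function strictMatch(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not a parseable URL
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return false;
  }
  const host = parsed.hostname.toLowerCase();
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample URLs (hostnames here are placeholders, not real targets).
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=EXAMPLE",
  "https://bank.example.com/search?q=youtube.com",
  "https://internal.corp.com/redirect?from=youtube.com",
  "https://youtube.com.evil.example/",
  "https://example.com/youtube.com/page",
  "not a url",
];

// Side-by-side result for each URL.
function compareChecks(urls) {
  return urls.map((u) => ({ url: u, weak: weakMatch(u), strict: strictMatch(u) }));
}

// URLs on which the weak check would activate but the strict check would not:
// exactly the over-activation the article describes.
function overActivations(urls) {
  return urls.filter((u) => weakMatch(u) && !strictMatch(u));
}

console.table(compareChecks(SAMPLE_URLS));
```

A defender reviewing an extension can apply the same test to its activation logic: any match that is not derived from a parsed hostname (or from manifest match patterns) should be treated as a finding.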

Assessment of potential impact

By Island’s assessment, if activated, the mechanism could potentially allow:

  • Reading the contents of any open pages, including banking interfaces and corporate dashboards
  • Stealing form data, authorization tokens, and cookies
  • Performing actions on behalf of the user in personal accounts, business applications, and administrative panels

The scale of potential damage is defined by an install base of more than 10 million users. At the same time, the “Featured” badge in the Chrome Web Store creates a false sense of security for users — this label is perceived as a mark of quality and vetting by Google.

Important caveat: the researchers emphasize that at the time of analysis they did not find evidence of the mechanism being actively used to deliver malicious payloads. The server was not issuing commands to activate the trusted-create-element rule. The threat remains potential, not confirmed as being exploited in the wild.

Historical background

According to the researchers, the Adblock for YouTube extension appeared in the Chrome Web Store in 2014. Early versions reportedly contained the Unistream advertising SDK, which injected ads into website pages — an ironic choice for a tool intended to block advertising. This component was removed in June 2024.

It should be noted that a number of historical details — including the change of ownership of the extension and its relationship to other ad blockers removed from the Chrome Web Store — are based on a single Island study and have not been confirmed by independent sources. Google had not issued an official statement on this incident at the time of publication.

Recommendations

Given the nature of the mechanism that was discovered, the following steps are recommended:

  1. Immediately remove the extension Adblock for YouTube (identifier cmedhionkhpnakcndndgjdbohmhepckk) via Chrome’s extension management menu (chrome://extensions).
  2. Audit your installed extensions — review the permissions they request. An extension that claims to work with a single site but requests access to all sites is a red flag.
  3. Switch to vetted alternatives with open source code — uBlock Origin remains the most transparent solution for ad blocking.
  4. For corporate environments: use Chrome Group Policies (ExtensionInstallBlocklist) to forcibly remove the extension from managed devices and consider implementing allowlists of approved extensions.
  5. Change passwords for critical services if the extension was installed for an extended period — as a precaution, despite the lack of confirmed exploitation.

This case highlights a fundamental weakness in the browser extension security model: code that passed review at publication can radically change its behavior through server-side configuration without being rechecked. Until Google implements mechanisms to control dynamically loaded rules and server configurations for extensions, the only reliable protection is to minimize the number of installed extensions and favor open-source solutions with active community auditing.
