A widely used Google Chrome extension designed to block YouTube ads has come under scrutiny after security researchers discovered it contains the capability to execute arbitrary JavaScript code.

Although there is no evidence that the feature has been abused, experts say the underlying design creates a significant security risk if activated.

The extension, Adblock for YouTube (Chrome Web Store ID: cmedhionkhpnakcndndgjdbohmhepckk), has been installed by more than 10 million users and carries Google’s Featured badge. Security researchers at Island found that while the extension performs its advertised ad-blocking functions, it also includes a remote-controlled mechanism capable of injecting JavaScript into websites without requiring users to install an update.

According to the researchers, the extension contains a dormant feature that could be enabled through a simple server-side configuration change. If activated, it could create script elements on web pages, potentially allowing attackers to read sensitive information, steal data, or perform actions on behalf of users within logged-in sessions, including personal accounts, business applications, and administrative portals.

The researchers stressed that they found no evidence that malicious code has been delivered to users through this mechanism. However, they argue that the existence of such functionality is concerning because it could be activated without triggering a Chrome Web Store review or notifying users.

Their concerns are amplified by the extension’s history. Originally released in 2014 as a basic YouTube ad blocker, the project changed ownership in 2018. Earlier versions included an ad-injection component known as Unistream SDK, which remained in the extension until its removal in June 2024. Researchers also noted that remote-controlled script injection capabilities have existed in the extension since February 2025.

Another issue involves how the extension determines when it should become active. Although it claims to operate only on YouTube, researchers found that it runs on every website users visit. Instead of verifying that a page actually belongs to YouTube, it simply checks whether the text “youtube.com” appears anywhere in the URL.

This means the restriction can be bypassed by URLs such as:

  • www.facebook.com/page?ref=youtube.com
  • bank.example.com/search?q=youtube.com
  • internal.corp.com/redirect?from=youtube.com

Because of this weak validation, the extension could potentially activate on unrelated websites if a URL contains the string “youtube.com,” even when the site itself has nothing to do with YouTube.
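The difference between the substring test described above and a hostname comparison can be shown side by side. This is an added illustration, not code from the extension or from Island's report; the function names are hypothetical, the example URLs from the list above are given an assumed `https://` scheme, and the remaining sample URLs are constructed.

```javascript
// Added illustration; not the extension's code. All function names are hypothetical.

// Weak check, as the article describes it: the text only has to appear
// somewhere in the URL, including the path or query string.
function substringCheck(url) {
  return url.includes("youtube.com");
}

// Stricter check: parse the URL and compare only the hostname.
function hostnameCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input never matches
  }
  if (parsed.protocol !== "https:") return false;
  // Normalise case and a trailing root dot before comparing.
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  // The leading dot in the suffix test stops "notyoutube.com" from matching.
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// URLs from the article (scheme assumed) plus constructed samples.
const sampleUrls = [
  "https://www.youtube.com/watch?v=example",          // constructed: genuine host
  "https://www.facebook.com/page?ref=youtube.com",
  "https://bank.example.com/search?q=youtube.com",
  "https://internal.corp.com/redirect?from=youtube.com",
  "https://notyoutube.com/",                          // constructed: suffix edge case
];

// Return the URLs the substring test accepts but the hostname test rejects.
function mismatches(urls) {
  return urls.filter((u) => substringCheck(u) && !hostnameCheck(u));
}

for (const u of sampleUrls) {
  console.log(`${u}\n  substring=${substringCheck(u)} hostname=${hostnameCheck(u)}`);
}
console.log(`accepted only by the substring test: ${mismatches(sampleUrls).length}`);
```

In a Chrome extension the same restriction is normally expressed declaratively, with a match pattern such as `*://*.youtube.com/*` in the manifest, so that the script is never loaded on other sites in the first place.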

Island researchers say the overall risk comes from several factors combined rather than a single suspicious feature. The extension has millions of users, broad permissions across all websites, a remote-controlled code injection mechanism, a history of ad-injection infrastructure, significant ownership and codebase changes, and connections to other browser extensions that were previously removed from the Chrome Web Store after being identified as malware.

Those related extensions include:

  • Adblock for Chrome (ID: onomjaelhagjjojbkcafidnepbfkpnee)
  • Adblock for You (ID: ogcaehilgakehloljjmajoempaflmdci)
  • AdBlock Suite (ID: gekoepiplklhniacchbbgbhilidiojmb)

In a separate finding, researchers from Palo Alto Networks’ Unit 42 uncovered 18 malicious browser extensions impersonating well-known consumer brands. After installation, these extensions automatically open a .shop domain that redirects users to a webpage claiming compatibility issues and encouraging them to install a gaming-focused browser. The campaign appears to be designed to generate affiliate marketing revenue while misleading users.


The findings highlight the importance of carefully reviewing browser extensions before installing them, even when they appear popular or carry official badges. Security experts recommend limiting extension permissions, removing unnecessary add-ons, and regularly auditing installed browser extensions to reduce the risk of compromise.
