YouTube Ad Blocker with Over 10 Million Downloads Can Execute Arbitrary Code

Summary: A widely distributed YouTube ad blocker extension with over 10 million downloads can be abused through a server-side configuration change to execute arbitrary malicious code; there is no evidence of active abuse to date.

According to security researchers, the Chrome extension “Adblock for YouTube” already contains the architectural foundation to execute arbitrary JavaScript code on any website, without requiring an update or a renewed store review.

Security researchers Oleg Zaytsev and Shachar Gritzman from Iceland have analyzed the extension “Adblock for YouTube”, which has more than ten million installations and is listed in the official Google Chrome Web Store. The investigation reveals that the extension already contains the technical infrastructure for executing arbitrary JavaScript code. This functionality could be activated through a simple server-side configuration change – without an extension update, a renewed store review, or any change visible to the user. As of now, there is no evidence that malicious code has actually been distributed to users.

The vulnerability arises from insufficient security controls: although the extension's name suggests it is intended only for YouTube, it requests extensive permissions for all visited websites. The implemented URL check merely searches for the string “youtube.com” anywhere in the address, so the protection mechanism can be bypassed with a manipulated URL such as “bank.example.com/search?q=youtube.com”. The injection path has existed since February 2025 via a rule named “trusted-create-element”.
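To make the weak check concrete, the following added example (not code from the extension or from the researchers' report) places a substring match of the kind described above beside a hostname-based check, and runs both over constructed sample URLs; the host names in the samples are hypothetical.

```javascript
// Added example: a substring-style origin check beside a hostname check.
// Neither function is the extension's own code; both are illustrative.

// Weak check: passes as soon as "youtube.com" appears anywhere in the URL,
// including in the path or query string of an unrelated site.
function isYouTubeSubstring(url) {
  return url.includes("youtube.com");
}

// Stricter check: parse the URL and compare the hostname itself.
// Only youtube.com and its subdomains (e.g. www.youtube.com) pass;
// a hostname that merely contains the name does not.
function isYouTubeHostname(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable input is never treated as trusted
  }
  const host = parsed.hostname.toLowerCase();
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample URLs (hypothetical hosts, not taken from the report).
const SAMPLES = [
  "https://www.youtube.com/watch?v=example",          // genuine YouTube page
  "https://bank.example.com/search?q=youtube.com",     // name only in the query string
  "https://youtube.com.lookalike.example/",            // hostname merely starts with the name
  "https://example.org/youtube.com/page",              // name only in the path
];

// Evaluate every sample under both checks so the difference is visible.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: u,
    substring: isYouTubeSubstring(u),
    hostname: isYouTubeHostname(u),
  }));
}

console.log(JSON.stringify(compareChecks(SAMPLES), null, 2));
```

Only the first sample passes the hostname check, while all four pass the substring check.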

If the functionality were activated, attackers could extract sensitive data, steal passwords, or perform actions in user accounts. The extension has been in the store since 2014 and changed ownership in 2018. Earlier versions contained an ad injection SDK that was removed in June 2024. Several related extensions such as “Adblock for Chrome”, “Adblock for You” and “AdBlock Suite” have already been removed from the store.

In parallel, Palo Alto Networks Unit 42 uncovered 18 additional browser extensions that imitate established consumer brands to generate revenue through affiliate marketing. These add-ons automatically open a domain after installation that simulates compatibility problems and prompts users to install a special gaming browser.


Source: www.it-daily.net · Published June 27, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.