Researchers have uncovered potentially concerning functionality within Adblock for YouTube, a popular Google Chrome extension that has accumulated more than 10 million installs and carries a Featured badge on Chrome Web Store. According to a report by Island, the extension is capable of executing arbitrary JavaScript code through a dormant feature that can be activated by a single server-side configuration change. The extension is promoted as a tool that blocks advertisements on YouTube and on websites that embed YouTube content, and researchers confirmed it performs that advertised function. However, they also found architectural components that could allow JavaScript code to be executed on any website without requiring users to install an updated version or undergo another Chrome Web Store review. Island researchers Oleg Zaytsev and Shachar Gritzman said that if activated, this capability could allow access to webpage content, sensitive user information, active browser sessions, administrative portals, work applications, and personal online accounts. Although no evidence indicates the feature has been used to distribute malicious code, researchers stressed that the existence of the capability itself creates potential privacy and security concerns.
Island noted that the extension has been available on Chrome Web Store since 2014, originally launching as a simple YouTube advertisement blocker before changing ownership four years later. Earlier versions of the extension included an advertising software development kit known as Unistream SDK, which remained part of the extension until it was removed in June 2024. Researchers said remote-controlled script injection functionality has consistently existed in the extension since February 2025 through a custom script rule known as trusted create element. This feature enables the creation of script elements capable of executing arbitrary JavaScript. At the time of analysis, Island confirmed the capability was inactive because it was not enabled through the server response. Even so, researchers emphasized that activating it would only require a configuration change on the developer’s server without publishing a new extension version. The report also pointed to links between the extension and several related browser add-ons that have already been removed from Chrome Web Store after being identified as malware. These include Adblock for Chrome, Adblock for You, and AdBlock Suite, adding further attention to the extension’s history and development.
The analysis also highlighted concerns regarding the permissions commonly granted to advertisement blocking extensions. Such tools generally require broad access to inspect browser requests, modify webpage content, and adapt their filtering methods as advertising technologies change. Researchers discovered that despite its name, Adblock for YouTube actually operates across every website visited in the browser. While the extension includes a check intended to activate its functions only on YouTube pages, the implementation simply searches for the text “youtube.com” anywhere within a website address instead of verifying the actual website domain or browser context. This means the restriction can be bypassed by including the text “youtube.com” within a URL parameter or search string on unrelated websites, including social media pages, banking portals, and internal corporate websites. According to Island, the primary concern is not one isolated piece of code but the combination of broad website access, remote-controlled script injection capability, previous advertising infrastructure, significant ownership and codebase changes, and links to other extensions previously removed because of malicious activity. The Hacker News reported that it contacted the extension developer for comment but had not received a response at the time of publication.
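The following is an added example, not code from the extension or from Island's report. It places the substring check the researchers describe next to a hostname comparison; the function names and sample URLs are constructed for illustration.

```javascript
// Added example. Function names are hypothetical; the extension's own code is not shown on the page.

// Weak check as the report describes it: substring match anywhere in the address.
function looksLikeYouTubeWeak(url) {
  return url.includes("youtube.com");
}

// Stricter check: parse the URL and compare only the hostname with the expected domain.
function isYouTubeHost(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input never matches
  }
  // Normalise case and a trailing root dot before comparing.
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  // Exact domain or a true subdomain; the leading dot rejects "notyoutube.com".
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample URLs (example.com and example.net are reserved documentation domains).
const SAMPLES = [
  "https://www.youtube.com/watch?v=abc123",
  "https://m.youtube.com/",
  "https://bank.example.com/login?ref=youtube.com",
  "https://intranet.example.net/search?q=youtube.com",
  "https://youtube.com.example.net/",
  "https://notyoutube.com/",
];

// Evaluate both checks for every URL.
function compareChecks(urls) {
  return urls.map((url) => ({
    url,
    weak: looksLikeYouTubeWeak(url),
    strict: isYouTubeHost(url),
  }));
}

// URLs the substring check treats as YouTube although the hostname is not.
function falseMatches(urls) {
  return compareChecks(urls).filter((r) => r.weak && !r.strict).map((r) => r.url);
}

console.table(compareChecks(SAMPLES));
```

When reviewing an extension, the same scoping question applies to its manifest: host match patterns limited to the intended domain constrain where scripts run independently of any runtime string check.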
The findings were disclosed alongside separate research from Palo Alto Networks Unit 42, which identified 18 browser extensions impersonating well-known consumer brands as part of affiliate marketing campaigns. According to Unit 42, these extensions automatically opened a website using the .shop domain after installation. Users were then redirected to another webpage claiming compatibility issues and instructing them to install a gaming-focused browser. Researchers said the campaign was designed to generate revenue through affiliate marketing rather than directly stealing information, but it demonstrates how browser extensions continue to be used for deceptive online activity. Together, the findings highlight the importance of carefully reviewing browser extensions, their permissions, ownership history, and ongoing behavior, even when they appear on official extension marketplaces.