
The operators of the popular “Adblock for YouTube” Chrome extension could remotely execute JavaScript on websites visited by users through a server-side configuration change.
Island researchers who discovered this found no evidence that the architectural weakness has been abused, but they warn that the extension's design creates a significant security risk because it could be activated without a browser update or Chrome Web Store review.
Shady history
Adblock for YouTube (extension ID cmedhionkhpnakcndndgjdbohmhepckk) has more than 11 million installs, roughly 374,000 reviews, and a 4.4-star rating on the Chrome Web Store.
Island also examined the extension's history, noting it has been available since 2014 but underwent a major ownership change around 2018, followed by substantial code and infrastructure changes.
The report also links Adblock for YouTube to infrastructure previously associated with Adblock for Chrome and Adblock for You, two extensions later removed from the Chrome Web Store for malware. Earlier versions of Adblock for YouTube also included the Unistream SDK, an advertising framework previously associated with adware that was removed in June 2024.

Excessive permissions
The researchers found that the extension requests a Chrome permission that allows it to access every website a user visits, despite being marketed as a YouTube-only ad blocker.
Although the extension attempts to limit where it runs by checking whether a URL contains the string “youtube.com”, the validation does not verify the site's domain. Any URL containing that text, including as a query parameter, passes the check.
Island argues that a YouTube ad blocker should instead restrict itself to YouTube domains, embedded players, or related resources rather than requesting unrestricted access across the web.
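The substring check described above beside a hostname-based check, as an added example that is not the extension's own code; the host allowlist and the sample URLs (including the query-parameter case from the report) are constructed for illustration.

```javascript
// Added example, not code from the Adblock for YouTube extension.
// Assumed allowlist of hosts a YouTube-only extension would need.
const YOUTUBE_HOSTS = ["youtube.com", "youtube-nocookie.com"];

// Weak check: true whenever "youtube.com" appears anywhere in the URL string,
// including inside a path or query parameter on an unrelated site.
function weakIsYouTube(url) {
  return url.includes("youtube.com");
}

// Hardened check: parse the URL and compare the hostname against the allowlist,
// accepting only the exact host or one of its subdomains, and only over https.
function strictIsYouTube(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input never matches
  }
  if (parsed.protocol !== "https:") return false;
  const host = parsed.hostname.toLowerCase();
  return YOUTUBE_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Constructed sample URLs: a real watch page, a non-YouTube site carrying
// "youtube.com" in a query parameter, a look-alike host, and a plain-http page.
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=abc123",
  "https://example.my.salesforce.com/lightning/r/Account/001?ref=youtube.com",
  "https://youtube.com.evil-example.test/",
  "http://www.youtube.com/",
];

// Run both checks over the samples so the difference is visible side by side.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    weak: weakIsYouTube(url),
    strict: strictIsYouTube(url),
  }));
}

console.table(compareChecks());
```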
Remote code execution
The primary concern is the extension's daily request to a remote configuration server at api.adblock-for-youtube.com, which supplies not only ad-blocking rules but also scripletsRules that determine which built-in JavaScript “scriptlets” the extension executes.

While scriptlets are commonly used by ad blockers, Island says this implementation allows the server to decide which scriptlets run and what arguments they receive. One available scriptlet, trusted-create-element, can generate HTML elements, including
Proof-of-concept
To validate the attack path, the researchers configured a local server to return a modified ruleset while leaving the extension itself unchanged.

In their demonstration, the extension injected a script while the user visited YouTube, then opened a Salesforce URL containing youtube.com in a query parameter. Because the URL still matched the extension's simplistic validation, the script also executed on Salesforce, where it accessed data available through the authenticated session and sent it back to the test server.