Adblock for YouTube: 11 Million Installations and a Remotely Activatable Code Injection
An ad-blocking extension installed on over 11 million Chrome browsers contains all the ingredients needed to execute arbitrary JavaScript on any site the user visits. A single server-side change would be enough to activate that capability, with no extension update and no store review. This is the conclusion of an analysis of Adblock for YouTube published by Island Security, a company specializing in enterprise browser security.
The extension is both widespread and well rated: 374,000 reviews, a 4.4-star rating, the 'Featured' badge, and the 31st position by number of installations in the entire Chrome Web Store. Researchers Oleg Zaytsev and Shachar Gritzman did not observe any malicious payload being distributed to users: the scriptlet that would perform the injection, called trusted-create-element, was dormant in the server response at the time of analysis.
A Permission That Covers the Entire Web
The first signal is in the manifest: an extension that presents itself as blocking ads only on YouTube requests the host permission <all_urls>, meaning access to every page the user visits. The check that should confine execution to YouTube pages reduces to a regex that verifies the mere presence of the string youtube.com anywhere in the URL, without validating the hostname, the origin of the frame, or the context of the player. An address like bank.example.com/search?q=youtube.com passes the check.
The activation mechanism is just as straightforward. Every 24 hours, the extension downloads its configuration from a remote endpoint, and the response contains a field called scripletsRules, which decides which scriptlet to execute and with what arguments. Pointing the extension at a local test server, the researchers reconstructed the entire chain in a proof of concept, published together with indicators of compromise: a change in the server response leads to the injection of the scriptlet first on YouTube, then on Salesforce via a URL that contains the string youtube.com, ending in the exfiltration of account data to the server under their control.
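The two ingredients described above, the substring URL check and the config-driven scriptlet dispatch, modelled together in an added example. This is not the extension's code and not Island Security's proof of concept: the field name scripletsRules comes from the analysis, but the rule shape {scriptlet, args}, both config objects and the sample URLs are constructed for illustration. The weak check reproduces the regex behaviour described in the article; the strict check is the hostname comparison a hardened extension would use instead.

```javascript
// Added example, not code from the extension or from Island Security's PoC.
// It models the two ingredients the article describes: a remote config whose
// scripletsRules field selects scriptlets, and a URL check that decides where
// they run. The weak check is the substring regex described in the article;
// the strict check is the hostname comparison a hardened extension would use.
// Both config objects and the sample URLs are constructed for illustration;
// the rule shape {scriptlet, args} is an assumption.

// Dormant response: nothing is selected, so nothing runs anywhere.
const dormantConfig = { scripletsRules: [] };

// "Activated" response: one server-side edit away from the dormant one.
const activeConfig = {
  scripletsRules: [{ scriptlet: "trusted-create-element", args: ["script"] }],
};

// Weak scope check: "youtube.com" anywhere in the URL string is enough.
function weakIsYouTube(url) {
  return /youtube\.com/.test(url);
}

// Strict scope check: parse the URL and compare the hostname exactly, so
// query strings, userinfo and look-alike hosts cannot satisfy it.
function strictIsYouTube(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparsable input is out of scope
  }
  const host = parsed.hostname.toLowerCase();
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Names of the scriptlets that would run on `url` under `config`, given the
// scope check in use.
function scriptletsFor(url, config, isInScope) {
  if (!isInScope(url)) return [];
  return (config.scripletsRules || []).map((rule) => rule.scriptlet);
}

// Constructed page URLs: one real YouTube page, the pattern from the article
// (youtube.com in a query string), and two look-alikes.
const sampleUrls = [
  "https://www.youtube.com/watch?v=abc",
  "https://bank.example.com/search?q=youtube.com",
  "https://youtube.com.evil.example/",
  "https://youtube.com@evil.example/login",
];

// Map each sample URL to the scriptlets it would receive.
function dispatchTable(config, isInScope) {
  const table = {};
  for (const url of sampleUrls) {
    table[url] = scriptletsFor(url, config, isInScope);
  }
  return table;
}

console.log("dormant config, weak check:", dispatchTable(dormantConfig, weakIsYouTube));
console.log("active config, weak check:", dispatchTable(activeConfig, weakIsYouTube));
console.log("active config, strict check:", dispatchTable(activeConfig, strictIsYouTube));
```

With the weak check and the active config, every one of the four sample URLs receives the scriptlet, including the bank page and the userinfo trick (youtube.com@evil.example parses to hostname evil.example). With the strict check only the real www.youtube.com page does, and with the dormant config nothing runs at all, which is exactly why a single change to the server response is the whole activation step.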
A Trail That Goes Back a While
The extension has been available on the Chrome Web Store since 2014; around 2018 it changed ownership and was substantially rewritten, growing from a few hundred thousand to over ten million users. Earlier versions included the Unistream SDK, an ad-injection kit associated with adware activity and reported by Bitdefender; the SDK was removed from the extension in June 2024. Remotely controlled script-injection paths have been present since at least February 2025.
There is also a family link: three extensions tied to the same infrastructure have already been removed by Google for malware, namely Adblock for Chrome, Adblock for You, and AdBlock Suite. In the same weeks, Palo Alto Networks Unit 42 identified 18 extensions impersonating well-known brands to monetize through affiliate links, steering users to a .shop domain that redirects to a gaming-oriented browser.
The point Island Security highlights is the architecture, which would allow an attack to be launched at any time. Store review was passed by code already prepared to change its behavior remotely, and for those who have installed the extension there would be no visible sign of activation. In the meantime, anyone who has Adblock for YouTube among their extensions may consider removing it: the <all_urls> permission alone, visible under the extension's Details on the chrome://extensions page, already warrants a very cautious approach.