Ethical Hacking News
A popular Google Chrome ad block extension for YouTube, Adblock for YouTube, with over 10 million installations, has been found to possess dormant script injection capability, raising significant privacy and security concerns among researchers and security experts.
A popular Google Chrome ad block extension for YouTube, Adblock for YouTube, has been found to have dormant security risks. The extension's script injection capability can be activated by a single server-side configuration change, allowing hackers to access sensitive data and impersonate users. There is currently no evidence of a malicious payload being distributed to users, but the presence of this capability raises significant privacy and security concerns. The extension has been on the Chrome Web Store since 2014, with ties to other ad-blocking extensions that have been removed for malware. The extension's remote-controlled script injection path can be activated by making a single server-side configuration change, granting access to sensitive data. Users are advised to exercise caution when installing third-party browser extensions due to the potential risks posed by extensions like Adblock for YouTube.
A recent discovery has shed light on a popular Google Chrome ad block extension for YouTube, dubbed Adblock for YouTube, which has garnered over 10 million installations and carries a Featured badge on the Chrome Web Store. This revelation highlights the potential security risks associated with the extension's dormant script injection capability, leaving users vulnerable to malicious activities.
The researchers who uncovered this vulnerability, Oleg Zaytsev and Shachar Gritzman of Island, reported that Adblock for YouTube possesses the architectural ingredients necessary for arbitrary JavaScript execution on any website. This feature can be activated by a single server-side configuration change, allowing the extension to run without an update or review, and without any visible signs indicating that something has changed.
In practical terms, this means that the extension could potentially allow hackers to access sensitive data, read pages, steal information, and even impersonate users within personal accounts, work apps, admin panels, and other secure browser sessions. While there is currently no evidence of a malicious payload being distributed to users in this manner, the mere presence of this capability coupled with ties to other ad-blocking extensions that have been removed from the storefront for malware raises significant privacy and security concerns.
The researchers also found that Adblock for YouTube has been on the Chrome Web Store since 2014, starting off as a basic YouTube ad blocker. However, early iterations of the extension were discovered to contain an ad-injection software development kit named Unistream SDK, which was later removed in June 2024.
Furthermore, it was determined that Adblock for YouTube has a dormant remote-controlled script injection path since February 2025. This capability can be activated by making a single server-side configuration change, allowing the extension to run arbitrary "
