Adblock for YouTube extension flagged for security risk
Mon, 29th Jun 2026
Island has disclosed a security risk in the Chrome extension Adblock for YouTube, which the Chrome Web Store lists as having more than 11 million installs.
The extension contains a dormant mechanism that could allow arbitrary JavaScript execution on websites visited by users if its server-side configuration were changed, according to Island. The company said it found no evidence that a malicious payload had been sent to users.
Researchers Oleg Zaytsev, Product Security Researcher, and Shachar Gritzman, Senior Security Researcher, said the extension requests permission to run on all websites despite being marketed as a tool for blocking adverts on YouTube. Their analysis found that this access could extend to webmail, banking sites, software-as-a-service applications, admin consoles, and internal corporate tools.
The issue centres on how the extension decides where to operate and how it receives rules from a remote server. According to the analysis, it checks whether a visited URL contains the text "youtube.com" before injecting code, but does not verify the actual hostname or frame origin.
As a result, URLs on unrelated sites can pass the check if the string appears in a query parameter or elsewhere in the address. Examples included pages on Facebook, banking sites, and internal corporate systems where "youtube.com" appeared in the URL.
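The difference between the substring test described above and a hostname comparison, as an added example that is not code from the extension or from Island's report. The function names, the allowlist, the HTTPS requirement and the sample URLs are assumptions constructed for illustration.

```javascript
// Added illustration; names and sample URLs are constructed for this example.

// The check as the article describes it: a substring test on the full URL.
function substringCheck(url) {
  return url.includes("youtube.com");
}

// Hardened form: parse the URL and compare its hostname against an allowlist.
const ALLOWED_HOSTS = ["youtube.com"]; // assumption: the only domain in scope

function hostnameCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input never matches
  }
  if (parsed.protocol !== "https:") return false; // assumption: HTTPS pages only
  const host = parsed.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  // Exact match or a true subdomain; "notyoutube.com" and "youtube.com.example.net" fail.
  return ALLOWED_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Constructed sample URLs: one genuine, four that merely contain the string.
const SAMPLES = [
  "https://www.youtube.com/watch?v=abc",
  "https://bank.example/login?next=youtube.com",
  "https://intranet.example/wiki/youtube.com-policy",
  "https://youtube.com.example.net/",
  "https://notyoutube.com/",
];

// Run both checks over the same URLs so the disagreement is visible side by side.
function compare(urls) {
  return urls.map((u) => ({
    url: u,
    substring: substringCheck(u),
    hostname: hostnameCheck(u),
  }));
}

console.table(compare(SAMPLES));
```

In an extension, the hostname check would be applied to the URL of the frame the code is about to run in, not only to the tab's address.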
The extension also fetches configuration data from a remote server every 24 hours, Island said. The response includes ad-blocking rules and a field called scripletsRules, which the researchers said can instruct the extension to run scriptlets inside web pages.
In its analysis, Island described one scriptlet, trusted-create-element, as especially sensitive because it could create a script element on a page with server-supplied content. If activated by a server-side change, the company said, that route could allow code to run in the context of a user's browser session without requiring an extension update or a new review in the Chrome Web Store.
The researchers tested the execution path with a proof of concept using a local mock server. In that setup, they said, the extension first received a selected scriptlet while on YouTube, then opened a Salesforce URL containing the text "youtube.com" in the query string. The same scriptlet then ran inside the authenticated Salesforce session and sent account data back to the mock server.
Island said the extension itself was not modified during the test. The chain relied on the existing package, current permissions, the URL check, and the extension's scriptlet library.
Extension history
The analysis also examined the extension's development history. Adblock for YouTube has been available in the Chrome Web Store since 2014, but ownership changed around 2018 and the codebase was substantially rewritten, according to Island.
Earlier versions did not show the current remote-controlled script injection architecture, the company said. After the ownership change, the product's user base grew from hundreds of thousands to more than 10 million, while its backend infrastructure and public listing changed over time.
The report also linked Adblock for YouTube to other ad-blocking extensions later removed from the Chrome Web Store for malware. Those included Adblock for Chrome and Adblock for You, which Island said were promoted through related infrastructure and shared several technical patterns, including all-site access, remote configuration, and code injection into the main page context.
Adblock for Chrome was highlighted as a particularly relevant case because historical versions included a bridge that allowed page-injected code to call privileged Chrome extension APIs. Island noted that Google later removed that extension from the store for malware, a move also documented by GitLab's Threat Intelligence team.
The security company also said earlier builds of Adblock for YouTube included the Unistream SDK, which it described as an ad-injection software development kit associated with adware activity and previously flagged by Bitdefender. That SDK was removed in June 2024, but earlier versions also contained remote-controlled script injection paths, according to the report.
Enterprise risk
The findings add to concerns about browser extensions in corporate environments, where workers often install tools that can access pages containing email, source code, customer records, and administrative systems. Because extensions operate inside browser sessions, they can sit within the same authenticated environment used for single sign-on and internal applications.
Island argued that the main risk in this case is not the extension's current behaviour as an ad blocker, but the degree of control retained by the operator through remote configuration. Static reviews may show an extension performing a legitimate task, while a later server-side instruction could alter what it does inside the browser.
Organisations should compare requested host permissions with an extension's stated purpose, watch for software that fetches external configuration to control page injection, and monitor ownership and permission changes over time, Island said. The company also argued that browsers should be treated as managed endpoints because they are now where much day-to-day work is done.
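One way to automate the first of those recommendations, comparing requested host permissions with the stated purpose, as an added example that is not from Island's report. The manifest is constructed, and the function names and the expected-domain list are assumptions; the manifest keys are the standard Chrome extension ones.

```javascript
// Added illustration; the manifest below is constructed, not taken from any real extension.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every host match pattern a manifest requests (MV2 and MV3 keys).
function requestedPatterns(manifest) {
  const isPattern = (p) => p === "<all_urls>" || p.includes("://");
  const scripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.permissions || []).filter(isPattern), // MV2 mixes hosts into permissions
    ...scripts,
  ];
}

// Host part of a match pattern such as "*://*.youtube.com/*" -> "*.youtube.com".
function patternHost(pattern) {
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m ? m[1].toLowerCase() : null;
}

// Flag patterns that reach beyond the domains the listing's stated purpose implies.
function auditManifest(manifest, expectedDomains) {
  const findings = [];
  for (const pattern of new Set(requestedPatterns(manifest))) {
    const host = patternHost(pattern);
    if (BROAD.has(pattern) || host === "*") {
      findings.push({ pattern, issue: "all-sites access" });
      continue;
    }
    const bare = host === null ? "" : host.replace(/^\*\./, "");
    const inScope = expectedDomains.some((d) => bare === d || bare.endsWith("." + d));
    if (!inScope) findings.push({ pattern, issue: "outside stated purpose" });
  }
  return findings;
}

// Constructed manifest for a hypothetical single-site ad blocker.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example video ad blocker",
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*.youtube.com/*", "*://*.example.org/*"], js: ["content.js"] }],
};

console.log(auditManifest(SAMPLE_MANIFEST, ["youtube.com"]));
```

A manifest audit only covers the static side; remote configuration that drives page injection has to be found by reviewing the extension's network behaviour and code.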
"We did not observe active exploitation. We observed a risk profile that deserves serious attention," Zaytsev and Gritzman said.