Popular Chrome Ad Blocker Poses Security Risks with Hidden Script Injection

A widely used Google Chrome extension, ‘Adblock for YouTube,’ has been found to contain a mechanism for executing arbitrary JavaScript code, raising significant security concerns. The extension, which has over 10 million installations and a ‘Featured’ badge on the Chrome Web Store, is designed to block ads on YouTube and on other sites that embed YouTube content.

While the extension blocks ads as advertised, researchers have discovered that it also includes mechanisms for injecting arbitrary JavaScript code into web pages. This functionality can be activated remotely by the extension’s developers without shipping an update or triggering a Chrome Web Store review. Because the injected code runs in the context of the pages a user visits, such a capability could enable unauthorized access to sensitive user data across a wide range of websites.

Although there is no current evidence that this feature has been used maliciously, the mere presence of a dormant, remotely triggerable injection capability poses a significant risk. Notably, other ad-blocking extensions associated with the same developers have been removed from the Chrome Web Store over malware concerns, including ‘Adblock for Chrome,’ ‘Adblock for You,’ and ‘AdBlock Suite.’

‘Adblock for YouTube’ has been available since 2014, initially serving as a basic ad blocker for YouTube. In 2018, the extension changed ownership, and earlier versions included an ad-injection software development kit (SDK) known as Unistream SDK, which was removed in June 2024. However, since February 2025, the extension has incorporated remote-controlled script injection capabilities, allowing the creation of arbitrary ‘