A recent analysis has revealed that the popular Google Chrome extension, Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), which boasts over 10 million installs, has the potential to execute arbitrary JavaScript code. This extension, which is designed to block ads on YouTube and other sites, has been flagged for its alarming capabilities.
Extension Capabilities and Risks
According to researchers from Island, the extension contains the necessary architecture to run arbitrary JavaScript on any website. This can be activated by a simple server-side configuration change, without requiring an update to the extension or a review from the Chrome Web Store. The researchers noted, “In practical terms, that could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions.” While there is currently no evidence that malicious payloads have been distributed using this capability, its mere existence poses significant risks.
History of the Extension
Adblock for YouTube has been available on the Chrome Web Store since 2014 and underwent a change in ownership four years later. The extension previously included an ad-injection software development kit (SDK) named Unistream SDK, which was removed in June 2024. However, since February 2025, it has maintained remote-controlled script injection paths that could be used to create arbitrary <script> elements capable of accessing sensitive user data.
Concerns Over Permissions and Functionality
The extension requests extensive permissions that enable it to inspect requests, alter pages, and hide elements. Despite its name, it runs on every website the user visits and activates only when the URL contains “youtube.com”. However, this check can be easily bypassed, raising further security concerns.
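Why a "URL contains youtube.com" gate is weak, shown beside a hostname-based check. This is an added example, not code from the extension or from Island's analysis: it assumes the gate is a plain substring match, and the function names and sample URLs are constructed for illustration.

```javascript
// Added illustration: not the extension's code. Names and sample URLs are constructed.

// Substring gate, modelled on the "URL contains youtube.com" behaviour
// described above (assumed form of the check).
function substringGate(rawUrl) {
  return String(rawUrl).includes("youtube.com");
}

// Hardened gate: parse the URL, then compare scheme and hostname exactly.
function hostnameGate(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never treated as YouTube
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample URLs (example.test is a reserved test domain).
const SAMPLES = [
  "https://www.youtube.com/watch?v=abc",
  "https://music.youtube.com/",
  "https://example.test/search?q=youtube.com",
  "https://youtube.com.example.test/",
  "https://notyoutube.com/",
  "https://example.test/#youtube.com",
  "not a url youtube.com",
];

// URLs where the substring gate fires but the hostname gate refuses.
function disagreements(urls) {
  return urls.filter((u) => substringGate(u) && !hostnameGate(u));
}

for (const u of SAMPLES) {
  const weak = substringGate(u) ? "fires" : "skips";
  const strict = hostnameGate(u) ? "allow" : "deny ";
  console.log(`${weak} / ${strict}  ${u}`);
}
console.log("mismatches:", disagreements(SAMPLES).length);
```

When reviewing an extension's source, any gate of the first form should be treated as matching every site, since the string can appear in a query, fragment, path or unrelated hostname.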
Related Extensions and Ongoing Monitoring
The presence of this capability is compounded by the history of related extensions that have been removed from the Chrome Web Store due to malware concerns. Island emphasized that the combination of a high-install extension with all-site access, a dormant remote-controlled injection path, and previous ad-injection infrastructure heightens the risk profile of Adblock for YouTube. The Hacker News has reached out to the developer for comment and will provide updates as they become available.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








