PROBABLYPWNED
Vulnerabilities · June 27, 2026 · 4 min read

Chrome Ad Blocker with 10M Users Has Dormant Backdoor

Island researchers discover Adblock for YouTube extension contains remote-controlled script injection capability that could steal passwords with a single server-side change.

Marcus Chen

A Chrome extension with over 10 million installs and a Featured badge on the Chrome Web Store contains dormant code capable of executing arbitrary JavaScript on any website a user visits. Security researchers at Island disclosed the findings on June 25, warning that activating the capability requires nothing more than a single change to the extension's servers—no update, no Google review.

TL;DR

  • What happened: "Adblock for YouTube" extension contains hidden script injection infrastructure
  • Who's affected: 10+ million Chrome users with the extension installed
  • Severity: Dormant but weaponizable with one server-side config change
  • Action required: Consider removing the extension until the capability is addressed

The Extension

Adblock for YouTube (Chrome Web Store ID: cmedhionkhpnakcndndgjdbohmhepckk) launched in 2014 and changed ownership in 2018. Despite the Featured badge—Google's signal that an extension meets Chrome's quality standards—Island researchers Oleg Zaytsev and Shachar Gritzman found it harbors what they describe as "the architectural ingredients for arbitrary JavaScript execution."

The extension works by fetching a configuration file from its own servers once daily. That configuration controls which JavaScript snippets run on pages the user visits. Among the extension's scriptlet library is a function called trusted-create-element that can inject HTML elements into any page.

The problem: if the server sends script as the element type along with JavaScript content, that code executes in the page's context with full access to whatever the user can see—passwords, session tokens, form data.

A Trivial Bypass

Making things worse, the validation meant to restrict the extension to YouTube is trivially bypassable. The check merely searches for the string "youtube.com" anywhere in a URL. An attacker could exploit this by creating domains like fake-youtube.com.attacker.net or simply embedding the string in URL parameters.
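The two defects described above (a config entry that can become a script element, and a substring check standing in for a host check) are both fixable on the extension side. The following is an added example written for this article, not code from the extension or from Island's report; the config entry shape ({ scriptlet, tag, attrs, text }) is an assumption, as is the allowlist itself.

```javascript
// Added example, not the extension's code. Shows a real hostname match
// instead of a substring search, and an allowlist of element types so a
// remote config entry can never become a <script>. Entry shape is assumed.

// Weak check as the article describes it: "youtube.com" anywhere in the URL.
function isYouTubeUrlWeak(url) {
  return url.includes("youtube.com");
}

// Hardened check: parse the URL, require http(s), and compare the hostname
// against an allowlist (exact match or a subdomain of an allowed host).
const ALLOWED_HOSTS = ["youtube.com"];
function isYouTubeUrlStrict(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  const host = parsed.hostname.toLowerCase();
  return ALLOWED_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Element types and attributes a remote config may request. Anything that can
// execute or load code (script, iframe, object, embed, on* handlers, src/href)
// is absent, so no server-side change can smuggle it in through this path.
const ALLOWED_TAGS = new Set(["div", "span", "style"]);
const ALLOWED_ATTRS = new Set(["id", "class", "style"]);

// Returns the reasons an entry is rejected; an empty list means it is accepted.
function validateEntry(entry) {
  const problems = [];
  if (entry.scriptlet !== "trusted-create-element") {
    problems.push("unknown scriptlet: " + entry.scriptlet);
  }
  const tag = String(entry.tag || "").toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) problems.push("tag not allowed: " + tag);
  for (const name of Object.keys(entry.attrs || {})) {
    if (!ALLOWED_ATTRS.has(name.toLowerCase())) problems.push("attr not allowed: " + name);
  }
  return problems;
}

// Keeps only entries that pass both checks for the page the script runs on.
// Text for an accepted element should be set via textContent, never innerHTML.
function acceptedEntries(config, pageUrl) {
  if (!isYouTubeUrlStrict(pageUrl)) return [];
  return (config.entries || []).filter((e) => validateEntry(e).length === 0);
}
```

The weak check accepts a URL whose hostname merely contains the string, while the strict check rejects it and also drops any entry whose tag is not on the allowlist, regardless of what the server sends.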

Island's analysis confirmed the injection mechanisms have been present continuously since February 2025. The capability appears dormant—there's no evidence the operators are currently stealing data or deploying malware. But the architecture means compromise requires zero user action and zero Google approval once the server-side switch is flipped.

Related Removals

The discovery becomes more concerning in context. Three other extensions sharing infrastructure with Adblock for YouTube have already been removed from the Chrome Web Store for malware:

  • Adblock for Chrome (onomjaelhagjjojbkcafidnepbfkpnee)
  • Adblock for You (ogcaehilhagjjojmajoempaflmdci)
  • AdBlock Suite (gekoepiplklhniacchbbgbhilidiojmb)

Palo Alto Networks Unit 42 has independently identified 18 related brand-impersonation extensions. The pattern suggests an operation systematically planting backdoored ad blockers on the Chrome Web Store, possibly waiting to monetize access at scale.

This follows a broader trend of malicious browser extensions abusing the trust users place in the Chrome Web Store's vetting process.

The Unistream Connection

The extension previously contained the Unistream SDK, an ad-injection framework that was removed in June 2024. That removal may have been a calculated move to clean up the extension's reputation while preserving more covert monetization options through the script injection capability.

Extensions with this type of dormant malicious code represent a particularly difficult threat model. They pass automated scans because the malicious behavior hasn't been activated. Manual review would need to understand not just what the code does, but what it could do if server-side configuration changed.

What Users Should Do

Users running Adblock for YouTube should consider removing it until Island's findings are addressed. Chrome provides native ad-blocking capabilities in some contexts, and alternatives from more established security-conscious publishers exist.

To check if you have the extension installed:

  1. Navigate to chrome://extensions/
  2. Search for "Adblock for YouTube"
  3. Check the extension ID matches cmedhionkhpnakcndndgjdbohmhepckk

For broader browser security guidance, our online safety tips guide covers extension hygiene and other defensive measures.

Why This Matters

Browser extensions operate with extraordinary privileges. They can read and modify page content, intercept network requests, and access data across all sites a user visits. The Chrome Web Store's Featured badge creates false confidence that extensions bearing it have been thoroughly vetted.

This incident demonstrates that even long-standing, popular extensions with official endorsements can contain latent threats. The 10+ million install count means compromising this single extension could enable password theft, session hijacking, or cryptocurrency wallet draining at massive scale—all without distributing new malware.

The discovery also highlights a gap in browser security architecture. Extensions fetch configurations and resources from remote servers continuously, but those server-side changes face no review. An extension can pass every Google policy check on submission and still become malicious days, months, or years later through server-side updates that trigger dormant code.

Until browser vendors implement stronger controls over extension-to-server communication, users bear the burden of vetting not just what extensions do today, but what they might do tomorrow.
