Researchers found that the Adblock for YouTube Chrome extension, with over 10 million installs, can be configured to execute arbitrary JavaScript code on any website through a server-side change. While no malicious payload has been observed, its remote script injection capability, prior ad-injection history, and ties to removed extensions raise serious privacy and security concerns. #AdblockforYouTube #UnistreamSDK #ChromeWebStore
Key points
- Adblock for YouTube can run arbitrary JavaScript through a server-side configuration change.
- The extension has more than 10 million installs and a Featured badge on the Chrome Web Store.
- Researchers found dormant remote-controlled script injection paths and a custom scriptlet rule called trusted-create-element.
- The YouTube-only check can be bypassed by placing youtube.com anywhere in a URL.
- Related extensions such as Adblock for Chrome, Adblock for You, and AdBlock Suite were removed from the store.
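The gap between a substring test and a parsed-hostname test for a YouTube-only restriction, shown as an added example that is not the extension's code and not from the original article. The function names, the allowlist and the sample URLs are assumptions constructed for illustration; the weak function only models the behaviour described in the key points.

```javascript
// Added illustration; not the extension's code. All names here are hypothetical.

// Weak form: models a check that passes when "youtube.com" appears anywhere in the URL.
function isYouTubeSubstring(url) {
  return url.includes("youtube.com");
}

// Hardened form: parse the URL, then compare the hostname against an allowlist.
const ALLOWED_HOSTS = new Set(["youtube.com"]);

function isYouTubeHost(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparsable input is never treated as YouTube
  }
  if (parsed.protocol !== "https:") return false;
  // Normalise case and drop a trailing root dot before comparing.
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  for (const allowed of ALLOWED_HOSTS) {
    // Exact match, or a true subdomain (label boundary enforced by the leading dot).
    if (host === allowed || host.endsWith("." + allowed)) return true;
  }
  return false;
}

// Constructed sample URLs (example.test is a reserved test domain).
const SAMPLES = [
  "https://www.youtube.com/watch?v=abc",
  "https://example.test/page?ref=youtube.com",
  "https://youtube.com.example.test/",
  "https://example.test/youtube.com/index.html",
  "https://youtube.com@example.test/",
  "https://notyoutube.com/",
];

// URLs where the two checks disagree are the ones a substring test wrongly accepts.
function disagreements(urls) {
  return urls.filter((u) => isYouTubeSubstring(u) !== isYouTubeHost(u));
}

console.log(disagreements(SAMPLES));
```

When reviewing an extension, the same comparison applies to any code path that gates script injection on a URL: the decision should come from the parsed hostname, not from the raw string.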
Read More: https://thehackernews.com/2026/06/chrome-ad-blocker-with-10m-installs.html