BadBlocker: 11 Million Users, One Server Call Away from Compromise
June 25, 2026
Security Research
Inside “Adblock for YouTube,” a trusted Chrome extension whose permissions and architecture could, with one server-side change, be weaponized to read your pages, steal your data, and act as you inside your browser.
Oleg Zaytsev, Product Security Researcher
Shachar Gritzman, Senior Security Researcher
TL;DR

Adblock for YouTube (cmedhionkhpnakcndndgjdbohmhepckk) is a Chrome Web Store extension with over 11 million installs and a 4.4-star rating. It blocks ads on YouTube and it works well.

It also contains the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed. In practical terms, that could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions.

We have not observed a malicious payload being delivered to users. What we found is a capability, one that exists today, in production, in 11 million browsers. Combine that with the suspicious profile of a developer whose extension history includes Chrome Web Store removals for malware, and the risk becomes hard to dismiss.

The extension that 11 million people trust

Search "youtube adblock" in the Chrome Web Store and the first result is Adblock for YouTube. People install it for the obvious reason: they don't want to sit through ads on YouTube, whether they're watching a tutorial, a product demo, or a funny cat compilation video on their lunch break. It has over 11 million installs, 374,000 reviews, and a 4.4-star rating. Among the hundreds of thousands of extensions in the store, it ranks #31 overall. It does what it says: it blocks ads on YouTube. Millions of people run it, including employees inside enterprise environments, and none of them have ever had a reason to think twice about it.
Figure 1: Screenshot of “Adblock for YouTube™” on the Chrome Web Store, showing its 11M+ installs

The extension has been on the Chrome Web Store since 2014, accumulating years of code changes, ownership changes, and quiet shifts in what it could do inside the browser. More on that later.

A trusted category with dangerous permissions

Ad blockers get unusual trust because they do unusual work. To block ads, they often need to inspect requests, change pages, hide elements, and react quickly when ad systems change.

That makes broad permissions easier to justify in this category than almost anywhere else. Users expect ad blockers to be powerful. Store reviewers expect them to ask for sensitive access. The category gets a level of permission tolerance most extensions would never receive.

That permission tolerance is the risk. Mature ad blockers have spent years building safer ways to use broad access, so they can adapt to changing ad systems without giving the backend open-ended control over what happens inside the page. When that boundary disappears, the same trust that makes ad blockers useful becomes a direct path into the user’s browser.
Figure 2: Ad blockers are often granted powerful browser permissions more easily than other extensions

A YouTube-only extension that runs everywhere

Adblock for YouTube is not a general-purpose ad blocker. Its promise is narrower: block ads on YouTube.

But open the manifest, and the first thing you see is this:

"host_permissions": ["<all_urls>"] means the extension can run on every website the browser visits: webmail, banking, SaaS apps, admin consoles, internal tools, everything.

But this is Adblock for YouTube. Why would a YouTube ad blocker need access to every page?

You could argue that YouTube ads are dynamic, or that YouTube players are embedded on third-party websites. That is fair. A YouTube ad blocker may need some flexibility beyond youtube.com. But that flexibility should still be tied to YouTube: YouTube origins, YouTube frames, player URLs, or request patterns related to YouTube playback. It should not require a blank check across the web.

The code includes a check that appears intended to limit where injection runs. Before injection, the extension checks whether the current URL contains “youtube.com”:

    var isAdBlockWorksOnPage = function(url) {
        return /youtube\.com/.test(url);
    };

On paper, this looks like a gatekeeper: the extension asks for access to every site, but claims to run only when YouTube is involved. In practice, the check does not validate the hostname, frame origin, or embedded player context. It only checks whether the string youtube.com appears anywhere in the full URL.

These all...
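To make the gap in that check concrete, here is an added example (not code from the extension or from the original post) that runs the quoted substring test next to a hostname-based test over constructed URLs. The `YOUTUBE_HOSTS` allowlist, the function names `isYouTubeOrigin`, `compare` and `disagreements`, and every sample URL are assumptions made for illustration.

```javascript
// Added example: the page's substring check beside a hostname-based check.
// All URLs below are constructed for illustration.

// The check as quoted on the page: matches "youtube.com" anywhere in the URL.
const isAdBlockWorksOnPage = (url) => /youtube\.com/.test(url);

// Hypothetical allowlist (assumption): hosts that serve YouTube pages or players.
const YOUTUBE_HOSTS = ["youtube.com", "youtube-nocookie.com"];

// Hardened variant: parse the URL, require http(s), and compare the hostname
// against the allowlist on a DNS label boundary.
function isYouTubeOrigin(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never treated as YouTube
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  return YOUTUBE_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

const samples = [
  "https://www.youtube.com/watch?v=abc",              // real YouTube host
  "https://m.youtube.com/",                           // real YouTube subdomain
  "https://bank.example/login?next=youtube.com",      // string in the query
  "https://youtube.com.other.example/",               // string as a left-hand label
  "https://notyoutube.com/",                          // string inside another domain
  "https://intranet.example/wiki/youtube.com-policy", // string in the path
  "not a url youtube.com",                            // not a URL at all
];

// Evaluate both checks for each URL.
function compare(urls) {
  return urls.map((url) => ({
    url,
    substring: isAdBlockWorksOnPage(url),
    hostname: isYouTubeOrigin(url),
  }));
}

// URLs the substring check accepts but the hostname check rejects.
function disagreements(urls) {
  return compare(urls).filter((r) => r.substring && !r.hostname).map((r) => r.url);
}

console.table(compare(samples));
```

A hostname check like this only narrows where the extension chooses to act; it does not reduce what the broad host permission in the manifest allows.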