Chrome ad blocker script injection discovered in 10M‑plus install extension

An independent security audit has revealed that the Chrome ad blocker script injection flaw resides in a widely‑used extension called Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk). With ↑ 10M installations and a Featured badge on the Chrome Web Store, the add‑on promises a clean viewing experience, yet it can silently execute arbitrary JavaScript.

Chrome ad blocker script injection risk exposed

Researchers from Island detail how the dormant payload activates only when specific conditions are met, effectively turning the extension into a backdoor. Users assume safety because of the official branding, but the code path remains dormant until triggered. The exploit bypasses Chrome’s extension sandbox by exploiting an overlooked permission set, a weakness also noted in recent Reuters coverage of supply‑chain vulnerabilities. Security experts warn that any compromise could harvest browsing data or inject malicious ads. The situation echoes the broader scramble for remediation that followed the pandemic surge in remote work tools.

“We recommend immediate removal of the extension until the developer issues a fix,” a Google spokesperson said.

Users are urged to monitor the Chrome Web Store for updates and consider alternative blockers with transparent code audits.