2026-06-25 The Hacker News

Chrome Ad Blocker With 10M Installs Has Hidden Script Injection Flaw

Malware, Privacy, Supply Chain

A widely used Google Chrome ad-blocking extension, Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), carries a dormant capability to inject arbitrary JavaScript code into any website a user visits, according to security researchers at Island. The extension boasts more than 10 million installs and a Featured badge on the Chrome Web Store, yet it contains architectural components—specifically a custom scriptlet rule named "trusted-create-element"—that could allow its operators to read page contents, steal session data, and impersonate users inside sensitive accounts with nothing more than a server-side configuration change. No extension update, store review, or visible indicator would accompany such an activation. Researchers Oleg Zaytsev and Shachar Gritzman noted that the capability is "dormant, not absent," meaning the infrastructure for a stealthy supply-chain attack is fully in place even though no malicious payload has been observed in the wild.

Technically, the extension leverages remote-controlled script injection paths that have been baked in since February 2025, enabling the creation of arbitrary <script> elements across every site the browser visits—despite the extension being marketed solely as a YouTube ad filter. Earlier versions of the add-on shipped with the Unistream SDK, an ad-injection toolkit removed in June 2024 after raising industry concern. The pattern matches that of three related extensions already pulled from the Chrome Web Store for malware distribution: Adblock for Chrome (onomjaelhagjjojbkcafidnepbfkpnee), Adblock for You (ogcaehilgakehloljjmajoempaflmdci), and AdBlock Suite (gekoepiplklhniacchbbgbhilidiojmb), all linked to the same ownership chain that took over the YouTube extension in 2018.

The risk profile is amplified by the extensive permissions ad blockers typically request, granting broad visibility into browsing behavior across work apps, admin panels, and personal accounts. Users who have installed the extension should verify whether they remain exposed using a privacy checkup and audit saved credentials with a password checker, since dormant access to arbitrary scripts means stored login data could be exfiltrated the moment the capability is activated. Monitoring outbound connections for signs of command-and-control traffic through an SSL/TLS checker can also help detect abnormal behavior originating from browser extensions.

For organizations, the finding underscores the fragility of trusting browser extensions, even those with Featured badges and millions of users, as part of a secure browsing posture. Security teams should inventory installed extensions across managed endpoints, restrict extension installation to an allowlisted set, and review any add-on requesting tabs, webRequest, or scripting permissions against the principle of least privilege. Until Google re-reviews the extension or provides further transparency, the 10 million users of Adblock for YouTube are effectively one configuration flip away from a full browser-level compromise.
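One way to run the inventory step on an endpoint, as an added example that is not from the article or the researchers: it walks a Chrome profile's Extensions folder, flags the four extension IDs named above, and reports any extension declaring tabs, webRequest, scripting, or every-site host access. The function names and the sample manifests are constructed for illustration, and the path to the Extensions folder is supplied by the operator.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs named in the article.
FLAGGED_IDS = {"cmedhionkhpnakcndndgjdbohmhepckk", "onomjaelhagjjojbkcafidnepbfkpnee",
               "ogcaehilgakehloljjmajoempaflmdci", "gekoepiplklhniacchbbgbhilidiojmb"}
SENSITIVE = {"tabs", "webRequest", "scripting"}  # permissions the article singles out
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every-site patterns


def audit_extensions(extensions_dir):
    """Return one finding per installed extension version that needs review."""
    findings = []
    # Chrome keeps installed extensions as <Extensions>/<id>/<version>/manifest.json
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
            declared = {p for p in perms if isinstance(p, str)}
            for script in manifest.get("content_scripts", []):
                declared.update(script.get("matches", []))
        except (OSError, ValueError, TypeError, AttributeError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        finding = {
            "id": path.parent.parent.name,
            "version": path.parent.name,
            "named_in_article": path.parent.parent.name in FLAGGED_IDS,
            "sensitive": sorted(declared & SENSITIVE),
            "all_sites": bool(declared & BROAD_HOSTS),
        }
        if finding["named_in_article"] or finding["sensitive"] or finding["all_sites"]:
            findings.append(finding)
    return findings


def build_sample_profile(root):
    """Constructed sample data, not the real extensions' manifests."""
    samples = {
        "cmedhionkhpnakcndndgjdbohmhepckk": {"permissions": ["storage", "scripting"],
                                             "host_permissions": ["<all_urls>"]},
        "a" * 32: {"permissions": ["storage"]},  # hypothetical narrow extension
        "b" * 32: {"permissions": ["tabs"], "content_scripts": [{"matches": ["*://*/*"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_extensions(build_sample_profile(tmp)):
            print(finding)
```

A clean manifest does not clear an extension whose behaviour is driven by remote configuration, so an ID match is a reason to remove or escalate regardless of the permissions reported.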

Source: The Hacker News
