Chrome ad blocker with 10 million installs hides dormant code-injection capability
Researchers at Island found that a popular Chrome extension, "Adblock for YouTube," with more than 10 million installs and a Featured badge, contains the machinery to run arbitrary JavaScript on any website the user visits. The extension works as advertised, but it can fetch a rule from its server that creates script elements with attacker-supplied content, giving access to page data, sessions, and forms. The capability is dormant, not absent: switching it on takes a single server-side change, with no extension update and no store review. The add-on changed ownership years ago, requests access to all sites, and is linked to other extensions previously pulled for malware.
- Check
  - Inventory browser extensions across the organization, flag high-permission ones like ad blockers that request access to all sites, and identify extensions that fetch configuration or rules from external servers.
- Affected
  - Anyone using the "Adblock for YouTube" Chrome extension or similar high-install add-ons with all-site access and server-controlled logic; a single server change could turn them into code-injection tools.
- Fix
  - Remove or restrict extensions whose permissions exceed their purpose, prefer those with self-contained rules over server-controlled ones, enforce an extension allowlist, and monitor for ownership and permission changes.