One of the most popular ad-blocking extensions on Chrome has a hidden capability that could let its owners read everything your staff do in the browser: emails, Salesforce records, banking sessions, internal admin tools. The extension is Adblock for YouTube, and it has more than 11 million installs. Chrome extension security researchers at Island published their findings on 25 June 2026. The capability is currently dormant. Activating it requires a single change to the extension’s own servers, with no update to the extension and no approval from Google.
What “Dormant Script Injection” Actually Means
The extension fetches a configuration file from its own servers once a day. That file tells it which pieces of JavaScript to run on the pages you visit. Buried in the code is a rule called trusted-create-element, which can inject an arbitrary script tag into any page. Once that script executes, it runs with the full privileges of the page: it can read text, intercept form submissions, steal session tokens, and send data to a remote server.
At the moment, that rule is not switched on in the live configuration. Yet the wiring is all there. The researchers at Island built a working demonstration. They activated the rule against a Salesforce session and pulled out account data. Island’s point was not that this has already happened to real users. Rather, it was that the extension’s owner can trigger it whenever they choose, for any of the 11 million people with it installed.
That is the Chrome extension security problem in a single sentence: trusted software, installed years ago, can become hostile at any moment, with nothing visible to the user or to Google.
Why All-Site Access Is the Crux of It
Adblock for YouTube describes itself as a YouTube ad blocker. Yet its underlying permissions tell a different story. The extension asks for access to every site the browser visits. Its code does contain a check: it looks for the text “youtube.com” somewhere in the URL. But that check is easily defeated. Any internal system with “youtube.com” in a redirect parameter would pass it. More importantly, whoever controls the extension’s server can turn that check off with no update required.
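To see why a "contains youtube.com" test is weak, the added example below (not the extension's own code; function names and sample URLs are constructed for illustration) puts a substring check of the kind described above beside a check on the parsed hostname.

```javascript
// Added illustration; not taken from the extension. Sample URLs are constructed.

// The kind of check the article describes: the text appears anywhere in the URL.
function substringCheck(url) {
  return url.includes("youtube.com");
}

// Stricter form: parse the URL and compare the hostname only.
function hostnameCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input never matches
  }
  if (parsed.protocol !== "https:") return false;
  const host = parsed.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

const samples = [
  "https://www.youtube.com/watch?v=abc",                    // genuine
  "https://intranet.example/login?next=https://youtube.com/", // text in a parameter
  "https://youtube.com.example.net/",                       // text as a subdomain label
  "https://notyoutube.com/",                                // text as a hostname suffix
];

// Returns one row per URL showing how each check classifies it.
function compare(urls) {
  return urls.map((url) => ({
    url,
    substring: substringCheck(url),
    hostname: hostnameCheck(url),
  }));
}

console.table(compare(samples));
```

A stricter match narrows the check but does not remove the risk described here, because the check itself can still be switched off from the server.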
Google’s “Featured” badge on the Chrome Web Store listing does not help here. It confirms the extension has a large install base and follows Chrome’s publishing guidelines. But it does not mean the code was reviewed for Chrome extension security, and it does not prevent server-side changes after listing.
A History Worth Knowing Before You Decide
The extension launched in 2014. Then around 2018 it changed hands, was substantially rewritten, and grew from a niche tool to one of the most-installed extensions on the platform. Early versions shipped with Unistream SDK, an adware framework flagged by Bitdefender. That SDK was removed in June 2024.
Three other extensions sharing infrastructure with Adblock for YouTube have since been removed from the Chrome Web Store for malware. Adblock for Chrome was found to bridge injected code into Chrome’s privileged internal APIs. Adblock for You and AdBlock Suite were also removed. The developer has not responded to press enquiries about Island’s research.
Six Steps to Manage Chrome Extension Security
You do not need specialist tooling to address this. Here is a practical starting point:
- Find out what is installed. Search managed devices for extension ID cmedhionkhpnakcndndgjdbohmhepckk. Chrome Enterprise reporting, your MDM, or a browser management tool can surface this without touching individual machines.
- Remove Adblock for YouTube from managed browsers. Until the developer responds and the situation is resolved, there is no reason to carry the risk. Alternatives exist that have not been implicated in adware or malware incidents.
- Build an extension allow-list. Chrome for Enterprise lets you specify, through Group Policy or your MDM, exactly which extensions staff can install. Anything not on the approved list is blocked. This is the most effective single control against supply-chain changes in extensions.
- Treat extensions like third-party software. The NCSC’s guidance on browser security says organisations should treat extensions like any other installed application. The same risk assessment applies: permissions matter, and all-site access is not a low-risk install.
- Review extensions that have changed ownership. Extension acquisition is a known technique for reaching an existing user base. When an extension you approved last year is now owned by a different entity, that warrants a fresh look at what it is doing.
- Consider a browser extension review as part of your next security assessment. Most organisations test perimeter controls and cloud configurations. Browser extensions get far less scrutiny, yet they run inside the security perimeter with access to authenticated sessions.
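The first steps above can be scripted against an extension inventory export. The following is an added example, not tooling from Island or Google: the inventory row format, device names, placeholder IDs and manifests are constructed, while ExtensionInstallBlocklist and ExtensionInstallAllowlist are Chrome's enterprise policy names for a default-deny allow-list.

```javascript
// Added example. Inventory rows and manifests are constructed, not copied from
// any real extension; in practice they come from reporting or an MDM export.
const FLAGGED_ID = "cmedhionkhpnakcndndgjdbohmhepckk"; // ID given in the article
const ALL_SITE = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Gather every host match pattern a manifest can declare.
function hostPatterns(manifest) {
  const scripts = manifest.content_scripts || [];
  return [
    ...(manifest.host_permissions || []), // Manifest V3
    ...(manifest.permissions || []),      // Manifest V2 lists hosts here too
    ...scripts.flatMap((cs) => cs.matches || []),
  ];
}

function hasAllSiteAccess(manifest) {
  return hostPatterns(manifest).some((p) => ALL_SITE.has(p));
}

// Returns only the rows that need attention, with the reasons why.
function auditInventory(rows, allowlist) {
  const allowed = new Set(allowlist);
  return rows
    .map((r) => {
      const reasons = [];
      if (r.id === FLAGGED_ID) reasons.push("flagged-id");
      if (!allowed.has(r.id)) reasons.push("not-on-allowlist");
      if (hasAllSiteAccess(r.manifest)) reasons.push("all-site-access");
      return { device: r.device, id: r.id, reasons };
    })
    .filter((f) => f.reasons.length > 0);
}

// Default-deny policy: block everything, then allow the reviewed IDs.
function buildChromePolicy(allowlist) {
  return { ExtensionInstallBlocklist: ["*"], ExtensionInstallAllowlist: [...allowlist] };
}

const allowlist = ["a".repeat(32), "b".repeat(32)]; // placeholder IDs
const inventory = [
  { device: "LAPTOP-01", id: FLAGGED_ID, manifest: { host_permissions: ["<all_urls>"] } },
  { device: "LAPTOP-02", id: "a".repeat(32), manifest: { host_permissions: ["https://mail.example.com/*"] } },
  { device: "LAPTOP-03", id: "b".repeat(32), manifest: { permissions: ["tabs", "*://*/*"] } },
];

console.log(JSON.stringify(auditInventory(inventory, allowlist), null, 2));
console.log(JSON.stringify(buildChromePolicy(allowlist), null, 2));
```

An allow-listed extension with all-site access is still reported, which is the prompt to re-review it after an ownership change.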
The Broader Point
This is not an isolated case. Extensions with all-site permissions, remote configuration, and a history of ownership changes are a category of risk, not a one-off. The Chrome Web Store reviews extensions at submission. It does not monitor whether the configuration servers those extensions talk to have changed their behaviour since. That Chrome extension security gap sits with IT and security teams to manage.
For most UK businesses, the immediate task is simple: check whether this extension is installed, remove it, and put controls in place so you know what is running in your browsers from here on.