The Hacker News · 3 min read

Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability

A popular Google Chrome ad blocker extension for YouTube, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), was found to possess the capability to execute arbitrary JavaScript code on March 18, 2024. Security firm Island revealed this vulnerability, noting that the extension boasts over 10 million installations and holds a Featured badge on the Chrome Web Store.

The dormant script injection capability means the extension could potentially be activated to run malicious code without user knowledge. Island's analysis indicated that the extension's code included a dormant script that could be remotely triggered. This discovery raises significant concerns about the security of browser extensions, especially those with a large user base and prominent placement on official marketplaces. The ability to inject arbitrary JavaScript allows for a wide range of malicious activities, including data theft, phishing, and the distribution of malware.

The extension's primary function is to block ads on YouTube, a feature that appeals to a vast number of users seeking an uninterrupted viewing experience. However, the presence of such a potent, albeit dormant, vulnerability undermines the trust users place in these tools and the platforms that host them. The Chrome Web Store's Featured badge typically signifies a level of vetting and quality, making this finding particularly alarming.
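For endpoint inventory, the check below looks for the extension ID named above in a Chrome user data directory and reports each installed copy's profile, version and declared permissions. It is an added example, not code from Island or The Hacker News; it assumes Chrome's usual `<profile>/Extensions/<id>/<version>/manifest.json` layout, and the sample manifest values are constructed, not taken from the real extension.

```python
import json
import sys
import tempfile
from pathlib import Path

# Extension ID as reported in the article.
TARGET_ID = "cmedhionkhpnakcndndgjdbohmhepckk"


def find_extension(user_data_dir, ext_id=TARGET_ID):
    """Return one record per installed copy of ext_id across all profiles.

    Assumed layout: <user data dir>/<profile>/Extensions/<id>/<version dir>/manifest.json
    """
    findings = []
    pattern = f"*/Extensions/{ext_id}/*/manifest.json"
    for path in sorted(Path(user_data_dir).glob(pattern)):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = None  # unreadable or malformed: still report presence
        if not isinstance(manifest, dict):
            manifest = {}
        findings.append({
            "profile": path.parents[3].name,
            "version": manifest.get("version", path.parent.name),
            "permissions": sorted(str(p) for p in manifest.get("permissions") or []),
            "host_permissions": sorted(str(h) for h in manifest.get("host_permissions") or []),
        })
    return findings


def build_sample_tree(root):
    """Create a constructed user-data tree; all manifest values are invented."""
    hit = Path(root) / "Default" / "Extensions" / TARGET_ID / "1.0.0_0"
    miss = Path(root) / "Profile 1" / "Extensions" / ("a" * 32) / "2.0_0"
    for d in (hit, miss):
        d.mkdir(parents=True)
    (hit / "manifest.json").write_text(json.dumps({
        "version": "1.0.0", "manifest_version": 3,
        "permissions": ["storage", "scripting"],
        "host_permissions": ["*://*.youtube.com/*"]}))
    (miss / "manifest.json").write_text(json.dumps({"version": "2.0"}))


if __name__ == "__main__":
    # Pass a real user data dir (e.g. ~/.config/google-chrome); no argument runs the demo.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for r in find_extension(sys.argv[1] if len(sys.argv) > 1 else tmp):
            print(json.dumps(r))
```

An empty result for a user data directory means no copy of the extension is unpacked under any profile in it.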

Original source: The Hacker News