Chrome Ad Blocker With 10M+ Installs Carries Dormant Script Injection Capability
What Happened
Security researchers at Island have identified that Adblock for YouTube — a Chrome extension with over 10 million installs (extension ID: cmedhionkhpnakcndndgjdbohmhepckk) — contains the ability to execute arbitrary JavaScript code. The capability is described as "dormant," meaning it is embedded in the extension but not visibly active, making it easy to miss during routine browser audits. The finding was reported by The Hacker News today.
The extension presents itself as a straightforward YouTube ad blocker, which explains its massive install base. Users typically grant ad blockers broad permissions — access to all pages, the ability to read and modify page content — making them an ideal vector for covert script injection.
Why It Matters
An extension capable of executing arbitrary JavaScript has effectively the same privilege level as the page itself. In practice, that means:
- Session token theft — the extension can read cookies and localStorage values on any site you visit, including banking and SaaS apps.
- Credential harvesting — form field values, including passwords typed on any HTTPS page, are accessible.
- Lateral movement — if a developer or sysadmin has this extension installed, it could be used to steal API keys, SSH keys stored in web UIs, or cloud console credentials.
- Dormant = patient — the fact that the capability is not currently active is the most concerning part. It means the author (or whoever gains control of the extension via an update or account compromise) can activate it at any point without the user installing anything new. Chrome extensions auto-update silently.
With 10 million installs, the exposure here is substantial. Even if only a small fraction of those users are in enterprise environments, the likelihood that this extension exists on at least one machine in your org — including a privileged workstation — is high.
What to Do
Right now:
- Search your fleet. If you manage endpoint or browser policy, grep for extension ID cmedhionkhpnakcndndgjdbohmhepckk across your managed Chrome profiles. Google Workspace admins can audit this from the Admin Console under Devices → Chrome → Apps & extensions.
- Remove it immediately. There is no safe version of an extension with a dormant arbitrary code execution capability. Uninstall it from all devices where it is found.
- Block it via policy. Use Chrome's ExtensionInstallBlocklist policy to prevent reinstallation. Add the extension ID to your blocklist and push the policy.
- Audit adjacent extensions. This incident is a prompt to review all ad blockers and content-filtering extensions across your org. Extensions with broad host permissions (<all_urls>) deserve particular scrutiny.
- Rotate credentials if exposed. If any affected users have sensitive sessions — cloud consoles, CI/CD systems, password managers in the browser — treat those credentials as potentially compromised and rotate them.
For personal machines, open chrome://extensions, locate Adblock for YouTube, and remove it. Prefer extensions with a track record of open-source code and recent independent audits.
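As an added example (not code from Island, The Hacker News or the extension itself), the fleet-search, extension-audit and blocklist steps above in script form: it walks a Chrome profile's Extensions directory, flags the reported extension ID plus any manifest carrying <all_urls>-style host permissions or content scripts matched on every URL, and prints an ExtensionInstallBlocklist policy body. The Linux profile path, the <id>/<version>/manifest.json layout and the sample manifest are assumptions or constructed for the demo.

```python
import json
import os

# Extension ID from the report above (Adblock for YouTube).
FLAGGED_IDS = {"cmedhionkhpnakcndndgjdbohmhepckk"}
# Match patterns that grant an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed location of a Chrome profile's unpacked extensions on Linux.
DEFAULT_ROOT = os.path.expanduser("~/.config/google-chrome/Default/Extensions")
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "sample ad blocker",  # constructed sample (MV3)
                   "host_permissions": ["<all_urls>"], "permissions": ["scripting"]}

def audit_manifest(ext_id, manifest):
    """Return findings for one extension manifest (MV2 or MV3 layout)."""
    findings = []
    if ext_id in FLAGGED_IDS:
        findings.append("known-bad extension ID")
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append("broad host permissions: " + ", ".join(broad))
    # A content script matched on every URL gives the same page-level access.
    if any(BROAD_HOSTS & set(cs.get("matches", [])) for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected on all URLs")
    return findings

def scan_extensions_dir(ext_root):
    """Walk <root>/<id>/<version>/manifest.json and return {id: (version, findings)} for hits."""
    results = {}
    for ext_id in (os.listdir(ext_root) if os.path.isdir(ext_root) else []):
        id_dir = os.path.join(ext_root, ext_id)
        for version in (os.listdir(id_dir) if os.path.isdir(id_dir) else []):
            path = os.path.join(id_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    findings = audit_manifest(ext_id, json.load(fh))
                if findings:
                    results[ext_id] = (version, findings)
    return results

def blocklist_policy(ext_ids):
    """Body of a Chrome managed-policy JSON file that blocks the given extension IDs."""
    return {"ExtensionInstallBlocklist": sorted(set(ext_ids))}

if __name__ == "__main__":
    for ext_id, (version, findings) in scan_extensions_dir(DEFAULT_ROOT).items():
        print(ext_id, version, "; ".join(findings))
    print(audit_manifest("cmedhionkhpnakcndndgjdbohmhepckk", SAMPLE_MANIFEST))
    print(json.dumps(blocklist_policy(FLAGGED_IDS), indent=2))
```

Point DEFAULT_ROOT at the Extensions folder of each managed profile (or run it through your endpoint agent) and write the printed policy JSON into Chrome's managed-policy directory to enforce the block.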
Synthesized by Claude · sanity-checked before publish.