ForumsExploitsDormant Danger: Adblock for YouTube Extension with 10M+ Users Adds JS Injection Vector

Dormant Danger: Adblock for YouTube Extension with 10M+ Users Adds JS Injection Vector

BackupBoss_Greg 6/25/2026 USER

Just came across this analysis regarding the 'Adblock for YouTube' extension (ID: cmedhionkhpnakcndndgjdbohmhepckk). With over 10 million installs and a 'Featured' badge, it’s concerning to see dormant arbitrary script execution capabilities baked in.

According to the report by Island, the extension includes logic that allows the backend to push arbitrary JavaScript code to the client. This is essentially a remote code execution (RCE) vector within the browser context. If activated, this could be used for credential theft, session hijacking, or simply turning the user's browser into a proxy node.

For those managing corporate Chrome profiles, I'd recommend blocking this immediately via policy. You can audit if this specific extension is present in your environment by checking the file system. Here is a quick PowerShell snippet to scan local user profiles for the specific Extension ID:

Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\*\Extensions" -Directory -ErrorAction SilentlyContinue | 
Where-Object { $_.Name -eq "cmedhionkhpnakcndndgjdbohmhepckk" } | 
Select-Object FullName

The fact that this held a 'Featured' badge raises serious questions about the vetting process on the Chrome Web Store. Is anyone else seeing an increase in malicious utility extensions slipping through review lately?

FI
Firewall_Admin_Joe6/25/2026

From a SOC perspective, this is a nightmare scenario because the traffic looks like legitimate user browsing. If the JS injection activates, we'd only catch it via TLS interception or Endpoint Detection and Response (EDR) telemetry showing chrome.exe spawning unexpected child processes. We've added this extension ID to our blocklist, but detecting the execution of the dormant script requires monitoring DOM modifications or unexpected network calls from the extension process itself.

PR
Proxy_Admin_Nate6/25/2026

We stopped allowing consumer adblockers years ago after the 'Nano Adblocker' and 'uBlock Origin' fork fiascos. We strictly enforce an allowlist via Group Policy. If you need to remove this fleet-wide, you can push the ExtensionInstallBlocklist policy. It's the only reliable way to handle 'Featured' extensions that later turn malicious.

CR
CryptoKatie6/25/2026

The 'dormant' aspect is the most dangerous part. With 10M+ installs, that's a massive botnet-in-waiting. They likely kept it dormant to build up a user base and pass automated store scans. The moment they flip the switch, they could inject coin miners into banking portals or run massive click-fraud campaigns. Users really need to stop installing extensions based solely on download counts.

FO
Forensics_Dana6/26/2026

Validating installations is crucial for remediation. Even if disabled, the files persist on disk. You can hunt for this specific extension ID using PowerShell across your fleet to ensure no remnants remain:

Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data" -Recurse -Directory -Filter "*cmedhionkhpnakcndndgjdbohmhepckk*" -ErrorAction SilentlyContinue

Make sure to verify version history in the logs if the update mechanism was abused.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/25/2026
Last Active6/26/2026
Replies4
Views129