The Dormant Threat Inside a Trusted Extension
A security analysis of the popular Chrome extension “Adblock for YouTube” has revealed a concerning dormant capability that could allow remote code injection on any website. The extension, which boasts over 10 million installations and a Featured badge on the Chrome Web Store, contains the architectural framework for executing arbitrary JavaScript code on any page a user visits. Researchers from Island discovered that the extension relies on a server-side configuration to determine which ad blocking scriptlets to run, and one of those scriptlets, named trusted-create-element, can be instructed to create and execute arbitrary script elements on the page.
Crucially, this capability is currently inactive. However, a single change to the extension’s server configuration could activate it without any user notification, extension update, or Chrome Web Store review process. The researchers emphasized that the risk stems not from any single malicious line of code, but from the combination of all-site access permissions, a remote-controlled injection path, and the extension’s history of ownership changes and prior ad injection infrastructure.
Scope and Related Concerns
The extension’s permissions allow it to run on every website visited, not just YouTube. Although the extension attempts to restrict its ad blocking functionality to pages containing “youtube.com” in the URL, this check can be trivially bypassed. For example, a URL like “www.facebook.com/page?ref=youtube.com” would trigger the extension’s code execution pathways on Facebook’s website, demonstrating a fundamental flaw in how the hostname validation is performed.
Adding to the concern, several related ad blocking extensions from the same developer have already been removed from the Chrome Web Store due to malware. The developer, AdBlock Ltd, has acknowledged the issue and is preparing an update. The planned fix will validate the YouTube hostname properly rather than matching a string anywhere in the URL, and will remove the server’s ability to inject executable scripts through the trusted-create-element scriptlet. The company maintains that the capability has never been used and will not be used maliciously.
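The substring check described above and the hostname-based validation the developer says the fix will use, side by side. This is an added illustration, not code from the extension or from Island's report; the function names and sample URLs are constructed, and the fix shown is one straightforward way to do proper hostname validation, not necessarily the developer's exact change.

```javascript
// Added example (not the extension's own code): a substring check of the
// kind the article describes, next to a hostname-based check that fixes it.
// Function names and the sample URLs are constructed for illustration.

// Vulnerable form: matches "youtube.com" anywhere in the URL string, so a
// query parameter or path segment on an unrelated site also satisfies it.
function substringCheck(url) {
  return url.includes("youtube.com");
}

// Hardened form: parse the URL, then compare the hostname exactly or as a
// proper subdomain of youtube.com. Unparsable or non-web URLs are rejected.
function hostnameCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not an absolute URL; treat as not YouTube
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return false;
  }
  const host = parsed.hostname.toLowerCase();
  // The leading dot matters: "notyoutube.com" must not pass.
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Constructed sample URLs showing where the two checks disagree.
const SAMPLES = [
  "https://www.youtube.com/watch?v=abc",           // genuine YouTube page
  "https://www.facebook.com/page?ref=youtube.com", // bypass from the article
  "https://youtube.com.example.test/",             // lookalike hostname
  "https://example.test/youtube.com/",             // match only in the path
  "not a url",                                     // unparsable input
];

// Returns, for each sample, what the two checks decide.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: u,
    substring: substringCheck(u),
    hostname: hostnameCheck(u),
  }));
}

for (const r of compareChecks(SAMPLES)) {
  console.log(`substring=${r.substring} hostname=${r.hostname}  ${r.url}`);
}
```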
Source: The Hacker News
