
11 Million-User YouTube Ad Blocker Has Dangerous Execution Path, Security Firm Warns

The extension's combination of broad permissions and a server-controlled scriptlet mechanism means a compromised or malicious update to its settings server could turn a trusted ad blocker into a data-stealing tool for millions of users.

Reporting from 1 source: GIGAZINE.

Enterprise browser company Island reported that the Chrome extension "Adblock for YouTube," installed over 11 million times, has a design flaw where a single server-side configuration change could allow arbitrary JavaScript execution in users' browsers. Island has not confirmed malicious code distribution but says the dangerous execution path exists.

Enterprise browser company Island has identified a security vulnerability in the Chrome extension "Adblock for YouTube," which has been installed over 11 million times. The extension requests permissions for all URLs and fetches settings from an external server every 24 hours. Those settings include a field called "scriptletsRules" that can instruct the extension to execute built-in JavaScript functions with server-specified arguments. Island demonstrated that one such scriptlet, "trusted-create-element," can inject arbitrary JavaScript into any page the extension can access, including webmail, banking sites, and internal business tools. In a proof of concept, Island showed the extension reading account information from Salesforce and sending it to a mock server. Island stated it has not observed any malicious payloads being delivered in the wild, but warned that the architecture makes a supply-chain-style attack possible with only a server-side change.
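The mitigation this design lacks is a client-side check that treats the fetched settings as untrusted input. The sketch below is an added example, not code from the extension or from Island: it vets a settings document before any scriptlet is dispatched. The rule shape (`name`, `args`, `domains`), the allowlist contents and the sample data are assumptions; only the `scriptletsRules` field and the `trusted-create-element` name come from the report.

```javascript
// Added example. Assumed rule shape: { name, args, domains }. Only the field
// "scriptletsRules" and the name "trusted-create-element" come from the article.
const ALLOWED_SCRIPTLETS = new Set(["set-constant"]); // hypothetical pinned allowlist
const ALLOWED_HOST_SUFFIXES = ["youtube.com"]; // scope a YouTube ad blocker needs

// True only for the allowed host itself or a real subdomain of it.
function hostAllowed(host) {
  if (typeof host !== "string") return false;
  const h = host.toLowerCase();
  return ALLOWED_HOST_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// Returns the list of reasons a single rule must be refused (empty = acceptable).
function vetRule(rule) {
  const reasons = [];
  const name = rule && typeof rule.name === "string" ? rule.name : "";
  // "trusted-" scriptlets take server-chosen content, so remote config never gets them.
  if (name.startsWith("trusted-")) reasons.push("trusted-scriptlet");
  if (!ALLOWED_SCRIPTLETS.has(name)) reasons.push("not-allowlisted");
  const domains = rule && Array.isArray(rule.domains) ? rule.domains : [];
  if (domains.length === 0 || !domains.every(hostAllowed)) reasons.push("host-out-of-scope");
  const args = rule && Array.isArray(rule.args) ? rule.args : null;
  if (!args || !args.every((a) => typeof a === "string")) reasons.push("bad-args");
  return reasons;
}

// Splits a fetched settings object into rules to apply and rules to drop and log.
function vetRemoteSettings(settings) {
  const rules = settings ? settings.scriptletsRules : undefined;
  if (rules === undefined) return { accepted: [], rejected: [] };
  if (!Array.isArray(rules)) return { accepted: [], rejected: [{ rule: rules, reasons: ["malformed"] }] };
  const accepted = [];
  const rejected = [];
  for (const rule of rules) {
    const reasons = vetRule(rule);
    if (reasons.length) rejected.push({ rule, reasons });
    else accepted.push(rule);
  }
  return { accepted, rejected };
}

// Constructed sample of a fetched settings document (not real server data).
const SAMPLE_SETTINGS = {
  scriptletsRules: [
    { name: "set-constant", args: ["example.flag", "false"], domains: ["www.youtube.com"] },
    { name: "trusted-create-element", args: ["constructed-arg"], domains: ["*"] },
    { name: "set-constant", args: ["example.flag", "true"], domains: ["notyoutube.com.example"] },
  ],
};
console.log(JSON.stringify(vetRemoteSettings(SAMPLE_SETTINGS).rejected.map((r) => r.reasons)));
```

Rejected rules are worth logging centrally: a settings server that suddenly starts serving out-of-scope hosts or `trusted-` scriptlets is itself a detection signal.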

Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.

Sources