The Chrome ad blocker 'Adblock for YouTube,' with over 10 million installs, has been found to contain functionality for executing arbitrary JavaScript code remotely. This could expose users to significant privacy risks, including data theft, although no malicious activity has been reported to date.
Research by Island reveals that the popular 'Adblock for YouTube' extension has hidden capabilities that allow it to run arbitrary JavaScript code on any website. This can be activated through a single server-side change, posing a significant threat to users' security and privacy.
The extension can potentially read pages and steal data, jeopardizing personal accounts and sensitive sessions. This capability introduces serious privacy concerns, especially given the extensive user base of the extension.
Originally launched in 2014, 'Adblock for YouTube' changed ownership in 2018, and its background includes a history of prior ad-injection software. Related extensions have previously been reported and removed for similar malware concerns, raising alarms over current users' safety.
The extension uses scriptlets for ad blocking, and those scriptlets are controlled remotely by the server. This means the extension's functionality can change at the developers' discretion without users' knowledge, increasing the risk of malicious exploitation.
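A common way to reduce the risk described above is to treat server-supplied configuration as data only: the server may select a scriptlet that ships inside the reviewed package and pass it short string arguments, but never code. The sketch below is an added example, not code from the extension or from Island's research; every name in it (`BUNDLED_SCRIPTLETS`, `planRule`, `planConfig`, the scriptlet names and the sample config) is hypothetical.

```javascript
// Scriptlets shipped inside the reviewed package (hypothetical names). The
// server may pick one by name and pass arguments, but never supplies code.
const BUNDLED_SCRIPTLETS = Object.freeze({
  'remove-node': (selector) => ({ action: 'remove', selector }),
  'set-constant': (prop, value) => ({ action: 'set', prop, value }),
});
const MAX_ARG_LENGTH = 256;

// Validate one rule from a remotely fetched config. Returns a planned action
// or throws; nothing received from the server is evaluated as code.
function planRule(rule) {
  if (rule === null || typeof rule !== 'object' || Array.isArray(rule)) {
    throw new TypeError('rule must be an object');
  }
  const extra = Object.keys(rule).filter((k) => k !== 'name' && k !== 'args');
  if (extra.length > 0) {
    throw new Error(`unexpected field(s): ${extra.join(', ')}`);
  }
  // Own-property lookup so inherited names such as "constructor" never match.
  if (!Object.prototype.hasOwnProperty.call(BUNDLED_SCRIPTLETS, rule.name)) {
    throw new Error(`unknown scriptlet: ${String(rule.name)}`);
  }
  const args = rule.args === undefined ? [] : rule.args;
  if (!Array.isArray(args) ||
      !args.every((a) => typeof a === 'string' && a.length <= MAX_ARG_LENGTH)) {
    throw new Error('args must be short strings');
  }
  return BUNDLED_SCRIPTLETS[rule.name](...args);
}

// Plan a whole config, keeping rejections so they can be logged and alerted on.
function planConfig(config) {
  const accepted = [];
  const rejected = [];
  for (const rule of Array.isArray(config) ? config : []) {
    try {
      accepted.push(planRule(rule));
    } catch (err) {
      rejected.push({ rule, reason: err.message });
    }
  }
  return { accepted, rejected };
}

// Constructed sample config: one well-formed rule and three that are rejected.
const SAMPLE_CONFIG = [
  { name: 'remove-node', args: ['.ad-banner'] },
  { name: 'remove-node', args: ['.x'], code: 'fetch("https://example.invalid")' },
  { name: 'constructor', args: [] },
  { name: 'set-constant', args: ['a', { toString: 1 }] },
];
```

A rejected rule in a config that previously validated cleanly is itself a signal worth alerting on, since it means the server started sending something the shipped code was never reviewed to handle.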
While there is currently no reported malicious use of this feature, the existence of such a capability underscores the need for vigilance among users. Those using the extension may want to consider alternative ad blockers or monitor their web security more closely.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.