A widely trusted Chrome browser extension has been found to contain a pre-wired remote code execution backdoor sitting dormant in over 10 million browsers — waiting for a single server-side configuration change to activate it.
The Extension
Adblock for YouTube (Chrome Web Store ID: cmedhionkhpnakcndndgjdbohmhepckk) is a popular ad-blocking extension carrying Google's "Featured" badge, indicating it meets elevated quality and trust standards. It has accumulated more than 10 million installs. Researchers at browser security firm Island discovered the hidden capability during a routine extension audit.
What Was Found
Buried within the extension is a custom scriptlet rule named trusted-create-element. According to Island's analysis, this rule provides "the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change — without an extension update and without triggering any store review."
In practice, this means the extension's operator could silently push a configuration change to all 10 million installed instances, enabling the injection of arbitrary <script> elements on any page the user visits — all without distributing a new version of the extension or triggering any Chrome Web Store security review.
What a Malicious Activation Could Do
If the dormant payload were activated, threat actors could use it to:
- Steal credentials and session tokens from any website
- Exfiltrate sensitive data from banking portals, admin panels, and corporate SaaS apps
- Impersonate users across personal and work accounts
- Execute arbitrary JavaScript in the context of any page, including internal enterprise applications
A Pattern of Malicious Siblings
The discovery doesn't exist in isolation. Three related extensions — Adblock for Chrome, Adblock for You, and AdBlock Suite — were previously removed from the Chrome Web Store for actively distributing malware, suggesting the same developer network has a history of weaponizing browser extensions.
Current Status
At the time of reporting, the payload in Adblock for YouTube remains dormant — it has not been activated against users. Island researchers contacted the developer directly. Google has not issued a public statement, and the extension remains available in the Chrome Web Store.
What Users Should Do
- Remove Adblock for YouTube (ID:
cmedhionkhpnakcndndgjdbohmhepckk) from Chrome immediately - Audit all installed browser extensions — especially those with broad host permissions (
<all_urls>) or scriptlet rule capabilities - Prefer extensions from well-known, audited organizations with transparent codebases
- Enterprise administrators should review browser extension policies and consider allowlisting approaches for managed devices
Broader Implications
This incident highlights a structural weakness in the browser extension ecosystem: a "Featured" badge provides a false sense of security. Extensions with millions of installs and trusted branding can still carry server-activatable payloads that entirely bypass the Chrome Web Store review process. The attack surface is not the code published to the store — it is the remote configuration the code obeys.