TL;DR - Researchers found that a Chrome ad blocker with more than 10 million installs, Adblock for YouTube, had a dormant code path that could run arbitrary JavaScript on any website you visit. It could be switched on remotely, from the publisher's server, with no app update and no Chrome review. There's no evidence it was ever used, and the publisher is now removing it. But it's a clean reminder of how much power the little extensions in your toolbar actually hold, and why it's worth spending five minutes today pruning the ones you forgot you had.
I have an ad blocker installed. You probably do too. It's one of those things you set up years ago, it quietly does its job, and you never think about it again. That last part is the bit worth rethinking this week.
Security researchers at Island took a close look at Adblock for YouTube, a Chrome extension with over 10 million installs and a "Featured" badge on the Chrome Web Store, which is meant to signal it's trustworthy. The extension does exactly what it promises. The problem is what else it was built to be able to do.
What they actually found
Inside the extension was a code path that could inject and run arbitrary JavaScript on any page you load. Not just YouTube. Any website. Your bank, your email, your work portal, anything open in that browser.
That capability could be turned on with a single change on the publisher's own server. No update pushed to your browser. No fresh review by Google. No notification, no new permission prompt, nothing you'd ever see. The switch lived on their end, and the loaded mechanism lived in your browser, just waiting to be told what to do.
According to the research, those injection paths had been sitting in the extension since around February 2025, and there's no evidence the capability was ever actually used against anyone. So this is not a "you've been hacked" story. It's closer to discovering the lock on your front door has a second keyhole you never knew about, one the locksmith could open from across town. Nothing's been taken. You'd still quite like it gone.
To their credit, the publisher (AdBlock Ltd) responded fast and started fixing it from 26 June 2026, stripping out the unused code so no server setting can call it, and tightening how the extension checks which site it's actually on.
Why a browser extension is such a big deal
When you install an extension, it usually asks to "read and change all your data on the websites you visit." We click through that wording without a second thought, but read it literally. You are handing a piece of software the ability to see and alter every page you open. That's the whole reason extensions can block ads, autofill passwords, or fix the look of a site. It's also exactly why a compromised or quietly over-built one is dangerous.
That power doesn't expire. An extension you installed in 2019 from a developer you trusted can change hands, get sold to a new owner, or have new code shipped to it, and it keeps all those permissions the entire time. The trust you granted years ago is still being honoured by a browser that has no idea the situation has changed.
What to do tonight, in about five minutes
You don't need to panic or rip everything out. You just need to do the prune you've been putting off.
- Open your extensions list. In Chrome, type chrome://extensions into the address bar and press Enter. Edge is edge://extensions. You'll probably be surprised how many are there.
- Remove anything you don't actively use or recognise. If you can't remember installing it or what it does, that's reason enough. Click Remove. You can always reinstall something you genuinely miss.
- Check who publishes the ones you keep. Click "Details" on an extension and look at the developer and the review count. A tool with a handful of reviews and a vague publisher deserves more suspicion than a well-known name, though as this story shows, even big ones are worth a periodic look.
- Be choosy from now on. Every extension is a standing invitation into everything you do in that browser. Install the few you truly need, from sources you trust, and skip the novelty ones.
- For ad blocking specifically, stick to well-established, widely reviewed options, and consider that a content blocker built into a privacy-focused browser is one less third-party add-on to keep an eye on.
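If you'd rather script the first two steps, the sketch below (an added example, not code from the researchers or the publisher) reads each installed extension's manifest.json and lists the ones that request access to every site, which is the "read and change all your data on the websites you visit" permission described above. It assumes you pass it the Extensions folder inside your Chrome or Edge profile, laid out as <id>/<version>/manifest.json; where that folder lives depends on your operating system.

```python
import json
import sys
from pathlib import Path

# Chrome match patterns that cover every website.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Manifest V2 mixes host patterns into "permissions"; Manifest V3 uses "host_permissions".
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")


def broad_host_access(manifest: dict) -> list:
    """Return sorted 'where: pattern' strings for every all-sites grant in a manifest."""
    found = set()
    for key in PERMISSION_KEYS:
        for pattern in manifest.get(key, []):
            if isinstance(pattern, str) and pattern in BROAD:
                found.add(f"{key}: {pattern}")
    # Content scripts are injected into pages matching "matches", so they count too.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD:
                found.add(f"content_scripts: {pattern}")
    return sorted(found)


def audit_extensions(ext_dir) -> dict:
    """Map extension id -> name and all-sites grants, for manifests under ext_dir.

    Assumption: ext_dir is a profile's Extensions folder (<id>/<version>/manifest.json).
    """
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        hits = broad_host_access(manifest)
        if hits:
            # "name" may be a localisation placeholder such as __MSG_...__
            report[path.parent.parent.name] = {
                "name": manifest.get("name", "?"), "access": hits}
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    for ext_id, info in audit_extensions(sys.argv[1]).items():
        print(ext_id, "|", info["name"], "|", "; ".join(info["access"]))
```

A hit here does not mean an extension is malicious, and a manifest check would not have revealed the dormant code path in this story. It tells you which extensions have the reach that would make such a path matter, so those are the ones to prune or look at first.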
The genuinely good news here is that nobody appears to have been harmed, the researchers caught it, and the publisher is cleaning it up. The lasting lesson is the cheap one: the most dangerous software on your computer is often the stuff you stopped noticing. Five minutes in your extensions list is one of the highest-value security chores going, and almost nobody does it.



