Full Report
An analysis of a popular Google Chrome ad block extension for YouTube has uncovered the ability to execute arbitrary JavaScript code. According to Island, the extension, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), has more than 10 million installs and carries a Featured badge on the Chrome Web Store. The extension description states that it allows users to prevent web
Analysis Summary
# Tool/Technique: Adblock for YouTube (cmedhionkhpnakcndndgjdbohmhepckk)
## Overview
A popular Google Chrome extension with over 10 million installs that functions ostensibly as an ad blocker for YouTube. Alongside that legitimate functionality, the extension contains dormant code that can execute arbitrary JavaScript on any website the user visits. Because the injection rules are fetched from a server the operator controls, a single server-side configuration change is enough to turn the extension into a script-injection platform for large-scale data theft or account hijacking, with no new version submitted to Chrome Web Store review and no extension update pushed to users.
## Technical Details
- **Type**: Malicious Browser Extension / Potentially Unwanted Application (PUA)
- **Platform**: Google Chrome / Chromium-based browsers
- **Capabilities**: Remote-controlled script injection; broad site permissions ("read and change all your data on all websites"); a weak YouTube URL check that lets the extension's rules fire on arbitrary sites; a history of bundled ad-injection SDKs.
- **First Seen**: Extension exists since 2014; Malicious script injection paths identified since February 2025.
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
- [T1176.001 - Software Extensions: Browser Extensions] (listed as T1176 - Browser Extensions in ATT&CK versions before v16)
- **[TA0002 - Execution]**
- [T1059.007 - Command and Scripting Interpreter: JavaScript]
- **[TA0005 - Defense Evasion]**
- [T1564 - Hide Artifacts] (dormant capability; the server response was inactive at analysis time, so store review and automated scanners see nothing malicious)
- **[TA0011 - Command and Control]**
- [T1105 - Ingress Tool Transfer] (injection rules and script payloads fetched from a remote server at runtime)
- **[TA0009 - Collection]**
- [T1185 - Browser Session Hijacking] (injected scripts run inside the victim's authenticated page on any site)
## Functionality
### Core Capabilities
- **YouTube Ad Blocking**: Functions as advertised to hide pre-roll and display ads on YouTube.
- **All-Site Access**: Despite its name and stated purpose, the extension requests permission to read and change data on all websites rather than restricting its content scripts to YouTube hosts.
- **URL Manipulation Bypass**: The rule engine decides whether a page is YouTube by checking whether the string "youtube.com" appears anywhere in the URL instead of comparing the parsed hostname. The YouTube-specific logic therefore fires on any page whose URL contains that substring, for example `bank.com/?q=youtube.com`, and an attacker can craft such a link rather than relying on the user to type it.
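The weak URL check described above, as an added example that is not code from the extension or from Island's report: the substring test beside a hostname-based check, both run over constructed sample URLs (`bank.example` and `attacker.example` are placeholders, and the function names are assumptions).

```javascript
// Added example: not the extension's code. Shows why a substring match on
// the full URL is the wrong test for "is this page YouTube?".

// Weak: asks only whether "youtube.com" occurs anywhere in the URL string, so a
// query string, a fragment or a look-alike host is enough to pass.
function isYouTubeWeak(href) {
  return href.includes("youtube.com");
}

// Hardened: parse the URL and compare the hostname itself. Only youtube.com or
// one of its subdomains qualifies; anything unparseable is rejected.
function isYouTubeStrict(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return false; // not an absolute URL at all
  }
  const host = url.hostname.toLowerCase();
  return host === "youtube.com" || host.endsWith(".youtube.com");
}

// Evaluate both checks over a list of URLs. "overreach" marks the pages on
// which the weak check would activate the extension's rules but the strict
// check would not: exactly the bypass surface described in the text.
function compareChecks(hrefs) {
  return hrefs.map((href) => {
    const weak = isYouTubeWeak(href);
    const strict = isYouTubeStrict(href);
    return { href, weak, strict, overreach: weak && !strict };
  });
}

// Constructed sample URLs (placeholder domains, not real sites).
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=abc123",      // genuine YouTube page
  "https://bank.example/?q=youtube.com",          // the query-string bypass
  "https://bank.example/account#youtube.com",     // a fragment works just as well
  "https://youtube.com.attacker.example/login",   // look-alike subdomain
  "https://bank.example/transfer",                // unrelated page, neither check fires
];

for (const r of compareChecks(SAMPLE_URLS)) {
  const tag = r.overreach ? "OVERREACH" : "ok       ";
  console.log(`${tag} weak=${r.weak} strict=${r.strict} ${r.href}`);
}
```

The same comparison applies to the manifest: a content script declared with `"matches": ["*://*.youtube.com/*"]` is scoped by Chrome itself, whereas a script declared for `<all_urls>` that filters on `location.href` in JavaScript is only as strong as that filter.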
### Advanced Features
- **Remote Script Injection**: The extension's own rule engine includes a "trusted-create-element" rule that creates DOM elements from remotely supplied configuration, including `<script>` tags. Whoever controls the configuration server can therefore inject arbitrary JavaScript into any page the extension runs on.
- **Dormant Execution Path**: The injection configuration is fetched from a remote server at runtime. At the time of discovery the server returned an inactive configuration, so the capability was present in the shipped code but never exercised, which is enough to pass automated scanners and manual store review.
- **Ownership Change**: As with many extension-based compromises, the extension changed hands in 2018; later versions bundled ad-injection SDKs and, eventually, the remote execution path described above.
## Indicators of Compromise
### Extension IDs
- `cmedhionkhpnakcndndgjdbohmhepckk` (Adblock for YouTube)
- `onomjaelhagjjojbkcafidnepbfkpnee` (Adblock for Chrome - Removed)
- `ogcaehilgakehloljjmajoempaflmdci` (Adblock for You - Removed)
- `gekoepiplklhniacchbbgbhilidiojmb` (AdBlock Suite - Removed)
### Behavioral Indicators
- Network requests to non-Google domains to fetch configuration rules. On its own this is a weak indicator, since many legitimate blockers download filter lists; it matters in combination with the other two.
- Creation of `<script>` elements in page DOM driven by the extension's own bespoke ruleset rather than by a static, reviewable filter list.
- Frequent changes to the server-side configuration with no corresponding change to the extension's version number.
## Associated Threat Actors
- **Unknown**: The developer identity changed in 2018. Associated with the **Unistream SDK** (ad-injection infrastructure).
## Detection Methods
- **Behavioral Detection**: Monitor for browser extensions that cause scripts to load from domains outside the extension package. Note that Manifest V3's ban on remotely hosted code covers the extension's own contexts; a `<script src="...">` element that the extension writes into a web page executes in that page's context, so this technique is not stopped by the MV3 rule itself.
- **URL Inspection**: Detect the bypass technique where the substring "youtube.com" appears in the query string, path or fragment of a URL on a non-YouTube host.
- **Security Vendor Analysis**: Island and Palo Alto Networks Unit 42 are actively tracking these variants.
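An added example, not code from Island's report or from the extension, that turns the indicators above (all-site access, script-creating rules in a bespoke ruleset, remotely fetched configuration) into an offline audit of an unpacked extension. The manifest fields are real Chrome manifest keys; the rule-set schema is an assumption, since the page names the "trusted-create-element" rule but not its format; the sample manifest, rules and URLs are constructed.

```javascript
// Added example: an audit of an unpacked extension's manifest plus a
// hypothetical JSON ruleset, flagging the behavioural indicators from the text.

// Match patterns and permissions that grant access to every site.
const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// "All-site access": any permission, host_permission or content-script match
// pattern that covers every origin.
function broadHostPatterns(manifest) {
  const patterns = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  return patterns.filter((p) => BROAD_MATCHES.has(p));
}

// Rules that create DOM elements are harmless when they add a <style> or a
// <div>; a rule that creates a <script> element, especially with a remote src,
// is code execution under the control of whoever serves the ruleset.
// Rule schema here is assumed: { rule, tag, attrs }.
function scriptCreatingRules(rules) {
  return rules.filter(
    (r) => /create-element/i.test(r.rule || "") && String(r.tag || "").toLowerCase() === "script"
  );
}

// Hosts the extension fetches configuration from. Reported, not judged:
// a remote filter-list host is normal, so this is context for the other findings.
function remoteConfigHosts(urls) {
  const hosts = [];
  for (const u of urls) {
    try {
      hosts.push(new URL(u).hostname);
    } catch {
      // skip malformed entries
    }
  }
  return hosts;
}

function auditExtension(manifest, rules, configUrls) {
  const findings = [];
  const broad = broadHostPatterns(manifest);
  if (broad.length) findings.push({ kind: "all-site-access", detail: broad });
  const scriptRules = scriptCreatingRules(rules);
  if (scriptRules.length) {
    findings.push({
      kind: "script-injection-rule",
      detail: scriptRules.map((r) => (r.attrs && r.attrs.src) || "(inline)"),
    });
  }
  const hosts = remoteConfigHosts(configUrls);
  if (hosts.length) findings.push({ kind: "remote-config", detail: hosts });
  return findings;
}

// Constructed sample input modelled on the behaviour described in the text.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example ad blocker (constructed)",
  permissions: ["storage", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["content.js"] }],
};
const SAMPLE_RULES = [
  { rule: "hide-element", selector: ".ytp-ad-module" },
  { rule: "trusted-create-element", tag: "script", attrs: { src: "https://loader.example/inject.js" } },
  { rule: "trusted-create-element", tag: "style", attrs: {} },
];
const SAMPLE_CONFIG_URLS = ["https://rules.example/config.json"];

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_RULES, SAMPLE_CONFIG_URLS), null, 2));
```

To run this against a real install, read `manifest.json` from the unpacked extension directory (on Linux, `~/.config/google-chrome/Default/Extensions/<extension id>/<version>/manifest.json`) and adapt `scriptCreatingRules` to whatever rule format the extension actually ships; the schema above is illustrative only.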
## Mitigation Strategies
- **Prevention**: Uninstall the extension with ID `cmedhionkhpnakcndndgjdbohmhepckk`, and check installed profiles for the related IDs listed above that have already been removed from the store.
- **Hardening**:
- Enforce an extension allowlist in enterprise environments, for example with Chrome's `ExtensionInstallAllowlist` and `ExtensionInstallBlocklist` policies, so that only reviewed extension IDs can be installed.
- Use Browser Security Platforms that intercept and analyze extension script execution in real time.
- Review the permissions of existing extensions and question any that request "Read and change all your data on all websites" when their stated purpose is limited to a single site.
## Related Tools/Techniques
- **Adblock Suite / Adblock for Chrome**: Related extensions removed for malware.
- **Affiliate Marketing Fraud**: Similar impersonation techniques found in ".shop" domain redirect campaigns.
- **Unistream SDK**: An ad-injection SDK previously bundled with this extension.