An analysis of a popular Google Chrome ad block extension for YouTube has uncovered the ability to execute arbitrary JavaScript code.
According to Island, the extension, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), has more than 10 million installs and carries a Featured badge on the Chrome Web Store.
The extension description states that it allows users to prevent web page elements like ads, including preroll ads, from being displayed on the video sharing platform, as well as on external sites that load YouTube.
While the add-on offers the promised functionality, it also features capabilities to run arbitrary JavaScript code.
"In practical terms, that could mean reading pages, stealing data, and acting as the user inside personal accounts, work apps, admin panels, and other sensitive browser sessions."
Island found dormant JavaScript injection paths in Adblock for YouTube, a Chrome extension with 10M+ installs, raising browser security risks.
thehackernews.com