Chrome Ad‑Block Extension for YouTube Found with Dormant Script‑Injection Capability Affecting 10M+ Users
What Happened — Security researchers discovered that the “Adblock for YouTube” Chrome extension (ID: cmedhionkhpnakcndndgjdbohmhepckk), which carries a Featured badge and has amassed more than 10 million installs, contains dormant code capable of executing arbitrary JavaScript on any page a user visits. The malicious payload is not disclosed in the extension description and can be triggered remotely, turning a benign‑looking ad‑blocker into a supply‑chain attack vector.
Why It Matters for Compliance & Audit Readiness —
- The scenario is a textbook example of third‑party risk that SOC 2 vendor‑management controls (CC6.1, CC7.2) are built to identify, assess, and continuously monitor.
- Continuous evidence collection on third‑party software behavior creates a defensible audit trail and demonstrates due‑diligence to regulators and customers.
- Verisq’s Vendor Risk capability automates monitoring of extension code changes and runtime behavior, providing the audit‑ready artifacts SOC 2 auditors expect.
Who Is Affected — End‑users of Google Chrome across all sectors; especially media publishers, SaaS platforms embedding YouTube videos, and enterprises that allow personal browser extensions on corporate devices.
Recommended Actions —
- Conduct an organization‑wide inventory of all browser extensions and map each to SOC 2 vendor‑management controls.
- Deploy continuous monitoring that records extension hashes, version changes, and runtime script activity.
- Remove or restrict the flagged extension until the developer provides a clean version, and document the remediation decision as part of your audit evidence.
Source: The Hacker News
Technical Notes — The hidden script can be activated via a remote command, injecting arbitrary JavaScript into any visited page. No CVE has been assigned; the risk originates from malicious code embedded in a legitimate‑looking extension. Potentially exposed data includes session cookies, authentication tokens, and any user‑entered information on compromised pages. Source: [The Hacker News]