11 Million People Use This YouTube Ad Blocker. Experts Warn It Could Read Every Site You Visit

Security researchers found Adblock for YouTube, a Chrome extension with 11 million installs, could run on any site you visit if a bad actor makes one server-side change.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

A free Chrome extension installed by more than 11 million people to skip YouTube ads carries hidden code that could let its developer read your pages, steal your data, and act as you inside any website you visit, security researchers at Island reported on June 25.[1]

The extension, called Adblock for YouTube, blocks ads exactly as promised. The problem is what else it can do. Researchers at the enterprise browser company Island found that a single change on the developer's server could enable code to run across every site in your browser.[1][2]

Nobody has caught the extension stealing data, and that capability sits dormant today. But the design means the trust you hand a simple ad blocker can reach far past YouTube.

Below, I break down how the bypass works, how to check whether you're affected, and which ad blockers we've tested as safe replacements.

In this article
A YouTube ad blocker that quietly runs on every site
Why this matters if you rely on free browser extensions
How to check your ad blocker and what to use instead
The bottom line

A YouTube ad blocker that quietly runs on every site

Adblock for YouTube has sat in the Chrome Web Store since 2014. It carries a Featured badge, holds a 4.4-star rating across 374,000 reviews, and ranks #31 among all extensions in the store, according to Island.

Here’s the catch. The extension asks for permission to run on every website you open, not just YouTube. Island's researchers found a check in the code that’s supposed to keep it on YouTube, but that check only looks for the text "youtube.com" anywhere in a web address. That means the extension's injection could run on a non-YouTube page, such as your bank or webmail, as long as 'youtube.com' appears somewhere in the address

So a simple ad blocker labeled for "YouTube only" can actually reach your email, your bank, and your work apps.

The deeper issue is how the extension takes orders. Every day it fetches a configuration file from its developer's server. That file could hand the extension a piece of code and tell it to inject that code straight into whatever page you are viewing. To show the path was real, the researchers used the live extension to pull data from a logged-in Salesforce account in a controlled test. All it takes to flip that switch is one change on the server. 

Update: After Island's report, the extension's publisher, AdBlock Ltd, said the injection capability was never used and that it's removing the unused code and tightening the YouTube check. The fix still has to pass Google's review and is not yet live, so the steps below still apply.

Why this matters if you rely on free browser extensions

People install free ad blockers to block unwanted ads, malicious pop-ups, and trackers. That same tool is where the risk hides. 

In our ad blocker survey, 59% of ad blocker users said they use the software partly to guard against malware and viruses, and 54% said they use it to protect their privacy. An extension that can touch every page works against both of those goals if the wrong person controls the server behind it.

Chart showing why people use ad blockers

Extensions get this kind of power because of how ad blockers work. To block ads, an ad blocker needs to see and change the pages you load, so sweeping access looks normal here in a way it never would for most other tools.

Adblock for YouTube also carries a history that adds to the worry. It changed hands around 2018 and was rewritten; an earlier version shipped an ad-injection kit that Bitdefender flagged before the extension was dropped in June 2024, and Google has pulled related ad-block extensions tied to the same developer from the Chrome Web Store for malware.

Not sure whether an extension deserves the access it asks for? Learn the red flags before you install in our guide to whether browser extensions are safe.

How to check your ad blocker and what to use instead

If you have Adblock for YouTube installed:

  1. Open Chrome's three-dot menu, go to Extensions, then Manage Extensions, find Adblock for YouTube, and click Remove.
  2. Run a full antivirus scan on your device to rule out anything left behind.
  3. If you want to be cautious, change the passwords on your most sensitive accounts, starting with email and banking.
  4. Replace it with one of the best ad blockers we've tested. On Chrome, where recent platform changes have weakened some popular blockers, our top ad blockers for Chrome guide flags the ones that still work well.

#1 Adblocker — Even Blocks YouTube Video Ads
5.0
Editorial Rating
Get Deal
On Total Adblock's website
2026 Editors’ Choice
Best Overall Ad Blocker
Ad Blocker
Total Adblock
PROMOTION: Get 80% Off
  • Top ad blocker that historically scores 100/100 on AdBlock Tester, passing every banner, interstitial, pop-up, and contextual ad test
  • Successfully blocked YouTube ads in our testing, one of the trickier platforms for ad blockers to handle consistently
  • Works across Chrome, Edge, Safari, and Opera, plus Android and iOS mobile apps

If you just want to block YouTube ads safely:

  1. Choose a vetted option from our guide to the best ad blockers for YouTube.
  2. Follow the steps to block YouTube ads in your browser.
  3. On your phone, learn how to block ads in the YouTube app.

The bottom line

Adblock for YouTube does block ads, but researchers found it is built so that one change on its developer's server could turn it loose on every site you visit. There’s no proof that has happened, and the publisher says it’s now fixing the issue — though the update isn't live yet.

If you use the extension, the safe move is to remove it, scan your device, and switch to an ad blocker that has passed independent security and privacy testing.

#1 Adblocker — Even Blocks YouTube Video Ads
5.0
Editorial Rating
Get Deal
On Total Adblock's website
2026 Editors’ Choice
Best Overall Ad Blocker
Ad Blocker
Total Adblock
PROMOTION: Get 80% Off
  • Top ad blocker that historically scores 100/100 on AdBlock Tester, passing every banner, interstitial, pop-up, and contextual ad test
  • Successfully blocked YouTube ads in our testing, one of the trickier platforms for ad blockers to handle consistently
  • Works across Chrome, Edge, Safari, and Opera, plus Android and iOS mobile apps
Author Details
Kate Quinlan is a Senior Editor at All About Cookies, where she has tested dozens of digital security tools and contributed to more than 370 articles spanning web hosting, VPNs, ad blockers, parental controls, and data security. Before joining AAC, she managed a team of more than 150 writers at SuperSummary, where she developed editorial standards at scale. She holds a B.A. in Professional Writing from Kutztown University.

Citations

[1] BadBlocker: 11 Million Users, One Server Call Away from Compromise

[2] Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability