All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
A free Chrome extension installed by more than 11 million people to skip YouTube ads carries hidden code that could let its developer read your pages, steal your data, and act as you inside any website you visit, security researchers at Island reported on June 25.[1]
The extension, called Adblock for YouTube, blocks ads exactly as promised. The problem is what else it can do. Researchers at the enterprise browser company Island found that a single change on the developer's server could enable code to run across every site in your browser.[1][2]
Nobody has caught the extension stealing data, and that capability sits dormant today. But the design means the trust you hand a simple ad blocker can reach far past YouTube.
Below, I break down how the bypass works, how to check whether you're affected, and which ad blockers we've tested as safe replacements.
Adblock for YouTube has sat in the Chrome Web Store since 2014. It carries a Featured badge, holds a 4.4-star rating across 374,000 reviews, and ranks #31 among all extensions in the store, according to Island.
Here’s the catch. The extension asks for permission to run on every website you open, not just YouTube. Island's researchers found a check in the code that’s supposed to keep it on YouTube, but that check only looks for the text "youtube.com" anywhere in a web address. That means the extension's injection could run on a non-YouTube page, such as your bank or webmail, as long as 'youtube.com' appears somewhere in the address.
So a simple ad blocker labeled for "YouTube only" can actually reach your email, your bank, and your work apps.
The deeper issue is how the extension takes orders. Every day it fetches a configuration file from its developer's server. That file could hand the extension a piece of code and tell it to inject that code straight into whatever page you are viewing. To show the path was real, the researchers used the live extension to pull data from a logged-in Salesforce account in a controlled test. All it takes to flip that switch is one change on the server.
People install free ad blockers to block unwanted ads, malicious pop-ups, and trackers. That same tool is where the risk hides.
In our ad blocker survey, 59% of ad blocker users said they use the software partly to guard against malware and viruses, and 54% said they use it to protect their privacy. An extension that can touch every page works against both of those goals if the wrong person controls the server behind it.
/images/2024/06/10/ad-blocker-tentpole-3.1.png)
Extensions get this kind of power because of how ad blockers work. To block ads, an ad blocker needs to see and change the pages you load, so sweeping access looks normal here in a way it never would for most other tools.
Adblock for YouTube also carries a history that adds to the worry. It changed hands around 2018 and was rewritten; an earlier version shipped an ad-injection kit that Bitdefender flagged before the extension was dropped in June 2024, and Google has pulled related ad-block extensions tied to the same developer from the Chrome Web Store for malware.
If you have Adblock for YouTube installed:
Top ad blocker that historically scores 100/100 on AdBlock Tester, passing every banner, interstitial, pop-up, and contextual ad test
Successfully blocked YouTube ads in our testing, one of the trickier platforms for ad blockers to handle consistently
Works across Chrome, Edge, Safari, and Opera, plus Android and iOS mobile apps
If you just want to block YouTube ads safely:
Adblock for YouTube does block ads, but researchers found it is built so that one change on its developer's server could turn it loose on every site you visit. There’s no proof that has happened, and the publisher says it’s now fixing the issue — though the update isn't live yet.
If you use the extension, the safe move is to remove it, scan your device, and switch to an ad blocker that has passed independent security and privacy testing.
Top ad blocker that historically scores 100/100 on AdBlock Tester, passing every banner, interstitial, pop-up, and contextual ad test
Successfully blocked YouTube ads in our testing, one of the trickier platforms for ad blockers to handle consistently
Works across Chrome, Edge, Safari, and Opera, plus Android and iOS mobile apps
[1] BadBlocker: 11 Million Users, One Server Call Away from Compromise
[2] Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
/images/2023/03/01/total-adblock-review.png)
/images/2023/04/04/best_ad_blockers_for_youtube.jpg)
/images/2026/06/29/adblock_for_youtube_on_desktop_ad_blocker_warning.jpg)
/images/2026/06/17/best_ad_blockers_for_blocking_trackers.jpg){kind=tracking}
/images/2026/06/10/safari_google_chrome_opera_microsoft_edge_firefox_apps_popular_browser_435u0Wg.jpg)
/images/2025/09/20/total_adblock_vs_aura_ad_blocker.jpg)
/images/2025/08/08/aura_ad_blocker_review.jpg)
/images/2025/06/19/person_holding_phone_with_illustration_of_different_mobile_pop-ups.jpg)
/authors/kate-quinlan-new.jpg){kind=small}
/authors/kalleigh-lane-new.jpg){kind=small}
/images/2023/03/01/logo-total-adblock.png){kind=logo}
/authors/kate-quinlan-new.jpg)