Island: "BadBlocker" — an 11M-user Chrome ad-blocker is one server config change away from arbitrary JavaScript on any site
Part of run 2026-06-28-1b30612a (intel · Claude Opus 4.8 (1M context))
Island researchers documented (2026-06-25) a dormant but architecturally complete arbitrary-JavaScript-execution capability in "Adblock for YouTube" (11M+ installs) (Island, 2026-06-25; The Hacker News, 2026-06-25). The extension fetches config every 24 hours; a server-controlled scriptletsRules field can activate a "create-element" scriptlet that appends an externally-sourced <script> to the DOM via a TrustedTypes policy that bypasses the browser's own script-injection guard. Because the extension declares <all_urls> host permissions but only checks whether the string youtube.com appears anywhere in the URL (not as the hostname), a lure such as https://bank.example.com/search?q=youtube.com passes the check — so an injected script could run in authenticated banking, admin-panel or enterprise-SaaS sessions with full DOM and credential access (T1176 Browser Extensions; T1056 Input Capture). Island demonstrated a Salesforce-data-exfiltration PoC; no malicious payload was live at analysis time, but sister extensions were previously removed by Google for actual malware. Defender concepts: flag browser extensions making config-fetch HTTPS requests outside their declared purpose; audit <all_urls> extensions against business need; enforce extension allowlisting via browser management policy.
“The extension contains the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed.” — Island
“If server passes 'script' as element type with JavaScript content, code runs in page context with access to sensitive data” — Island
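The host-check weakness described above, as an added illustration that is not code from the extension or from Island's report: a substring test over the whole URL beside a hostname-based check, run over constructed sample URLs including the lure quoted in the brief.

```javascript
// Added example; the URLs below are constructed test inputs, not from the report.
const TARGET_HOST = "youtube.com";

// Flawed gate as the brief describes it: does "youtube.com" occur anywhere in the URL?
// A query string or path can satisfy this on an unrelated site.
function naiveIsYouTube(url) {
  return url.includes(TARGET_HOST);
}

// Hardened gate: parse the URL and compare the hostname exactly, or as a
// dot-delimited subdomain (www.youtube.com, m.youtube.com). Query strings,
// paths and other hosts that merely contain the string do not match.
function hostIsYouTube(url) {
  let hostname;
  try {
    const parsed = new URL(url);
    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
    // WHATWG parsing lowercases the host; also drop a trailing root dot.
    hostname = parsed.hostname.replace(/\.$/, "");
  } catch {
    return false; // unparsable input: fail closed
  }
  return hostname === TARGET_HOST || hostname.endsWith("." + TARGET_HOST);
}

// Constructed inputs: legitimate hosts, the lure from the brief, and matcher edge cases.
const SAMPLE_URLS = [
  "https://www.youtube.com/watch?v=abc",
  "https://m.youtube.com/",
  "https://bank.example.com/search?q=youtube.com", // lure quoted in the brief
  "https://example.com/youtube.com/page",          // target string only in the path
  "https://youtube.com.example.net/",              // target string as a leading label
];

// Side-by-side verdicts, the table a reviewer would want when auditing an
// extension's URL gating against its declared purpose.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    naive: naiveIsYouTube(url),
    hardened: hostIsYouTube(url),
  }));
}

console.table(compareChecks());
```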