Anthropic Claude Desktop Exposes Chromium Browser Data to Attackers
Key Takeaways Anthropic’s Claude Desktop application for macOS secretly installs a “Native Messaging bridge” into multiple Chromium-based browser directories without user consent....
Key Takeaways
- Anthropic’s Claude Desktop application for macOS secretly installs a “Native Messaging bridge” into multiple Chromium-based browser directories without user consent.
- This bridge, designed to facilitate communication between the desktop app and browser extensions, significantly increases the attack surface for users.
- If an attacker compromises specific pre-authorized Claude browser extension IDs, they could leverage the bridge for out-of-sandbox code execution or access sensitive browser data like private messages, banking information, and typed passwords.
- The installation occurs even for browsers not installed and is continuously rewritten by the Claude Desktop app, raising serious privacy and security concerns and potentially violating EU ePrivacy regulations.
A recent deep dive by privacy researcher Alexander Hanff has revealed that the Anthropic Claude Desktop application for macOS covertly deploys a Native Messaging bridge into the directories of various Chromium-based browsers. This action, performed without explicit user permission, is raising alarms across the cybersecurity community regarding privacy and security implications.
Table Of Content
When a user installs the Claude Desktop application (Claude.app), the software automatically places a specific Native Messaging manifest file, named com.anthropic.claude_browser_extension.json, into the application support folders of up to seven Chromium-based browsers. These include popular choices such as Chrome, Brave, Edge, Arc, Vivaldi, and Opera.
The functionality of a Native Messaging host is to enable a browser extension to communicate with a local desktop application. This bridge operates outside the browser’s traditional secure sandbox environment, executing with the same elevated privileges as the user.
The manifest file specifically pre-authorizes three distinct Chrome extension IDs, allowing them to activate a helper binary (chrome-native-host) located within the Claude Desktop application bundle.
Critically, this installation process unfolds automatically, irrespective of whether the user has ever installed the Claude browser extension. Furthermore, it targets directories for browsers that may not even be present on the user’s machine. Adding to the concern, the Claude Desktop application actively rewrites these manifest files each time it launches, making their permanent removal challenging for users.
Security and Privacy Implications
While the helper binary remains inactive until one of the three pre-authorized extensions triggers it, its mere presence significantly expands the attack surface of the user’s system.
Should an attacker successfully compromise one of the permitted extension IDs—through methods like an account takeover, a malicious update pushed via the Web Store, or a breach in the build pipeline—they could potentially achieve out-of-sandbox code execution on the user’s machine.
The privacy risks are equally substantial. Anthropic’s own documentation indicates that its browser integrations are designed to share login states, read the Document Object Model (DOM), extract structured data, and auto-fill forms. If a fully activated bridge were exploited, an AI agent could, in theory, gain access to decrypted private messages, interact with banking portals, and capture sensitive data such as passwords as they are typed.
Additionally, Anthropic had previously disclosed that its Claude for Chrome extension was susceptible to prompt injection attacks. A successful prompt injection against this extension could, theoretically, leverage the pre-installed Native Messaging bridge to execute commands on the host machine, escalating the severity of such an attack.
The central concern highlighted by Hanff is the complete absence of transparency. The software employs what he describes as a “dark pattern” by forcing an integration across independent software boundaries without seeking explicit user consent. Hanff’s detailed analysis can be found on his blog.
Hanff suggests that this silent deployment of dormant tracking and automation capabilities could directly contravene the EU’s ePrivacy Directive and computer misuse regulations, which impose strict rules on storing information on a user’s terminal equipment.
Standard cybersecurity best practices dictate that such powerful system integrations should only be installed at the user’s explicit request, be precisely scoped to the intended browser, and remain visible and manageable within the application’s settings. As AI tools increasingly seek greater control over digital environments, maintaining strict user consent and transparent security boundaries becomes paramount.
What You Should Do
- Users of Anthropic Claude Desktop on macOS should be aware of this background process and the potential risks it introduces.
- Regularly review your browser extensions and their permissions. Remove any extensions that are not essential or appear suspicious.
- Practice good security hygiene, including using strong, unique passwords and multi-factor authentication for all online accounts to mitigate the risk of account takeovers.
- Stay informed about updates from Anthropic regarding this issue and apply any patches or recommended configurations promptly.
- Consider the implications of installing AI desktop applications that request broad system access without explicit consent.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.