Claude Desktop Silently Installs Browser Bridge on macOS
A detailed investigation published on April 18, 2026, by privacy expert Alexander Hanff has exposed a significant security and privacy issue within Anthropic’s Claude Desktop application for macOS.
The application silently installs a Native Messaging bridge across multiple Chromium-based browsers without user knowledge or consent, establishing out-of-sandbox browser automation hooks that security researchers say substantially expand the local attack surface.
Hanff discovered the unauthorized configuration file named com.anthropic.claude_browser_extension.json while debugging an unrelated project on his MacBook.
His investigation revealed that Claude Desktop automatically writes this manifest into the application support directories of seven Chromium-based browsers: Google Chrome, Brave, Microsoft Edge, Chromium, Arc, Vivaldi, and Opera.
Claude Desktop Reportedly Adds Browser Access
Notably, the application installs these files even for browsers not present on the user’s system and for browsers that Anthropic publicly acknowledges as unsupported.
More concerning, the manifest files are rewritten every time Claude Desktop launches, rendering manual deletion completely ineffective unless the application is fully uninstalled.
The Native Messaging bridge effectively functions as a pre-authorized backdoor. It permits three specific Chrome extension IDs to spawn a local executable, chrome-native-host, embedded within the Claude.app bundle. This executable operates entirely outside the browser sandbox with full user-level system privileges.
When a paired extension is active, the bridge exposes powerful automation capabilities, including reading the complete DOM state, extracting structured web page data, sharing authenticated login sessions, automated form filling, and background screen recording.
These capabilities allow an agentic process to interact with highly sensitive platforms, including banking portals, tax systems, and production infrastructure consoles, acting invisibly as the authenticated user.
The security implications extend beyond unauthorized installation. Anthropic’s own safety data indicates that Claude for Chrome remains susceptible to prompt-injection attacks, with an 11.2% success rate, even with existing mitigations in place.
A successful prompt injection against a bridged extension could allow an attacker to leverage the pre-installed bridge to execute out-of-sandbox code on the user’s local machine.
Additionally, if any of the three pre-authorized Chrome extensions is compromised through a malicious update or supply-chain attack, a threat actor would gain immediate user-level access to the system, with no further exploitation required.
Hanff characterized the behavior as a deliberate “dark pattern” and a direct violation of the EU ePrivacy Directive (Directive 2002/58/EC) and various computer access and misuse laws.
He stressed that dormant capability is never safe capability, arguing that the pre-installed bridge fundamentally undermines the browser trust model without users’ knowledge.
Mitigations
Cybersecurity professionals and privacy advocates are urging Anthropic to adopt a strict opt-in model immediately. Specific recommendations include:
- Prompting users for explicit, affirmative consent before installing any browser integrations
- Limiting installation exclusively to supported browsers that the user actively chooses to integrate
- Providing a transparent settings interface to manage or revoke browser permissions at any time
Until Anthropic resolves this architectural flaw, organizations running Claude Desktop on macOS should proactively audit their environments for the com.anthropic.claude_browser_extension.json manifest file to ensure compliance with internal security policies and data protection regulations.
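One way to run the audit described above, as an added example that is not code from Hanff's investigation or from Anthropic. It walks the user's Application Support tree instead of hardcoding per-browser paths, and assumes the manifest uses the standard Chromium Native Messaging keys `path` and `allowed_origins`; the "otherwise empty browser directory" check is a heuristic of this example.

```python
import json
import os
from pathlib import Path

MANIFEST = "com.anthropic.claude_browser_extension.json"  # filename given in the article
DEFAULT_ROOT = Path.home() / "Library" / "Application Support"
PREFIX = "chrome-extension://"


def audit(root=DEFAULT_ROOT):
    """Return one finding per copy of the manifest found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        if folder.name != "NativeMessagingHosts" or MANIFEST not in files:
            continue
        finding = {"manifest": str(folder / MANIFEST), "host": None,
                   "host_exists": False, "extension_ids": [], "error": None}
        try:
            data = json.loads((folder / MANIFEST).read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
            host = data.get("path")  # executable the browser may spawn
            if isinstance(host, str):
                finding["host"] = host
                finding["host_exists"] = Path(host).is_file()
            origins = data.get("allowed_origins")  # extensions allowed to spawn it
            for origin in origins if isinstance(origins, list) else []:
                if isinstance(origin, str) and origin.startswith(PREFIX):
                    finding["extension_ids"].append(origin[len(PREFIX):].strip("/"))
        except (OSError, ValueError) as exc:
            finding["error"] = f"{type(exc).__name__}: {exc}"
        # Heuristic (assumption): a browser directory holding nothing but
        # NativeMessagingHosts suggests that browser is not installed or never ran.
        others = [p.name for p in folder.parent.iterdir()
                  if p.name not in ("NativeMessagingHosts", ".DS_Store")]
        finding["browser_dir_otherwise_empty"] = not others
        findings.append(finding)
    return sorted(findings, key=lambda f: f["manifest"])


if __name__ == "__main__":
    for item in audit():
        print(json.dumps(item, indent=2))
```

Run it once per user account, since the manifests are written per user; because the article reports the files are rewritten at every launch, a clean result is only meaningful if checked again after Claude Desktop has started.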