A privacy consultant has uncovered that Anthropic’s Claude Desktop for macOS silently installs a Native Messaging bridge into every Chromium-based browser on your machine — including browsers you haven’t even installed — without informing you, without asking consent, and without offering any way to discover it from inside Claude’s own interface.
🔍 THE BOTTOM LINE: Claude Desktop pre-stages a bridge that, once the paired extension is in your browser, lets Claude act inside your authenticated sessions, fill forms as you, and record your browser interactions. It installs into browsers Anthropic publicly says it doesn’t support. It rewrites itself on every launch. And almost no one knows it’s there.
🔎 What Was Found
Privacy consultant Alexander Hanff discovered the bridge while debugging an unrelated project. A file he had never created was sitting in his Brave browser’s Native Messaging directory:
{
  "name": "com.anthropic.claude_browser_extension",
  "description": "Claude Browser Extension Native Host",
  "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
  "type": "stdio",
  "allowed_origins": [
    "chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
    "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
    "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"
  ]
}
This is a Native Messaging manifest: the file a Chromium browser consults when an extension holding the nativeMessaging permission asks to connect to a host by this name. The browser looks the manifest up in its own NativeMessagingHosts directory, checks that the calling extension’s ID appears in allowed_origins, and then launches the binary at path outside the browser sandbox, with the same privileges as the logged-in user, exchanging JSON messages over stdin and stdout (the stdio type). So any extension with one of those three IDs that reaches your browser is already authorised to start chrome-native-host on your machine; no further prompt is involved.
🌐 Seven Browsers. One Silent Install.
Hanff’s full audit found the manifest in seven browser directories:
- Google Chrome
- Microsoft Edge
- Brave
- Arc
- Chromium
- Vivaldi
- Opera
All seven manifests are byte-for-byte identical. Four of those browsers (Edge, Arc, Vivaldi, and Opera) weren’t even installed on the test machine. Claude Desktop created the directories and dropped the files anyway. Because a Chromium browser reads its NativeMessagingHosts directory when an extension connects, not when the browser is installed, a manifest staged in advance is honoured the moment one of those browsers is installed and the paired extension appears.
Anthropic’s own documentation states that Claude’s Chrome integration only supports Chrome and Edge, and does not support Brave, Arc, or other Chromium browsers. The installed behaviour directly contradicts the documented position.
🔓 What the Bridge Can Do
When the paired extension is present, the bridge exposes capabilities that Anthropic documents publicly:
- Authenticated session access — “Claude opens new tabs for browser tasks and shares your browser’s login state, so it can access any site you’re already signed into”
- DOM state read — “Read console errors and DOM state directly”
- Form filling — “Automate repetitive browser tasks like data entry, form filling”
- Screen recording — “Record browser interactions as GIFs”
If you have your bank, your health portal, or your company’s admin console open, the documented capabilities include acting as you there. The bridge runs outside the browser sandbox at user privilege level. Native Messaging hosts don’t show up in any standard macOS permission UI.
⚠️ The Prompt Injection Problem
Anthropic’s own safety data reveals that Claude for Chrome is vulnerable to prompt injection at a 23.6% success rate without mitigations, dropping to 11.2% with current defences. That means roughly one in ten targeted attacks succeeds.
With the bridge pre-installed on your machine, a successful prompt injection against Claude for Chrome has a path — through the extension, through the bridge, to a helper binary running outside the browser sandbox with your access permissions.
🔄 It Reinstalls on Every Launch
Deleting the manifest files isn’t enough. Claude Desktop’s own logs record 31 separate install events across current and archived log files. The manifests’ modification timestamps confirm they’ve been rewritten months after initial creation. Claude Desktop rewrites the bridge every time it runs.
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Chrome at .../com.anthropic.claude_browser_extension.json
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Brave at .../com.anthropic.claude_browser_extension.json
[...five more browsers...]
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Native host installation complete
The subsystem is internally named “Chrome Extension MCP” — a label that never appears in Claude Desktop’s user interface.
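To count those install events on your own machine, here is an added example (not Anthropic’s code and not part of Hanff’s write-up) that parses the log line format quoted above and reports, per browser, how many times the manifest was written, over how many launches, and across what time span. The log directory ~/Library/Logs/Claude and the *.log* pattern for archived files are assumptions; SAMPLE_LOG_LINES is a constructed log with two launches so the script runs offline.

```python
"""Count Native Messaging manifest installs in Claude Desktop's logs (added example,
not Anthropic's code). The line format is taken from the log excerpt above; the log
directory ~/Library/Logs/Claude and the "*.log*" glob for archived files are assumptions."""
import re
from collections import Counter
from pathlib import Path

INSTALL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[info\] \[Chrome Extension MCP\] "
    r"Installed native host manifest for (?P<browser>.+?) at (?P<path>.+)$")
COMPLETE_RE = re.compile(r"\[Chrome Extension MCP\] Native host installation complete$")


def install_events(lines):
    """Return (timestamp, browser, manifest path) for every manifest-install line,
    sorted by timestamp; lines from other subsystems are ignored."""
    events = []
    for line in lines:
        m = INSTALL_RE.match(line.rstrip())
        if m:
            events.append((m["ts"], m["browser"], m["path"]))
    events.sort(key=lambda e: e[0])
    return events


def summarize_installs(lines):
    """How often each browser's manifest was (re)written, over how many launches, and the span."""
    events = install_events(lines)
    per_browser = Counter(browser for _, browser, _ in events)
    return {
        "install_events": len(events),
        # each launch closes its install pass with one "installation complete" line
        "launches_that_installed": sum(1 for line in lines if COMPLETE_RE.search(line)),
        "per_browser": dict(per_browser),
        "reinstalls": len(events) - len(per_browser),  # every write after a browser's first one
        "first": events[0][0] if events else None,
        "last": events[-1][0] if events else None,
    }


def scan_log_dir(log_dir=Path.home() / "Library" / "Logs" / "Claude"):
    """Run the summary across current and rotated log files in one directory (assumed layout)."""
    lines = []
    for path in sorted(log_dir.glob("*.log*")):
        lines.extend(path.read_text(errors="replace").splitlines())
    return summarize_installs(lines)


def _sample_lines():
    """Constructed sample: two launches, months apart, each rewriting all seven manifests."""
    lines = ["2025-12-03 09:11:58 [info] [main] Claude Desktop starting"]  # unrelated line, ignored
    for ts in ("2025-12-03 09:12:01", "2026-03-21 14:54:40"):
        for browser in ("Chrome", "Edge", "Brave", "Arc", "Chromium", "Vivaldi", "Opera"):
            lines.append(f"{ts} [info] [Chrome Extension MCP] Installed native host manifest for "
                         f"{browser} at /Users/demo/Library/Application Support/{browser}/"
                         f"com.anthropic.claude_browser_extension.json")
        lines.append(f"{ts} [info] [Chrome Extension MCP] Native host installation complete")
    return lines


SAMPLE_LOG_LINES = _sample_lines()

if __name__ == "__main__":
    print(summarize_installs(SAMPLE_LOG_LINES))  # swap in scan_log_dir() on a real machine
```

On the constructed sample this reports 14 install events, 2 launches, 7 reinstalls, and a span from 2025-12-03 to 2026-03-21. The "reinstalls" figure is the useful one for the argument: anything above zero means the manifests were rewritten after they already existed, which is what the modification timestamps on the real files also show.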
🇪🇺 Legal Implications
Hanff argues the install is a direct breach of Article 5(3) of the EU ePrivacy Directive (Directive 2002/58/EC), which requires informed consent before accessing information stored on a user’s terminal equipment. He also identifies potential violations of computer access and misuse laws across multiple jurisdictions.
The key legal question: can pre-installing dormant capability without consent be lawful, even if the capability isn’t currently active? Hanff’s position is clear — the mere placement of the binary and creation of the storage directories constitutes the breach.
🇳🇿 What This Means for NZ Users
New Zealand’s Privacy Act 2020 requires that personal information is collected lawfully, and that agencies tell you what they’re collecting and why. A Native Messaging bridge that can read your authenticated browser sessions, fill forms, and capture screen content is collecting personal information by any reasonable definition.
If you’re running Claude Desktop on a work machine in NZ, your organisation may have obligations under the Privacy Act that are now complicated by an unconsented browser bridge with access to every authenticated session you hold.
To check your own machine, open Terminal and run:
find ~/Library/Application\ Support /Library -name "com.anthropic.claude_browser_extension*" 2>/dev/null
The first directory holds the per-user NativeMessagingHosts folders of every Chromium browser; /Library holds the system-wide ones (for example /Library/Google/Chrome/NativeMessagingHosts) that Chrome and Edge also honour. If you see results, the bridge is installed. Deleting the files works only until the next time you launch Claude Desktop.
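A fuller version of that check, and of the manifest reading and seven-browser comparison described earlier, as an added example (not code from the page, from Hanff, or from Anthropic): it visits each Chromium browser’s per-user NativeMessagingHosts directory, parses every manifest the way the browser does, records which extension IDs it authorises and whether the host binary exists, hashes the files to confirm the byte-for-byte match, and flags manifests staged for browsers that are not installed. The directory names for Chrome, Edge, Brave, Chromium, Vivaldi and Opera are the vendors’ conventional per-user locations; Arc’s is an assumption, and system-wide /Library directories are not covered. demo() runs the same audit on a constructed temporary tree so it works offline.

```python
"""Audit Chromium Native Messaging host manifests on macOS (added example, not
Anthropic's code). Per-user directories for Chrome, Edge, Brave, Chromium, Vivaldi
and Opera are the vendors' conventional ones; Arc's is an assumption."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

HOST_NAME = "com.anthropic.claude_browser_extension"

# browser -> (NativeMessagingHosts dir under ~/Library/Application Support, app bundle)
BROWSERS = {
    "Google Chrome": ("Google/Chrome/NativeMessagingHosts", "Google Chrome.app"),
    "Microsoft Edge": ("Microsoft Edge/NativeMessagingHosts", "Microsoft Edge.app"),
    "Brave": ("BraveSoftware/Brave-Browser/NativeMessagingHosts", "Brave Browser.app"),
    "Arc": ("Arc/User Data/NativeMessagingHosts", "Arc.app"),  # assumption
    "Chromium": ("Chromium/NativeMessagingHosts", "Chromium.app"),
    "Vivaldi": ("Vivaldi/NativeMessagingHosts", "Vivaldi.app"),
    "Opera": ("com.operasoftware.Opera/NativeMessagingHosts", "Opera.app"),
}
# Chromium only honours an allowed origin of exactly this form (32-char [a-p] extension id)
EXT_ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def parse_manifest(text):
    """Validate a manifest the way the browser does; problems are collected, not raised."""
    try:
        m = json.loads(text)
    except ValueError as exc:
        return {"problems": [f"not JSON: {exc}"]}
    if not isinstance(m, dict):
        return {"problems": ["manifest is not a JSON object"]}
    problems = [f"missing {k}" for k in ("name", "description", "path", "type", "allowed_origins") if k not in m]
    if m.get("type") != "stdio":
        problems.append(f"unsupported type {m.get('type')!r}")
    ids = []
    for origin in m.get("allowed_origins", []):
        match = EXT_ORIGIN_RE.match(origin)
        if match:
            ids.append(match.group(1))  # an extension id that may launch the host
        else:
            problems.append(f"malformed origin {origin!r}")
    return {"name": m.get("name"), "host_path": m.get("path"),
            "extension_ids": ids, "problems": problems}


def inspect_manifest(browser, manifest_path, browser_installed):
    """Describe one browser's manifest slot: present, what it authorises, staged for an absent browser."""
    row = {"browser": browser, "browser_installed": browser_installed,
           "manifest": str(manifest_path), "present": manifest_path.is_file()}
    if not row["present"]:
        return row
    raw = manifest_path.read_bytes()
    row["sha256"] = hashlib.sha256(raw).hexdigest()  # for the byte-for-byte comparison
    row.update(parse_manifest(raw.decode("utf-8", "replace")))
    if row.get("name") != manifest_path.stem:  # the browser ignores a manifest whose name != filename
        row["problems"].append("name does not match filename")
    row["host_binary_exists"] = bool(row.get("host_path")) and Path(row["host_path"]).is_file()
    row["pre_staged"] = not browser_installed  # manifest waiting for a browser that isn't there
    return row


def audit(app_support, applications, host_name=HOST_NAME):
    """Check every known browser's NativeMessagingHosts directory for host_name."""
    return [inspect_manifest(b, app_support / subdir / f"{host_name}.json", (applications / app).is_dir())
            for b, (subdir, app) in BROWSERS.items()]


def summarize(rows):
    present = [r for r in rows if r["present"]]
    return {
        "present": [r["browser"] for r in present],
        "pre_staged": [r["browser"] for r in present if r["pre_staged"]],
        "distinct_contents": len({r["sha256"] for r in present}),
        "extension_ids": sorted({i for r in present for i in r.get("extension_ids", [])}),
        "problems": {r["browser"]: r["problems"] for r in present if r["problems"]},
    }


# The manifest quoted in the article, used as fixture content for the offline demo.
SAMPLE_MANIFEST = json.dumps({
    "name": HOST_NAME, "description": "Claude Browser Extension Native Host",
    "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host", "type": "stdio",
    "allowed_origins": [f"chrome-extension://{i}/" for i in (
        "dihbgbndebgnbjfmelmegjepbnkhlgni", "fcoeoabgfenejglbffodgkkbkcdhcgfn",
        "dngcpimnedloihjnnfngkgjoidhnaolf")],
}, indent=2)


def demo():
    """Constructed tree reproducing the finding: seven manifests staged, three browsers installed."""
    with tempfile.TemporaryDirectory() as tmp:
        support, apps = Path(tmp, "Application Support"), Path(tmp, "Applications")
        for browser, (subdir, app) in BROWSERS.items():
            (support / subdir).mkdir(parents=True, exist_ok=True)
            (support / subdir / f"{HOST_NAME}.json").write_text(SAMPLE_MANIFEST)
            if browser in ("Google Chrome", "Brave", "Chromium"):
                (apps / app).mkdir(parents=True, exist_ok=True)
        return summarize(audit(support, apps))


if __name__ == "__main__":
    real = audit(Path.home() / "Library" / "Application Support", Path("/Applications"))
    print(json.dumps(summarize(real), indent=2))
```

Run it as-is to audit your own ~/Library/Application Support. The two fields that matter for this story are distinct_contents (1 means every copy is byte-for-byte the same file) and pre_staged (manifests sitting in directories for browsers that have no app bundle in /Applications). The validation in parse_manifest mirrors what the browser enforces, so a manifest it reports as problem-free is one a Chromium browser would actually honour.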
🛡️ What Anthropic Should Do
The fixes are straightforward and standard for desktop software in 2026:
- Ask first — Show a consent dialogue on first launch. “Would you like Claude to control your browser?” Two buttons. Done.
- Install on demand — Drop the manifest only when the user actually installs the paired browser extension.
- Scope narrowly — Install into the browser the user is opting in for, not every Chromium browser on the machine.
- Surface it — List every registered integration in Claude.app’s Settings. Let users revoke each one.
- Stop reinstalling — If the user deletes the manifest, respect that decision.
- Retroactive consent — Notify existing users on next launch that their machine has pre-registered bridges, and offer one-click removal.
📊 The Bigger Picture
This isn’t just about Claude Desktop. It’s about the pattern.
When the AI company that built its brand on safety and responsible AI silently installs browser bridges across trust boundaries without consent, it sets a precedent. Every other AI desktop app now has a template for invisible, self-repairing system integration.
The “safety-first” AI lab and the “install-first, ask-never” software practice are the same company. That tension is the story.
Anthropic has not yet responded publicly to the findings. The bridge continues to ship in current versions of Claude Desktop.