Claude Desktop Installs Preauthorized Browser Extension Manifests

Anthropic's Claude Desktop for macOS installs a Native Messaging manifest file named com.anthropic.claude_browser_extension.json that pre-authorizes the Claude browser extension and two other Chromium extension IDs. The manifest is created for Chromium-based browsers even when those browsers are not installed, meaning any future Chromium browser added to the machine will automatically grant the preauthorized extensions access to a local binary. That local bridge runs at user privilege outside the browser sandbox, enabling extensions to read pages, fill forms, capture screens, and access authenticated sessions without additional consent. Security researcher Alexander Hanff discovered the file; Noah Kenney independently reviewed the findings. The behavior raises privacy and legal questions, including potential breaches of the ePrivacy Directive Article 5(3).
What happened
Anthropic's Claude Desktop on macOS creates a Native Messaging manifest file, com.anthropic.claude_browser_extension.json, that pre-authorizes three Chromium extension IDs, including Claude for Chrome. The manifest is written even for Chromium-based browsers not currently installed, so any such browser added later will automatically allow the extension to communicate with a local binary without user consent.
Technical details
Native Messaging manifests define a bridge between browser extensions and a local executable; that bridge executes with the user's OS privileges and bypasses the browser sandbox. With the manifest preinstalled, an extension can exchange messages with a local binary to perform actions including reading page contents, autofilling forms, capturing the screen, and leveraging authenticated sessions. Anthropic's safety metrics indicate prompt-injection vulnerability rates of 23.6 percent without mitigations and 11.2 percent with current measures, numbers that matter because a successful injection could pivot through the extension to the local bridge. Key artifacts discovered are the com.anthropic.claude_browser_extension.json manifest and the set of authorized extension IDs.
Mitigation steps practitioners should consider
- Inspect and remove unexpected Native Messaging manifest files from ~/Library or /Library if present and not required by trusted software
- Audit installed browser extensions and block unknown extension IDs or reauthorize only via explicit user flows
- Monitor processes that accept local messages and apply OS-level least-privilege controls
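As an added example (not code from the article, from Anthropic or from the researchers), a Python audit script that implements the first two mitigation steps on macOS: it walks a Chromium browser's Native Messaging manifest directory, parses each manifest, and flags host names and extension origins that are not on an allowlist, hosts shared by several extensions, bridge binaries that are not present, and manifests written for a browser that is not installed. The Chrome manifest directory and app-bundle path are assumptions; the sample manifest, its host name and its extension IDs are constructed.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumed macOS location: (per-user manifest directory, app bundle). Chrome's directory follows its
# Native Messaging documentation; add entries for the other Chromium-based browsers you care about.
BROWSERS = {"Google Chrome": ("~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
                             "/Applications/Google Chrome.app")}

def audit_manifest(manifest_path, expected_hosts):
    """Findings for one manifest; expected_hosts maps a sanctioned host name to its allowed origins."""
    try:
        data = json.loads(Path(manifest_path).read_text())
    except (OSError, ValueError) as exc:
        return [f"unreadable manifest: {exc}"]
    name, origins = data.get("name", ""), set(data.get("allowed_origins", []))
    findings = []
    if name not in expected_hosts:
        findings.append(f"unexpected host '{name}'")
    elif origins - expected_hosts[name]:
        findings.append(f"host '{name}' grants unapproved origins: {sorted(origins - expected_hosts[name])}")
    if len(origins) > 1:
        findings.append(f"host '{name}' is shared by {len(origins)} extension origins")
    if not os.path.isfile(data.get("path", "")):  # the bridge binary runs as the user, outside the sandbox
        findings.append(f"host binary not present at '{data.get('path', '')}'")
    return findings

def audit_browsers(expected_hosts, browsers=BROWSERS):
    """Audit each browser's manifest directory; flag grants written for browsers that are not installed."""
    report = {}
    for browser, (manifest_dir, app_bundle) in browsers.items():
        for manifest in sorted(Path(manifest_dir).expanduser().glob("*.json")):
            findings = audit_manifest(manifest, expected_hosts)
            if not os.path.isdir(app_bundle):
                findings.append(f"pre-authorization for {browser}, which is not installed")
            report[str(manifest)] = findings
    return report

# Constructed sample manifest (fake host name and extension IDs) so the audit can be exercised offline.
SAMPLE_MANIFEST = {"name": "com.example.bridge", "type": "stdio", "path": "/opt/example/bridge",
                   "allowed_origins": ["chrome-extension://exampleextensionone/",
                                       "chrome-extension://exampleextensiontwo/"]}
def demo():
    """Drop the sample into a temp dir that poses as an uninstalled browser's manifest dir, then audit."""
    tmp = tempfile.mkdtemp()
    Path(tmp, "com.example.bridge.json").write_text(json.dumps(SAMPLE_MANIFEST))
    return audit_browsers({"com.example.bridge": {SAMPLE_MANIFEST["allowed_origins"][0]}},
                          {"Example Browser": (tmp, os.path.join(tmp, "missing.app"))})
```

Run `audit_browsers({})` on a real Mac to list every manifest as unexpected, then move the host names and extension origins you actually sanction into the allowlist and rerun.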
Context and significance
This is a classic privilege and preauthorization risk: a desktop companion app increases the attack surface by pre-granting cross-process capabilities. The behavior intersects privacy law; researcher Alexander Hanff flagged potential noncompliance with ePrivacy Directive Article 5(3). Independent reviewer Noah Kenney highlighted that pre-authorized bridges are persistent and difficult for users to discover or remove, broadening the threat model for browser-based attacks.
What to watch
Expect regulatory scrutiny in the EU, security advisories or patches from Anthropic, and audits of other desktop-app tooling that uses Native Messaging. Operators should validate manifests and require explicit, runtime consent for any local bridge.
Scoring Rationale
This is a notable security/privacy finding affecting a widely used AI desktop client that creates persistent, preauthorized local bridges. It materially raises attack surface and regulatory risk for Anthropic and users, but it is not yet a systemic industry-wide compromise.