Hacker News
Claude Desktop Silently Installs Native Messaging Bridge for 7 Browsers — Pre-Authorizes Extensions Without Consent
Security researchers found Claude Desktop for macOS silently drops com.anthropic.claude_browser_extension.json into Chromium-based browsers, pre-authorizing three Chrome extension IDs without any opt-in prompt. The app creates NativeMessagingHosts directories for browsers not even installed (Edge, Arc, Vivaldi, Opera), pre-staging access for future installs. Anthropic's own safety data shows Claude for Chrome is vulnerable to prompt injection at 11.2% with mitigations. 91 points on HN.
↳ Follow the thread