A recent technical audit by privacy researcher Alexander Hanff has revealed that Anthropic’s Claude Desktop application for macOS silently installs a Native Messaging bridge into the directories of several Chromium-based browsers.
This undocumented behavior occurs without user consent, raising significant privacy and security concerns within the cybersecurity community.
When a user installs Claude Desktop (Claude.app), the application automatically places a Native Messaging manifest file named com.anthropic.claude_browser_extension.json into the application support folders of up to seven Chromium-based browsers, including Chrome, Brave, Edge, Arc, Vivaldi, and Opera.
For a browser extension to communicate with a local desktop application, it requires a Native Messaging host. This bridge operates outside the browser’s secure sandbox, running with the same privileges as the user.
The manifest file preauthorizes three specific Chrome extension IDs to trigger the helper binary (chrome-native-host) located in the Claude Desktop app bundle.
Alarmingly, this installation happens automatically even if the user has never installed the Claude browser extension, and even in directories for browsers that are not currently installed on the machine.
Furthermore, Claude Desktop rewrites these manifest files whenever it launches, making them difficult to remove permanently.
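To check a machine for the behavior described above, the following added example (not code from Hanff's audit or from Anthropic) walks a directory tree for the manifest and reports which extension IDs it authorizes and which helper binary it points at. It assumes the standard Chromium Native Messaging layout: a `NativeMessagingHosts` directory per browser and the manifest fields `path` and `allowed_origins`. The sample extension IDs are constructed placeholders.

```python
import json
import os

MANIFEST_NAME = "com.anthropic.claude_browser_extension.json"  # file name given in the article
HOSTS_DIR = "NativeMessagingHosts"  # assumption: standard Chromium manifest directory name
PREFIX = "chrome-extension://"


def find_manifests(root):
    """Report every copy of the manifest found in a NativeMessagingHosts directory under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != HOSTS_DIR or MANIFEST_NAME not in files:
            continue
        manifest_path = os.path.join(dirpath, MANIFEST_NAME)
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                data = json.load(fh)
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError) as exc:
            # Unreadable or malformed copies are still reported, not skipped.
            findings.append({"manifest": manifest_path, "error": str(exc)})
            continue
        origins = data.get("allowed_origins") or []
        ids = [o[len(PREFIX):].rstrip("/") for o in origins
               if isinstance(o, str) and o.startswith(PREFIX)]
        host = str(data.get("path", ""))
        findings.append({"manifest": manifest_path, "host_binary": host,
                         "host_exists": os.path.isfile(host), "extension_ids": ids})
    return sorted(findings, key=lambda f: f["manifest"])


def build_sample_tree(root):
    """Constructed sample data: two browser directories with placeholder extension IDs."""
    manifest = {"path": "/nonexistent/chrome-native-host", "type": "stdio",
                "allowed_origins": [PREFIX + "a" * 32 + "/", PREFIX + "b" * 32 + "/"]}
    for browser in ("BrowserA", "BrowserB"):
        hosts = os.path.join(root, browser, HOSTS_DIR)
        os.makedirs(hosts)
        with open(os.path.join(hosts, MANIFEST_NAME), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)


if __name__ == "__main__":
    # On macOS the per-user browser data lives under Application Support.
    for finding in find_manifests(os.path.expanduser("~/Library/Application Support")):
        print(json.dumps(finding, indent=2))
```

Because the article reports that the manifests are rewritten at each launch, a single clean result is not conclusive; rerun the check after starting Claude Desktop.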
Security and Privacy Implications
While the helper binary remains dormant until activated by one of the three pre-authorized extensions, its presence expands the attack surface of the user’s machine.
If an attacker successfully compromises one of the allowed extension IDs via an account takeover, a malicious Web Store update, or a compromised build pipeline, they could achieve out-of-sandbox code execution.
The privacy risks are equally severe. According to Anthropic’s own documentation, their browser integrations are designed to share login states, read the Document Object Model (DOM), extract structured data, and fill forms.
This means a fully activated bridge could allow the AI agent to read decrypted private messages, access banking portals, and capture passwords as they are typed.
Furthermore, Anthropic previously disclosed that its Claude for Chrome extension is vulnerable to prompt injection attacks.
A successful prompt injection against the extension could, in theory, use the pre-installed Native Messaging bridge to execute commands on the host machine.
The core issue Hanff highlights is the total lack of transparency. The software employs a “dark pattern” by forcing an integration across independent software boundaries without prompting the user to opt in.
Hanff noted that this silent deployment of dormant tracking and automation capabilities may be in direct violation of the EU’s ePrivacy Directive and computer misuse regulations, which strictly govern the storage of information on a user’s terminal equipment.
Standard cybersecurity practices dictate that such powerful system integrations should be installed only when a user actively requests them, be properly scoped to the targeted browser, and be visible within the application’s settings.
As AI tools increasingly seek agentic control over our digital environments, enforcing strict user consent and transparent security boundaries remains critical.
