A detailed cybersecurity report published by privacy expert Alexander Hanff on April 18, 2026, reveals that Anthropic’s Claude Desktop application for macOS silently installs a Native Messaging bridge across multiple Chromium-based browsers.
This unprompted installation establishes out-of-sandbox browser automation hooks that pose significant privacy and security risks, bypassing explicit user consent and standard application security boundaries.
The investigation centers on a Native Messaging manifest file named com.anthropic.claude_browser_extension.json.
According to Hanff, Claude Desktop automatically writes this configuration file into the application support directories of seven Chromium browsers: Google Chrome, Brave, Microsoft Edge, Chromium, Arc, Vivaldi, and Opera. Hanff discovered the unauthorized file on his MacBook while debugging an unrelated project.
The application aggressively installs this bridge even for browsers that are not present on the user’s machine, and for browsers that Anthropic publicly claims are unsupported.
The files are rewritten every time Claude Desktop launches, making manual deletion ineffective unless the application is uninstalled.
The Native Messaging bridge acts as a pre-authorized backdoor for browser extensions. It allows three specific Chrome extension IDs to permanently spawn a local executable (chrome-native-host) within the Claude.app bundle.
Crucially, this executable runs completely outside the browser sandbox with full user-level privileges.
Claude Desktop Reportedly Adds Browser Access
According to Anthropic’s own documentation, when a paired extension is active, the bridge exposes exceptionally powerful browser automation capabilities.
These features include reading the complete DOM state, extracting structured web page information, sharing login states for authenticated sessions, automated form filling, and background screen recording.
This level of system access allows the agentic process to interact with highly sensitive websites, such as banking portals, tax systems, or production infrastructure admin consoles, acting seamlessly as the logged-in user.
This latent capability significantly expands a user’s local attack surface. Anthropic’s own safety data shows that Claude for Chrome remains vulnerable to prompt-injection attacks at an 11.2% success rate, even with their current mitigations active.
If an attacker successfully executes a prompt injection against a bridged extension, they could leverage the pre-installed bridge to gain out-of-sandbox code execution on the user’s local machine.
Furthermore, if any of the three pre-authorized extensions are compromised through a malicious update or a supply-chain attack, the threat actor would gain immediate user-level access.
Hanff described the behavior as a deliberate “dark pattern” and a direct breach of the EU ePrivacy Directive (Directive 2002/58/EC) and various computer access and misuse laws.
He emphasized that dormant capability is never safe capability, noting that the pre-installed bridge bypasses the browser trust model and leaves users entirely unaware of the persistent hooks on their systems.
Cybersecurity professionals and privacy advocates recommend that Anthropic immediately move to a strict opt-in model.
This would involve prompting users for explicit, affirmative consent before installing any browser integrations, limiting installation to supported browsers the user has actively chosen to integrate, and providing a transparent settings menu to manage or revoke these permissions.
Until Anthropic addresses this architectural design flaw, organizations using Claude Desktop on macOS should proactively audit their environments for the com.anthropic.claude_browser_extension.json manifest file to ensure compliance with internal security and data protection policies.
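One way to run the audit described above, as an added example that is not code from Hanff's report or from Anthropic. It walks a directory tree for the manifest filename instead of assuming per-browser paths, and reads the standard Native Messaging manifest fields `path` and `allowed_origins`; the function names and the "no other browser data" heuristic are assumptions of this example.

```python
import json
import os
from pathlib import Path

# Filename taken from the report; all other names here are illustrative.
MANIFEST_NAME = "com.anthropic.claude_browser_extension.json"


def find_manifests(root):
    """Return one finding per manifest with the reported name under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if MANIFEST_NAME not in files:
            continue
        manifest = Path(dirpath) / MANIFEST_NAME
        finding = {"manifest": str(manifest), "host_path": None,
                   "allowed_origins": [], "browser_data_present": None,
                   "error": None}
        try:
            # Heuristic (assumption): a browser data directory that holds only
            # the manifest's folder suggests the browser was never run here.
            others = [p.name for p in manifest.parent.parent.iterdir()
                      if p.name != manifest.parent.name
                      and not p.name.startswith(".")]
            finding["browser_data_present"] = bool(others)
            data = json.loads(manifest.read_text(encoding="utf-8"))
            finding["host_path"] = data.get("path")
            finding["allowed_origins"] = list(data.get("allowed_origins") or [])
        except (OSError, ValueError, TypeError, AttributeError) as exc:
            finding["error"] = f"could not parse manifest: {exc}"
        findings.append(finding)
    return sorted(findings, key=lambda f: f["manifest"])


def origins_to_manifests(findings):
    """Map each allowed extension origin to the manifests that authorize it."""
    by_origin = {}
    for f in findings:
        for origin in f["allowed_origins"]:
            by_origin.setdefault(origin, []).append(f["manifest"])
    return by_origin


if __name__ == "__main__":
    results = find_manifests(Path.home() / "Library" / "Application Support")
    for f in results:
        note = "" if f["browser_data_present"] else "(no other browser data)"
        print(f["manifest"], "->", f["host_path"], f["allowed_origins"],
              note, f["error"] or "")
    print(f"{len(results)} manifest(s) found")
```

Because the report says the files are rewritten on every launch of Claude Desktop, a single clean result is only meaningful if the scan is repeated on a schedule.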

