GBHackers

Critical Chrome Extension Vulnerabilities Let Attackers Easily Compromise Browsers


Critical security flaws in widely used Chrome extensions are exposing millions of users to the risk of full browser compromise.

The vulnerabilities, named “MaXSS” and “Spyder,” affect the popular AI-powered extensions SiderAI and MaxAI, which together have more than 10 million installations across Chrome and other Chromium-based browsers. The flaws turn these convenience-oriented AI helpers into significant attack vectors for anyone who has them installed.

Critical Chrome Extension Vulnerabilities

These extensions belong to a growing category known as agentic side panels, designed to enhance browsing with AI-driven capabilities such as summarization, contextual assistance, and automated actions.

However, their deep integration into web sessions and elevated permissions have introduced severe security risks when implemented without robust isolation and input validation. In practice, this means that untrusted web pages can indirectly gain access to the powerful privileges granted to these extensions.

The root cause of both vulnerabilities lies in insecure handling of communication between web pages and extension content scripts. In Chrome’s extension architecture, content scripts act as intermediaries between untrusted web content and privileged background processes.

While this separation is intended to enforce security boundaries, both SiderAI and MaxAI failed to properly validate input originating from web pages before acting on it or forwarding it to the background component.

The MaXSS vulnerability in MaxAI allows malicious websites to send crafted messages to the extension’s content script, which are then forwarded to the background process without proper validation.

This effectively grants attackers the ability to invoke privileged browser actions. Rebora researchers demonstrated that attackers could open hidden tabs, capture screenshots of sensitive applications such as Gmail and Google Calendar, and even interact with AI platforms like ChatGPT or Claude to extract user data.

Similarly, the Spyder vulnerability in SiderAI enables attackers to simulate user interactions within embedded web contexts. By triggering artificial events, malicious websites can force the extension to perform actions such as typing prompts, clicking buttons, and exfiltrating sensitive data.
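Both flaws come down to a content script trusting what the web page hands it. The following is an added illustration, not code from MaxAI, SiderAI or the researchers, of the two defensive checks the article's root-cause description implies: validating page-originated messages before relaying them to the background component (the MaXSS pattern), and refusing script-dispatched DOM events that try to drive the extension's UI (the Spyder pattern). The origin allowlist, the `ai-helper` channel tag, the action names and the sample messages are all constructed for the example.

```javascript
// Added example (not MaxAI/SiderAI code): gating page-originated input in a
// content script before it reaches privileged extension APIs.
// TRUSTED_ORIGINS, ALLOWED_ACTIONS and the "ai-helper" channel tag are assumptions.

const TRUSTED_ORIGINS = new Set(['https://app.example-ai-helper.invalid']); // assumed
const ALLOWED_ACTIONS = new Set(['summarize-selection', 'open-panel']);     // assumed

// Vulnerable pattern (the behaviour the article describes): every window
// message is relayed to the background page unchanged, so any site the user
// visits can ask for whatever the background is willing to do.
function forwardAnyMessage(event, sendToBackground) {
  sendToBackground(event.data);
}

// Hardened pattern: check the sender origin, the message shape and an action
// allowlist, then relay only the fields the background needs, never the raw object.
function validatePageMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  const d = event.data;
  if (!d || typeof d !== 'object' || d.channel !== 'ai-helper') return null;
  if (typeof d.action !== 'string' || !ALLOWED_ACTIONS.has(d.action)) return null;
  if (d.payload !== undefined && typeof d.payload !== 'string') return null;
  return { action: d.action, payload: d.payload ?? '' };
}

// Returns true when the message was accepted and relayed, false when dropped.
function forwardValidatedMessage(event, sendToBackground) {
  const msg = validatePageMessage(event);
  if (msg === null) return false;
  sendToBackground(msg);
  return true;
}

// Synthetic events dispatched by page script carry isTrusted === false, while
// real user input carries isTrusted === true; UI handlers that trigger AI
// actions should require the latter.
function isGenuineUserEvent(event) {
  return event.isTrusted === true;
}

// Wire-up as it would look inside a real content script. Guarded so the module
// also loads outside a browser (e.g. under Node for unit tests).
if (typeof window !== 'undefined' && typeof chrome !== 'undefined' && chrome.runtime) {
  window.addEventListener('message', (ev) =>
    forwardValidatedMessage(ev, (m) => chrome.runtime.sendMessage(m)));
  document.addEventListener('click', (ev) => {
    if (!isGenuineUserEvent(ev)) return; // ignore script-generated clicks
    // ... handle a genuine click on the extension's injected UI here
  });
}
```

The design point is that the content script, not the background page, is the trust boundary: anything that crosses from page context into `chrome.runtime.sendMessage` should be a freshly built object with a known action, and anything that drives the extension's own UI should be a trusted event rather than one the page synthesised.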

In a proof-of-concept, researchers showed how an attacker could access a victim’s AI account, generate sensitive outputs, and leak them via publicly accessible links controlled by the attacker.

The impact of these flaws is significant, as exploitation requires no user interaction beyond visiting a malicious webpage. Given the extensive permissions granted to these extensions, attackers can access emails, documents, authentication tokens, and potentially execute actions on behalf of the user across multiple services.

In some scenarios, researchers also raised concerns about potential access to local files, further increasing the severity for both consumers and enterprises.

Despite responsible disclosure attempts, the vendors did not respond, leaving users exposed at the time of publication. Google has been notified, but no immediate remediation was confirmed.

Security experts warn that this incident highlights a broader issue with AI-integrated software, particularly browser extensions that operate with high privileges. As adoption of AI-driven tools accelerates, the browser endpoint is becoming an increasingly attractive and fragile attack surface.

Users are strongly advised to review installed extensions and remove SiderAI and MaxAI if present, while organizations should enforce stricter extension policies, monitor browser-based threats, and limit permissions granted to third-party tools to reduce exposure.
