A vulnerability in Chrome could have allowed malicious extensions to hijack the browser’s AI assistant to spy on users and exfiltrate data, Palo Alto Networks reports.
Chrome’s side panel AI assistant, called Gemini Live, was designed to help users by summarizing content in real time, automatically executing specific tasks, and aiding with the contextual understanding of the active webpage.
“By granting the AI direct, privileged access to the browsing environment, AI browsers are capable of performing complex, multi-step operations that were previously impossible or required several extensions and manual steps,” Palo Alto Networks explains.
To function as intended, the AI essentially sees what the user sees on the screen and uses the web page for context and instructions, and this expanded capability and privileged access open the door to new risks.
The vulnerability that Palo Alto Networks uncovered, tracked as CVE-2026-0628 and patched in January in Chrome 143, could have allowed malicious browser extensions to inject JavaScript code into the Gemini Live panel.
The malicious extension, the cybersecurity firm explains, would require access to a permission set through the declarativeNetRequests API, which allows extensions to intercept and alter HTTPS web requests and responses.
The capability is meant for legitimate purposes, such as blocking malicious or intrusive requests, and is enabled by default for extensions to interact with content originating from Gemini and loaded in the website’s tab.
CVE-2026-0628, Palo Alto Networks says, impacted the ability to interact with the contents loaded within the Gemini panel, meaning that JavaScript code would gain access to the AI’s capabilities.
“These include being able to read local files, take screenshots, access the camera and microphone and more, so the app could perform complex tasks. Being able to intercept it under that setting would have allowed attackers to gain access to these powers too,” Palo Alto Networks explains.
Because the Gemini Live panel is a component of the browser itself, an attacker could have injected code to start the camera and microphone without user consent, to access local files, to take screenshots of browser tabs, and to hijack the panel and perform a phishing attack.
“Since the Gemini app relies on performing actions for legitimate purposes, hijacking the Gemini panel allows privileged access to system resources that an extension would not normally have,” Palo Alto Networks explains.
The cybersecurity firm reported the bug to Google in October. A fix was rolled out in Chrome versions 143.0.7499.192/.193 for Windows and macOS, and Chrome version 143.0.7499.192 for Linux.
Related: Google Working Towards Quantum-Safe Chrome HTTPS Certificates
Related: PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence
Related: Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data
Related: Chrome, Edge Extensions Caught Stealing ChatGPT Sessions
