Google Chrome’s AI Panel Turns Into Privilege Escalator for Extensions, Researchers Find

The vulnerability stems from Chrome’s handling of extension‑level network rules that govern how requests to the built‑in Gemini Live side panel are routed. Unit 42 researchers demonstrated that a malicious add‑on with only the standard “webRequest” permission could intercept the HTTP traffic destined for the Gemini panel, inject its own JavaScript, and thereby execute code within the privileged context of the AI feature. Because Gemini Live is granted access to sensitive browser APIs—including `chrome.tabs.captureVisibleTab`, `chrome.fileSystem`, and the media‑capture interfaces that enable webcam and microphone activation—the injected script inherits these capabilities without any additional user consent, effectively bypassing Chrome’s extension sandbox (Palo Alto Networks, The Register).

Google’s remediation arrived in early January with Chrome 143.0.7499.192 and 143.0.7499.193, which patch the request‑handling path that allowed the cross‑origin injection. The update also tightens the separation between extension‑originated network requests and the internal Gemini service, ensuring that only traffic originating from the browser’s own UI components can reach the AI panel. According to The Register, the fix was deployed to the Stable channel before Unit 42’s public disclosure, meaning that any user running a current version is protected against the exploit.

The bug highlights a broader shift in browser threat models as AI assistants become more tightly coupled with core functionality. Gartner has recently warned enterprises to avoid “agentic” browsers, arguing that the deep system hooks required for features like Gemini Live introduce attack surfaces that outweigh productivity gains (The Register). This caution is echoed by recent findings that attackers are already weaponizing generative models in the wild: in February, researchers uncovered Android malware that called Google’s Gemini API at runtime to interpret screenshots and automate on‑device actions, demonstrating a growing appetite for integrating AI into malicious toolchains (The Register).

Historically, Chrome has enforced strict isolation between extensions and the browser’s privileged code, using a combination of manifest‑declared permissions and runtime checks to prevent privilege escalation. The Gemini panel, however, operates as a first‑party component with elevated rights, blurring the line between user‑level extensions and the browser’s internal services. By exploiting a flaw in the network‑rule enforcement layer, the attack chain required only modest permissions and no novel code‑execution techniques, underscoring how a seemingly innocuous integration can undermine long‑standing security guarantees.

For developers and security teams, the incident serves as a reminder to audit any third‑party extensions that request network‑interception capabilities, especially in environments where AI‑enhanced features are enabled. Chrome’s upcoming roadmap includes further compartmentalization of AI services, but until those changes land, the onus remains on users to keep their browsers up to date and to limit the installation of extensions from untrusted sources.