posted by janrinok on Monday May 04, @11:56PM

Anthropic silently installed a spyware bridge on my machine:

I was working on a personal project, debugging a Native Messaging helper I had written for it. In the process I needed to check what Brave Browser had registered on my laptop. What I found was a file I had never put there. It was not mine. I had not installed it. I had not authorised it. I had not even been told about it.

It was from Anthropic.

The file sits at this path on my MacBook:

~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json

And its contents are this:

{
  "name": "com.anthropic.claude_browser_extension",
  "description": "Claude Browser Extension Native Host",
  "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
  "type": "stdio",
  "allowed_origins": [
    "chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
    "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
    "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"
  ]
}

For the non-technical reader, this is a Native Messaging manifest. It is the document a Chromium-based browser consults when a browser extension wants to call an executable on the local machine. Native Messaging hosts run outside the browser sandbox, at the same privilege level as the user. If a browser extension with one of the three IDs listed above reaches my Brave install, Brave is pre-authorised to spawn the binary at /Applications/Claude.app/Contents/Helpers/chrome-native-host on my laptop with my access permissions.

I did not install any Anthropic browser extension. I have never installed a Claude browser extension due to privacy and security concerns. I did install Claude Desktop, the Mac app, a while back. That is the only thing on this machine which could have written the file. Claude Desktop reached into Brave, a browser from a completely separate vendor, and registered a back door for a browser extension I do not have.

One clarification before I continue, because the Anthropic ecosystem has two products whose names blur together. This article is about Claude Desktop, the Electron-based macOS application with bundle identifier com.anthropic.claudefordesktop, distributed as Claude.app. It is not about Claude Code, Anthropic's command line developer tool. Claude Code has its own, separately documented, Native Messaging bridge with the filename com.anthropic.claude_code_browser_extension.json. The bridge this article is about is installed under a different filename, com.anthropic.claude_browser_extension.json, by a different product, under a different internal subsystem, and is entirely undocumented by Anthropic. The two bridges coexist. This article concerns the undocumented one.

At rest, the bridge does nothing. The binary does not run until a browser extension with one of the three listed IDs calls it. So on my machine, right now, nothing is happening. That is the one argument Anthropic will try to hide behind. Let me cut through it in advance.

When the paired extension is present and the bridge is activated, it exposes browser automation capabilities to whatever agentic process Claude is running. Anthropic describe those capabilities in their own public documentation. [...]

That is explicit authenticated session access, DOM state read, form filling, and screen capture, described by Anthropic on their own documentation site. If I have my bank open in a tab, the bridge's documented capabilities include reading it as me. If I have Tax, or my Health portal, or a client's Slack, or an admin console to production infrastructure, the documented capabilities include acting as me there.

The bridge runs outside the browser's sandbox at user privilege level, and Native Messaging hosts do not surface in any standard macOS process or permission UI; they are invoked by the browser and communicate over stdio.

This is the capability that Anthropic pre-stages on my laptop the moment I install their desktop application. Without telling me. Without asking me. Without offering me the chance to say no.

TFA says folders were also created for other browsers that weren't installed, so if any of those browsers were later installed, this would be active from the start. Apart from whether Anthropic needs this to function, looking at it from a higher level, the fact that you can do this sounds to me like a horrible security loophole that can be easily exploited.
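
An audit for the situation the story describes, added here as an example (not code from the article, the submitter or Anthropic): it lists every per-user Native Messaging manifest, then checks whether any extension named in allowed_origins is actually installed in that browser's profiles. The profile layout <user-data>/<profile>/Extensions/<id>/ and the function names are assumptions of this example; the sample tree in demo() is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")  # IDs are 32 letters a-p

def audit_native_hosts(app_support):
    """List each Native Messaging manifest under app_support and whether any
    extension it authorises is installed in that browser's profiles."""
    root, findings = Path(app_support), []
    # User-data directories sit one or two levels down (BraveSoftware/Brave-Browser).
    manifests = [*root.glob("*/NativeMessagingHosts/*.json"),
                 *root.glob("*/*/NativeMessagingHosts/*.json")]
    for manifest in sorted(manifests):
        user_data = manifest.parent.parent
        try:
            doc = json.loads(manifest.read_text(encoding="utf-8"))
            origins = list(doc.get("allowed_origins", []))
        except (OSError, ValueError, AttributeError, TypeError) as exc:
            findings.append({"manifest": str(manifest), "error": repr(exc)})
            continue
        installed = {}
        for origin in origins:
            m = ORIGIN_RE.match(str(origin))
            if m:  # assumed profile layout: <user-data>/<profile>/Extensions/<id>/
                installed[m.group(1)] = any(user_data.glob(f"*/Extensions/{m.group(1)}"))
        findings.append({
            "manifest": str(manifest),
            "host": doc.get("path"),
            "host_exists": Path(str(doc.get("path"))).exists(),
            "installed": installed,
            # Pre-staged: host is registered but no authorised extension is present.
            "prestaged": not any(installed.values()),
        })
    return findings

def demo():
    """Audit a constructed tree that mirrors the manifest quoted in the story."""
    ids = ["dihbgbndebgnbjfmelmegjepbnkhlgni", "fcoeoabgfenejglbffodgkkbkcdhcgfn"]
    with tempfile.TemporaryDirectory() as tmp:
        brave = Path(tmp, "BraveSoftware", "Brave-Browser")
        hosts = brave / "NativeMessagingHosts"
        hosts.mkdir(parents=True)
        (hosts / "com.anthropic.claude_browser_extension.json").write_text(json.dumps({
            "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
            "allowed_origins": [f"chrome-extension://{i}/" for i in ids]}))
        before = audit_native_hosts(tmp)  # no extension installed yet
        (brave / "Default" / "Extensions" / ids[0]).mkdir(parents=True)
        return before, audit_native_hosts(tmp)
```

On a Mac, call audit_native_hosts(Path.home() / "Library/Application Support"); this covers per-user manifests only, and any entry with "prestaged": True is a registered host with no matching extension installed.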


  • (Score: 4, Funny) by JoeMerchant on Tuesday May 05, @01:43AM

    by JoeMerchant (3937) on Tuesday May 05, @01:43AM (#1441601)

    Hey Mythos,

    Scan my browser install for security vulnerabilities...

    --
    🌻🌻🌻🌻 [google.com]
  • (Score: 5, Informative) by MrNerdHair on Tuesday May 05, @02:49AM (3 children)

    by MrNerdHair (5930) on Tuesday May 05, @02:49AM (#1441603)

    All the capabilities OP is worried about are provided by the browser extension, not the native messaging bridge. It's only there to allow the extension to talk to the software on the local computer, so that software can ask the extension nicely to please do things. It's unequivocally not a back door: there are a ton of other ways for an app on your computer to talk to a cooperating browser extension, and they're all less secure and less performant.

    Don't want code on your machine that can let AI drive your browser? Don't install the extension. That's where the scary things are.

    • (Score: 2, Touché) by Runaway1956 on Tuesday May 05, @04:08AM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Tuesday May 05, @04:08AM (#1441604) Journal

      I did not install any Anthropic browser extension. I have never installed a Claude browser extension due to privacy and security concerns. I did install Claude Desktop, the Mac app, a while back. That is the only thing on this machine which could have written the file. Claude Desktop reached into Brave, a browser from a completely separate vendor, and registered a back door for a browser extension I do not have.

      I have little idea if the author is full of shit or not, but he states clearly that he did NOT install the browser extension. Maybe he installed it and forgot about it? I really don't know. All we have to go on here, is what the author wrote.

      --
      We're gonna be able to vacation in Gaza, Cuba, Venezuela, Iran and maybe Minnesota soon. Incredible times.
      • (Score: 2) by JoeMerchant on Tuesday May 05, @11:37AM

        by JoeMerchant (3937) on Tuesday May 05, @11:37AM (#1441630)

        I'm going to guess that the author installed the extension in a way that they did not expect to be installing a browser extension, quite probably through some "click here for more information" disclosure that they did not read.

        --
        🌻🌻🌻🌻 [google.com]
    • (Score: 4, Interesting) by JoeMerchant on Tuesday May 05, @11:42AM

      by JoeMerchant (3937) on Tuesday May 05, @11:42AM (#1441632)

      Anthropic is scary.

      The extension id signatures in the "mystery file" are scary.

      The agenda is to drive fear and loathing around AI, rational explanations will be labeled company shill flak.

      --
      🌻🌻🌻🌻 [google.com]
  • (Score: 3, Informative) by Mojibake Tengu on Tuesday May 05, @04:47AM (1 child)

    by Mojibake Tengu (8598) on Tuesday May 05, @04:47AM (#1441605) Journal

    The string dihbgbndebgnbjfmelmegjepbnkhlgni is the Chrome Extension ID for the Claude-in-Chrome tool, a browser automation extension that enables Claude to interact with webpages.

    As of early 2026, this extension is causing significant issues when both Claude Desktop and Claude Code are installed simultaneously.

    Ehm...

    fcoeoabgfenejglbffodgkkbkcdhcgfn

    This is a Claude for Chrome component. Probably some kind of page annotator. People complain of OAuth problems and breakage of other Chrome-derived browsers. Poorly made I guess.

    dngcpimnedloihjnnfngkgjoidhnaolf

    This is part of Claude in Chrome too. Browser Automation tool. Badly interferes with Claude Desktop native messaging host.

    Well. It's an infiltrator, for real.
    Dear children, you are holding it wrong...

    --
    Rust programming language offends both my Intelligence and my Spirit.
    • (Score: 2) by JoeMerchant on Tuesday May 05, @11:45AM

      by JoeMerchant (3937) on Tuesday May 05, @11:45AM (#1441633)

      >Poorly made I guess.

      Move faster, break more things.

      Over 90% of the Claude code "suite" is written using Claude code.

      It looks like SkyNet 1.0 will be buggy.

      --
      🌻🌻🌻🌻 [google.com]
  • (Score: 5, Informative) by jb on Tuesday May 05, @08:31AM (1 child)

    by jb (338) on Tuesday May 05, @08:31AM (#1441616)

    All those LLMs are spyware to begin with. Did you really think Anthropic (or any of the other LLM hypemongers) were not storing, analysing and monetising however they can all the prompts their users enter? What a great way to build a dossier on anyone gullible enough to fall for it.

    • (Score: 3, Touché) by JoeMerchant on Tuesday May 05, @11:50AM

      by JoeMerchant (3937) on Tuesday May 05, @11:50AM (#1441635)

      You know what fascists don't need? Proof.

      You are being profiled. When 99% of the population has a deep dossier and a few "clever ones" avoid being profiled, the lack of a deep profile is itself a profile.

      You know how "they" feel about the clever ones.

      --
      🌻🌻🌻🌻 [google.com]
  • (Score: 0) by Anonymous Coward on Tuesday May 05, @03:00PM

    by Anonymous Coward on Tuesday May 05, @03:00PM (#1441649)

    It will just erase your disk, like it did to those other guys.
