
Security researchers have identified a Chrome extension leveraging an AI agent orchestration protocol to perform actions without explicit user consent. This discovery highlights broader concerns about AI-driven browser extensions, which have been found to collect sensitive data, bypass security policies, and expose users to privacy violations. The findings align with recent reports detailing systemic risks posed by AI extensions, including unauthorized data harvesting and regulatory non-compliance [3, 4, 6].
Summary for CISOs
The extension in question uses an AI protocol to autonomously interact with web content, raising red flags about consent mechanisms and data handling. Key risks include:
- Unauthorized DOM access: Extensions like Harpa AI harvest health records and PII despite privacy claims [4].
- Third-party data sharing: Tools such as MaxAI transmit user prompts to analytics services [6].
- Regulatory exposure: Violations of HIPAA/FERPA due to medical/academic data collection [4].
Technical Analysis
The malicious extension uses Chrome's declarativeNetRequest API to work around Manifest V3's restrictions, which in practice lets it run code that the extension package itself does not contain (Manifest V3 otherwise bars remotely hosted code). Researchers observed it injecting dynamic content scripts into both the main and isolated worlds, a technique documented in Chrome's developer notes [7]. The AI engine processes DOM content via WebAssembly modules, which under current Manifest V3 policy require the extension's content security policy to include the 'wasm-unsafe-eval' directive [7].
Data exfiltration occurs through obfuscated calls to third-party endpoints, including Google Analytics. This mirrors findings from SURF Security, which identified similar patterns in 78% of analyzed AI extensions [6]. The extension also circumvents Chrome Enterprise's IP reporting features by masking traffic as benign API requests [8].
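The script below is an added example, not code from the article or from any of the cited reports. It performs the static pass a reviewer would run over an unpacked extension before allowing it: it reads the manifest and the declarativeNetRequest rule set and flags the Manifest V3 patterns described above (content scripts declared in the MAIN world, the 'wasm-unsafe-eval' CSP opt-in, and redirect rules that send script requests to an origin outside the extension package), together with the declarativeNetRequestWithHostAccess permission that the Relevance to Security Teams section treats as a precursor to abuse. The manifest, rule file, extension name, paths and URLs are constructed for the example.

```javascript
// Added example (not the article's or any vendor's code): static triage of an
// unpacked Chrome extension for the Manifest V3 abuse patterns discussed above.
// SAMPLE_MANIFEST and SAMPLE_RULES are constructed inputs; the extension name,
// paths and URLs in them are made up for this example.

// Permissions worth an alert on their own; the first is the precursor the
// blue-team guidance singles out.
const RISKY_PERMISSIONS = new Set([
  "declarativeNetRequestWithHostAccess",
  "scripting",
  "webRequest",
]);

function cspTokens(manifest) {
  // MV3 keeps the extension-page CSP under content_security_policy.extension_pages.
  const csp = manifest.content_security_policy;
  const text = csp && typeof csp === "object" ? csp.extension_pages || "" : "";
  return text.split(/\s+/).map((t) => t.replace(/['";]/g, "")).filter(Boolean);
}

function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (RISKY_PERMISSIONS.has(p)) findings.push(`permission:${p}`);
  }
  const hosts = manifest.host_permissions || [];
  if (hosts.some((h) => h === "<all_urls>" || h === "*://*/*")) {
    findings.push("host_permissions:all_urls");
  }
  // A content script declared with world: "MAIN" runs in the page's own JS
  // realm (the default is the ISOLATED world) and can read and alter page globals.
  for (const cs of manifest.content_scripts || []) {
    if (cs.world === "MAIN") {
      findings.push(`content_script:main_world:${(cs.matches || []).join(",")}`);
    }
  }
  // WebAssembly in an MV3 extension requires the 'wasm-unsafe-eval' opt-in.
  if (cspTokens(manifest).includes("wasm-unsafe-eval")) {
    findings.push("csp:wasm-unsafe-eval");
  }
  return findings;
}

function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "redirect" || !action.redirect || !action.redirect.url) continue;
    // redirect.extensionPath stays inside the package; redirect.url can point
    // anywhere. Only url targets are checked here; regexSubstitution and
    // transform redirects would need their own handling.
    const types = (rule.condition || {}).resourceTypes || [];
    // No resourceTypes means the rule applies to every type except main_frame.
    const touchesScript = types.length === 0 || types.includes("script") || types.includes("main_frame");
    const target = new URL(action.redirect.url);
    if (touchesScript && target.protocol !== "chrome-extension:") {
      findings.push(`dnr:${rule.id}:script_redirect_to:${target.origin}`);
    }
  }
  return findings;
}

function triageExtension(manifest, rules) {
  const findings = [...auditManifest(manifest), ...auditRules(rules)];
  // Off-package script redirects and MAIN-world injection are the two signals
  // that turn a noisy permission set into something to pull for manual review.
  const needsReview = findings.some(
    (f) => f.startsWith("dnr:") || f.startsWith("content_script:main_world:")
  );
  return { findings, needsReview };
}

// Constructed sample inputs (hypothetical extension).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Assistant (constructed sample)",
  permissions: ["declarativeNetRequestWithHostAccess", "scripting", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["inject.js"], world: "MAIN" },
    { matches: ["<all_urls>"], js: ["reader.js"] }, // default ISOLATED world
  ],
  content_security_policy: {
    extension_pages: "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'",
  },
  declarative_net_request: { rule_resources: [{ id: "rules", enabled: true, path: "rules.json" }] },
};

const SAMPLE_RULES = [
  { id: 1, priority: 1,
    action: { type: "redirect", redirect: { url: "https://cdn.example.net/assistant-core.js" } },
    condition: { urlFilter: "||static.example.org/vendor.js", resourceTypes: ["script"] } },
  { id: 2, priority: 1,
    action: { type: "redirect", redirect: { extensionPath: "/local.js" } },
    condition: { urlFilter: "||static.example.org/other.js", resourceTypes: ["script"] } },
  { id: 3, priority: 1,
    action: { type: "block" },
    condition: { urlFilter: "||ads.example/", resourceTypes: ["image"] } },
];

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_RULES), null, 2));
```

Run it with node. Content scripts registered at runtime through chrome.scripting.registerContentScripts never appear in the manifest, so this static pass is a first filter for what to pull into a dynamic review, not a verdict on its own.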
Mitigation Strategies
Chrome’s Manifest V3 introduces stricter controls, but extensions still on Manifest V2 do not benefit from them. Recommended actions include:
- Auditing extensions with mitmproxy to detect unauthorized traffic [4].
- Requiring extensions to keep sensitive working data in the storage.session API, which is held in memory and cleared when the browser closes, rather than in persistent storage [7].
- Adopting zero-trust browsers with an allowlist of approved extensions [6].
Relevance to Security Teams
For threat hunters, the extension’s C2 communication uses DNS-over-HTTPS (DoH) to evade network monitoring. Indicators include irregular action.openPopup API calls and WebAssembly module hashes matching known malicious samples [7]. Blue teams should prioritize alerts for extensions requesting the declarativeNetRequestWithHostAccess permission, a common precursor to abuse [7].
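As an added example that is not part of the original article, the script below performs the offline pass over a proxy capture that the mitmproxy audit under Mitigation Strategies and the DoH indicator in this section call for. It takes request records with the fields an analyst would pull from a capture (method, URL, request headers, body size); that record shape, the extension ID, the expected-host list and every record are assumptions made for this example, not mitmproxy's export format or observed data.

```javascript
// Added example (not from the original article): offline triage of request
// records captured while exercising an AI extension behind an intercepting
// proxy such as mitmproxy. The record shape (method, url, headers, bodyBytes)
// is an assumption for this example, not mitmproxy's own export format, and
// every record in SAMPLE_FLOWS is constructed.

const EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"; // hypothetical
const EXTENSION_ORIGIN = `chrome-extension://${EXTENSION_ID}`;

// Hosts the extension is documented to talk to (assumed for the example).
const EXPECTED_HOSTS = new Set(["api.example.com"]);
const LARGE_BODY_BYTES = 64 * 1024;

function header(flow, name) {
  const h = flow.headers || {};
  const key = Object.keys(h).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? String(h[key]) : "";
}

// RFC 8484 DoH: conventional /dns-query path or the application/dns-message
// media type in either direction of the request.
function isDoH(flow) {
  const u = new URL(flow.url);
  return (
    u.pathname.endsWith("/dns-query") ||
    header(flow, "content-type").startsWith("application/dns-message") ||
    header(flow, "accept").includes("application/dns-message")
  );
}

function isAnalyticsHost(host) {
  return (
    host === "google-analytics.com" ||
    host.endsWith(".google-analytics.com") ||
    host === "analytics.google.com"
  );
}

function triageFlow(flow, extensionOrigin, expectedHosts) {
  const reasons = [];
  const u = new URL(flow.url);
  // DoH from a browser session is a network-level indicator whatever its origin.
  if (isDoH(flow)) reasons.push("doh_query");
  // Requests from the extension's service worker or pages carry its origin;
  // requests from a content script carry the page's origin and are not caught here.
  const fromExtension = header(flow, "origin") === extensionOrigin;
  if (!fromExtension) return reasons;
  if (isAnalyticsHost(u.hostname) && flow.method === "POST") {
    reasons.push("extension_post_to_analytics");
  }
  if (!expectedHosts.has(u.hostname) && (flow.bodyBytes || 0) >= LARGE_BODY_BYTES) {
    reasons.push("large_upload_to_unexpected_host");
  }
  return reasons;
}

function triageFlows(flows, extensionOrigin = EXTENSION_ORIGIN, expectedHosts = EXPECTED_HOSTS) {
  const out = [];
  flows.forEach((flow, index) => {
    const reasons = triageFlow(flow, extensionOrigin, expectedHosts);
    if (reasons.length) out.push({ index, url: flow.url, reasons });
  });
  return out;
}

// Constructed records: one legitimate API call, an extension-origin beacon to
// Google Analytics, a DoH query, a large upload to an undeclared host, and the
// visited page's own analytics beacon (same host, but not the extension's origin).
const SAMPLE_FLOWS = [
  { method: "POST", url: "https://api.example.com/v1/complete",
    headers: { Origin: EXTENSION_ORIGIN, "Content-Type": "application/json" }, bodyBytes: 1200 },
  { method: "POST", url: "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX",
    headers: { Origin: EXTENSION_ORIGIN, "Content-Type": "text/plain" }, bodyBytes: 2048 },
  { method: "POST", url: "https://doh.example.net/dns-query",
    headers: { Origin: EXTENSION_ORIGIN, "Content-Type": "application/dns-message" }, bodyBytes: 58 },
  { method: "POST", url: "https://ingest.example.org/upload",
    headers: { Origin: EXTENSION_ORIGIN, "Content-Type": "application/octet-stream" }, bodyBytes: 150000 },
  { method: "POST", url: "https://www.google-analytics.com/g/collect?v=2&tid=G-YYYY",
    headers: { Origin: "https://shop.example", "Content-Type": "text/plain" }, bodyBytes: 300 },
];

console.log(JSON.stringify(triageFlows(SAMPLE_FLOWS), null, 2));
```

The origin check is what separates the extension's own beacons from the visited site's analytics, which would otherwise drown the signal. Because fetches issued from a content script carry the page's origin, run the capture against a page you control so that any traffic not explained by the page itself can be attributed to the extension.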
Conclusion
This case underscores the dual-use risks of AI in browser extensions. While Chrome’s new AI-powered anti-phishing features show promise [9], the ecosystem remains vulnerable to abuse. Organizations should treat AI extensions as high-risk assets and apply enterprise-grade controls.
References
- [1] Infosecurity Magazine, “AI Browser Extensions: Hidden Risks,” 2025.
- [2] The Cyber Security Hub, Twitter thread on extension vulnerabilities, Apr. 2025.
- [3] AboutDFIR News Nuggets, “Darcula Phishing Kit Now AI-Automated,” 25 Apr. 2025.
- [4] The Register, “Generative AI Browser Extensions Scrape Sensitive Data,” 25 Mar. 2025.
- [5] Infosecurity Magazine News, “Chrome Extension Risks,” 2025.
- [6] SURF Security Blog, “AI Extension Risks in Enterprise Environments,” 2025.
- [7] Chrome Extensions Developer Docs, “Manifest V3 Security Updates,” 2025.
- [8] Chrome Enterprise Release Notes, “IP Reporting Enhancements,” v106+, 2025.
- [9] Reddit/cybersecurity, “Chrome’s AI Anti-Phishing Rollout,” 2025.