Artificial Intelligence

Vulnerability Allowed Hijacking Chrome’s Gemini Live AI Assistant

Malicious extensions could hijack the Gemini Live in Chrome feature to spy on users and steal their files.

Chrome security

A vulnerability in Chrome could have allowed malicious extensions to hijack the browser’s AI assistant to spy on users and exfiltrate data, Palo Alto Networks reports.

Chrome’s side panel AI assistant, called Gemini Live, was designed to help users by summarizing content in real time, automatically executing specific tasks, and aiding with the contextual understanding of the active webpage.

“By granting the AI direct, privileged access to the browsing environment, AI browsers are capable of performing complex, multi-step operations that were previously impossible or required several extensions and manual steps,” Palo Alto Networks explains.

To function as intended, the AI essentially sees what the user sees on the screen and uses the web page for context and instructions, and this expanded capability and privileged access open the door to new risks.

The vulnerability that Palo Alto Networks uncovered, tracked as CVE-2026-0628 and patched in January in Chrome 143, could have allowed malicious browser extensions to inject JavaScript code into the Gemini Live panel.

The malicious extension, the cybersecurity firm explains, would require access to a permission set through the declarativeNetRequests API, which allows extensions to intercept and alter HTTPS web requests and responses.

Advertisement. Scroll to continue reading.

The capability is meant for legitimate purposes, such as blocking malicious or intrusive requests, and is enabled by default for extensions to interact with content originating from Gemini and loaded in the website’s tab.

CVE-2026-0628, Palo Alto Networks says, impacted the ability to interact with the contents loaded within the Gemini panel, meaning that JavaScript code would gain access to the AI’s capabilities.

“These include being able to read local files, take screenshots, access the camera and microphone and more, so the app could perform complex tasks. Being able to intercept it under that setting would have allowed attackers to gain access to these powers too,” Palo Alto Networks explains.

Because the Gemini Live panel is a component of the browser itself, an attacker could have injected code to start the camera and microphone without user consent, to access local files, to take screenshots of browser tabs, and to hijack the panel and perform a phishing attack.

“Since the Gemini app relies on performing actions for legitimate purposes, hijacking the Gemini panel allows privileged access to system resources that an extension would not normally have,” Palo Alto Networks explains.

The cybersecurity firm reported the bug to Google in October. A fix was rolled out in Chrome versions 143.0.7499.192/.193 for Windows and macOS, and Chrome version 143.0.7499.192 for Linux.

Related: Google Working Towards Quantum-Safe Chrome HTTPS Certificates

Related: PromptSpy Android Malware Abuses Gemini AI at Runtime for Persistence

Related: Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data

Related: Chrome, Edge Extensions Caught Stealing ChatGPT Sessions

Related Content

Vulnerabilities

The critical-severity security defect allows remote, authenticated attackers to execute arbitrary code on the server.

Artificial Intelligence

AI infrastructure introduces new security risks that traditional data center designs were never built to handle.

Vulnerabilities

The flaws could allow attackers to access credentials and data, take over accounts, and escalate their privileges.

Endpoint Security

The cybersecurity companies patched critical and high-severity vulnerabilities in some of their products.

Artificial Intelligence

An attacker can create a malicious repository containing a git.exe in the project root, and Cursor executes it automatically.

Vulnerabilities

A critical security defect in the ServiceNow AI platform could allow remote attackers to execute arbitrary code.

Artificial Intelligence

The new program stems from an AI-focused Executive Order signed by President Trump on June 2.

Vulnerabilities

Public exploit code targeting the Firefox flaws exists, but no in-the-wild exploitation has been observed.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version