Claude Desktop reportedly adds a browser access bridge to Chromium-based browsers on macOS


Anthropic’s Claude Desktop for macOS is facing scrutiny after privacy researcher Alexander Hanff said the app installs a Native Messaging bridge into multiple Chromium-based browser support directories without asking for clear user permission. Native Messaging is a legitimate browser feature, but it lets an approved browser extension talk to a local program outside the browser sandbox.

Hanff’s findings, later summarized by Malwarebytes and The Register, say Claude Desktop drops a manifest file named com.anthropic.claude_browser_extension.json into directories tied to browsers such as Chrome, Edge, Brave, Arc, Vivaldi, Opera, and Chromium. The reports say this can happen even when some of those browsers are not installed yet, and that Claude Desktop recreates the manifest when the app launches.

The key point is not that the bridge acts on its own. The risk comes from pre-positioning a local helper that approved extensions can call later. Anthropic’s own Chrome integration docs describe capabilities such as reading DOM state, sharing browser login state, filling forms, extracting data from pages, and automating browser actions in a visible window.

What the bridge does and why it matters

Chromium’s Native Messaging system allows browser extensions to communicate with native applications through a manifest file that points to a local executable. Chrome’s security model treats this as a standard feature, but the native host runs with the user’s privileges rather than inside the browser sandbox. That is why researchers describe it as a meaningful expansion of the local attack surface.

According to the reporting, the Claude Desktop manifest preauthorizes three Chrome extension IDs to talk to a helper binary inside the Claude app bundle. Malwarebytes notes that the bridge appears dormant unless one of those allowed extensions is present, but says the setup still broadens what a compromised or malicious extension update could potentially do on a user’s machine.

Anthropic’s documentation confirms that Chrome integration exists and is designed to let Claude Code interact with Google Chrome and Microsoft Edge for browser automation. The company says the feature can use the browser’s existing login state and interact with websites the user is already signed into, which helps explain why researchers see the local bridge as sensitive from both a privacy and security standpoint.

What is confirmed and what is still unclear

What is confirmed is that Anthropic publicly documents Chrome integration for Claude Code and describes browser automation features that depend on an extension-based connection. What remains less clear is why Claude Desktop reportedly installs bridge files across several Chromium-family paths by default, and whether Anthropic plans to add a clearer opt-in flow or a visible control inside Claude Desktop itself.

Malwarebytes said it could not find an official public rebuttal from Anthropic when it reviewed Hanff’s claims on April 22. I also did not find a public Anthropic statement in the sources reviewed here that directly disputes the reported file placement behavior on macOS. That is why “reportedly” remains the right framing.

The broader concern is consent and scope. The Register’s coverage highlights Hanff’s argument that one application should not silently modify support directories for other software, especially when the bridge could later enable access to session data, page content, and browser-driven actions through approved extensions.

At a glance

| Item | What the current reporting shows |
| --- | --- |
| App in question | Claude Desktop for macOS |
| Reported behavior | Installs a Native Messaging manifest in multiple Chromium-family browser paths |
| Browsers named in reports | Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium |
| Documented Anthropic feature | Chrome integration for browser automation |
| Supported browsers in Anthropic docs | Google Chrome and Microsoft Edge |
| Main concern | Silent expansion of attack surface and browser-to-local-app trust |
| Public Anthropic rebuttal found in reviewed sources | None |

Why security teams may care

This issue matters most in environments where browser extensions, developer tooling, and local AI agents overlap. If a trusted extension channel were ever compromised through an account takeover, a supply chain issue, or a malicious update, a preinstalled native host could create a more direct path from browser context to local execution. Malwarebytes explicitly says the bridge does nothing by itself, but also says it could potentially be abused.

The privacy angle is just as important. Anthropic’s browser automation docs describe workflows that can access signed-in sites, inspect page state, extract data, and automate form interactions. In practice, that means the bridge sits close to high-value information such as webmail, documents, dashboards, and financial portals if the matching extension is active and permissions allow it.

For enterprise defenders, the immediate lesson is visibility. Tools that write manifests into browser support paths or establish native hosts should be easy to audit, easy to disable, and clearly disclosed to users. That is especially true when the software crosses boundaries between a desktop app and browsers from other vendors.

What users can do now

  • Check Chromium browser support directories on macOS for com.anthropic.claude_browser_extension.json if you want to verify whether the bridge exists on your system. The file name appears in multiple reports.
  • Review installed Claude-related browser extensions and remove ones you do not use. The native host needs a matching extension relationship to become useful.
  • Limit browser extension permissions, especially on sensitive sites such as banking, email, and admin panels. Anthropic’s docs say site permissions are managed through the Chrome extension settings.
  • Watch for future Anthropic updates or documentation changes that clarify consent, scope, and disable controls for this integration.
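The manifest mechanism described earlier (a JSON file that names a local executable and the extension IDs allowed to call it) and the first check in the list above can both be worked through in code. The following Python script is an added example written for this article, not code from Anthropic, Malwarebytes or The Register. It looks for a given manifest file name in the per-user NativeMessagingHosts directory of each browser named in the reports, parses any manifest it finds, and summarises which extensions that manifest authorizes and whether the host binary it points to is actually present. The directory paths for Chrome, Edge, Brave, Vivaldi and Chromium are those browsers' standard per-user locations; the Arc and Opera entries are assumptions, and the sample manifest's host path and extension IDs are constructed placeholders rather than values from the reporting.

```python
"""Audit Chromium Native Messaging host manifests in macOS browser profiles.

Added example for this article; not code from Anthropic, Malwarebytes or
The Register. It looks for a given manifest file in each browser's per-user
NativeMessagingHosts directory, parses it and reports which extension IDs
may call the native host, plus basic sanity findings.
"""
import json
import os
import re
from pathlib import Path

# Manifest file name quoted in the reports.
REPORTED_MANIFEST = "com.anthropic.claude_browser_extension.json"

# Per-user host directories, relative to $HOME. Chrome, Edge, Brave, Vivaldi
# and Chromium use these standard locations; the Arc and Opera entries are
# assumptions and should be verified on a real install.
USER_HOST_DIRS = {
    "Chrome": "Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "Edge": "Library/Application Support/Microsoft Edge/NativeMessagingHosts",
    "Brave": "Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts",
    "Vivaldi": "Library/Application Support/Vivaldi/NativeMessagingHosts",
    "Chromium": "Library/Application Support/Chromium/NativeMessagingHosts",
    "Arc": "Library/Application Support/Arc/User Data/NativeMessagingHosts",
    "Opera": "Library/Application Support/com.operasoftware.Opera/NativeMessagingHosts",
}

# Chromium extension IDs are 32 characters drawn from a-p; the origin must end in '/'.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

# Constructed sample manifest: the host path and extension IDs are placeholders,
# not the real values from the Claude manifest.
SAMPLE_MANIFEST = json.dumps({
    "name": "com.example.browser_bridge",
    "description": "constructed sample for the audit example",
    "path": "/Applications/Example.app/Contents/MacOS/example-native-host",
    "type": "stdio",
    "allowed_origins": [
        "chrome-extension://abcdefghijklmnopabcdefghijklmnop/",
        "chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/",
        "https://example.com/",
    ],
})


def parse_manifest(text, expected_name=None):
    """Parse one host manifest and return its name, host path, the extension
    IDs allowed to call it, and a list of sanity findings. Chromium expects:
    name, description, an absolute path, type "stdio" and chrome-extension://
    entries in allowed_origins."""
    data = json.loads(text)
    ext_ids, bad_origins = [], []
    for origin in data.get("allowed_origins", []):
        match = ORIGIN_RE.match(origin)
        if match:
            ext_ids.append(match.group(1))
        else:
            bad_origins.append(origin)

    problems = []
    name = data.get("name", "")
    if expected_name is not None and name != expected_name:
        problems.append("name does not match file name")
    if data.get("type") != "stdio":
        problems.append("type is not 'stdio'")
    path = data.get("path", "")
    if not os.path.isabs(path):
        problems.append("path is not absolute")
    elif not Path(path).exists():
        # A manifest whose host binary is absent is inert today, but it still
        # pre-authorizes the listed extensions if the binary appears later.
        problems.append("host binary missing (dormant manifest)")
    if not ext_ids:
        problems.append("no valid chrome-extension origins")
    if bad_origins:
        problems.append("malformed origins: " + ", ".join(bad_origins))
    return {"name": name, "path": path, "extension_ids": ext_ids,
            "problems": problems}


def audit_native_hosts(home, manifest=REPORTED_MANIFEST, browsers=USER_HOST_DIRS):
    """Return {browser: finding} for every browser directory under `home` that
    contains `manifest`, whether or not that browser is itself installed."""
    expected_name = manifest[:-len(".json")] if manifest.endswith(".json") else manifest
    findings = {}
    for browser, rel in browsers.items():
        candidate = Path(home) / rel / manifest
        if candidate.is_file():
            findings[browser] = parse_manifest(candidate.read_text(), expected_name)
    return findings


if __name__ == "__main__":
    for browser, finding in audit_native_hosts(Path.home()).items():
        print(f"[{browser}] {finding['name']} -> {finding['path']}")
        for ext_id in finding["extension_ids"]:
            print(f"    allowed extension: {ext_id}")
        for problem in finding["problems"]:
            print(f"    note: {problem}")
```

Run with no arguments to scan the current user's profiles for the reported file name. The script only covers per-user directories; Chrome also reads system-wide manifests from /Library/Google/Chrome/NativeMessagingHosts, which is worth checking separately. A manifest reported as "dormant" still matters for the reason the article gives: it pre-positions trust for the listed extension IDs.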

FAQ

Did Anthropic officially confirm the reported behavior?

Anthropic documents Chrome integration and browser automation features, but in the sources reviewed here I did not find a public statement directly addressing Hanff’s specific claim that Claude Desktop places Native Messaging manifests across multiple Chromium-browser paths on macOS.

Does the bridge mean Claude Desktop is malware?

No reviewed source makes that conclusion as a settled fact. Malwarebytes says Native Messaging is a standard Chromium feature and that the host does nothing on its own, but it also says the setup expands the machine’s attack surface.

Which browsers does Anthropic officially support for this feature?

Anthropic’s current Chrome integration docs say the beta feature works with Google Chrome and Microsoft Edge and is not yet supported on Brave, Arc, or other Chromium-based browsers. That makes the wider file placement reported by Hanff notable.

Why are researchers calling this a privacy issue?

Because the bridge can connect browser extensions with a local executable outside the browser sandbox, and Anthropic’s own docs describe access to login state, DOM data, and browser actions. Researchers argue that such an integration should be clearly disclosed and enabled only with explicit user choice.
