Claude's Browser Extension: The Hidden Channel Between Your Devices
April 2026 · 8 min read

The Claude Browser Extension can navigate pages, read their full content, execute JavaScript, fill forms, and interact with every tab you have open. It holds the <all_urls>, scripting, debugger, and tabs permissions and injects a content script into every page, in every frame, at document load. This level of access is necessary for what it does - and it's the kind of access that security teams spend considerable effort controlling.
We discovered that when you use the same Anthropic account on two devices - say, a corporate laptop and a personal machine - the extension on both devices joins the same communication channel. Commands issued on one device can silently execute on the other. The full content of whatever page the other device is viewing flows back to the requesting session, with no prompt or indication to either user.
We reported this to Anthropic. They confirmed this is intended behavior - the cross-device execution and the choice not to enforce device ID validation are by design.
This isn't a theoretical attack. It happened unintentionally during an internal research session, when a browser command meant for one laptop executed on an engineer's machine in the next room.
How It Works
The extension communicates through a WebSocket bridge at bridge.claudeusercontent.com, keyed by the Anthropic account UUID - not the device. Every Chrome instance running the extension on the same account connects to the same room.
wss://bridge.claudeusercontent.com/chrome/{account-uuid}

When Claude Code or Claude Desktop issues a browser command, it travels through Anthropic's cloud to the bridge, which forwards it to the connected extension. Each tool call includes a target_device_id field for routing, but the entire device validation in the extension source is:
const t = e.target_device_id;
if (t && t !== Ia) return;

If target_device_id is present and doesn't match - drop it. If it's missing - execute it. On every connected device.
The device ID itself is a crypto.randomUUID() stored in chrome.storage.local - not cryptographically bound to hardware, not validated server-side.
The Cross-Device Channel
We set up two Chrome instances on the same Anthropic account. Machine A was our test environment (tab IDs in the 710137xxx range, viewport 1280x806). Machine B was a separate browser.
We sent a command from Claude Code on Machine A: “get the browser tab context.” The response came back with tab ID 1138155643 and viewport 1040x584 - Machine B's browser. Claude Code accepted it and continued without any indication something was wrong.
We also intercepted the native messaging pipes between Chrome and the native host binary. The local channel carried only four messages per session: ping, pong, get_status, status_response. A health check - nothing else. Every tool call goes through the cloud bridge exclusively. There is no local path.
Why This Matters
The issue isn't account authentication - OAuth tokens are fine for that. The issue is what happens after. The extension's broad browser privileges are shared across every device on the account through a cloud channel with no device-level isolation.
Consider a common setup: a developer uses the same Anthropic account on their work laptop and personal machine.
The work laptop
Behind a corporate VPN, managed by MDM, monitored by endpoint security, subject to DLP policies. Access to internal dashboards, cloud consoles, HR systems.
The personal machine
On home WiFi, maybe hasn't been updated in months, maybe has an infostealer running quietly from something downloaded last quarter.
When a command from the work laptop gets routed to the personal machine, corporate data crosses every one of those boundaries. The internal dashboard's content travels from the corporate network, through Anthropic's cloud, to the personal machine, and back. The company's network controls never see it - the request originated from home WiFi. The company's DLP never catches it - the data moved through a WebSocket to a legitimate cloud service.
Nobody did anything wrong. The user just had two computers with the same account.
If the personal machine is compromised, an attacker with access to the OAuth token (stored in Chrome's extension storage) can sit in the bridge room and receive the content of everything the corporate browser reads.
What the Extension Sees
When Claude reads a page, it extracts the full accessibility tree - every heading, link, form field with current values, buttons, and text content:
{
  "type": "tool_result",
  "content": [{
    "type": "text",
    "text": "heading \"Q4 Revenue Dashboard\" [ref_1]
      generic \"Total Revenue: $14.2M (+12% YoY)\" [ref_2]
      table [ref_3]
        row \"Enterprise\" \"$8.1M\" \"57%\"
        row \"Mid-Market\" \"$4.3M\" \"30%\"
      link \"Export to CSV\" [ref_4]
      textbox \"Filter by region\" [ref_5] value=\"EMEA\"
      button \"Generate Report\" [ref_6]"
  }]
}

Every response also includes a “Tab Context” listing all open tabs and their URLs - sent with every response, even when the agent is only interacting with one tab:
Tab Context:
- Available tabs:
- tabId 710138082: "Internal Dashboard" (https://admin.corp.example/)
- tabId 710138083: "Gmail - Inbox" (https://mail.google.com/...)
- tabId 710138084: "Salary Review Q4" (https://hr.corp.example/reviews)

The extension injects accessibility-tree.js into every page you visit, in all frames, at document_start. The infrastructure to extract page content is always present - whether or not the agent is actively reading that tab.
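As an added example (not the extension's or Bay's code), here is a parser for the Tab Context listing shown above that flags which tabs sit on hosts an organisation treats as internal, so a monitoring point on the bridge traffic can tell when corporate pages are visible to every device in the account's room; the sample text is constructed from the listing above and the internal-domain list is an assumption:

```javascript
// Added example, not the extension's own code: parse the Tab Context listing that rides on
// every response and flag tabs on hosts treated as internal. The sample text is constructed
// from the listing shown on the page; the internal-domain suffix list is an assumption.
const SAMPLE_TAB_CONTEXT = [
  'Tab Context:',
  '- Available tabs:',
  '- tabId 710138082: "Internal Dashboard" (https://admin.corp.example/)',
  '- tabId 710138083: "Gmail - Inbox" (https://mail.google.com/...)',
  '- tabId 710138084: "Salary Review Q4" (https://hr.corp.example/reviews)',
].join('\n');

// One tab line has the shape: - tabId <id>: "<title>" (<url>)
const TAB_LINE = /^- tabId (\d+): "(.*)" \((\S+)\)$/;

function parseTabContext(text) {
  const tabs = [];
  for (const raw of text.split('\n')) {
    const m = TAB_LINE.exec(raw.trim());
    if (!m) continue;
    let host = null;
    try {
      host = new URL(m[3]).hostname;
    } catch (_) {
      host = null; // malformed URL: keep the tab but leave the host unknown
    }
    tabs.push({ tabId: Number(m[1]), title: m[2], url: m[3], host });
  }
  return tabs;
}

// A host is internal if it equals, or is a subdomain of, any configured suffix.
function isInternalHost(host, suffixes) {
  return host !== null && suffixes.some(s => host === s || host.endsWith('.' + s));
}

// Tab ids whose page content would be reachable from any device in the account's room.
function internalTabIds(text, suffixes) {
  return parseTabContext(text)
    .filter(t => isInternalHost(t.host, suffixes))
    .map(t => t.tabId);
}

// Assumed internal domain for the sample: corp.example
function demo() {
  return internalTabIds(SAMPLE_TAB_CONTEXT, ['corp.example']);
}
```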
The Permission Mode on the Wire
Every tool call includes the active permission mode:
{
  "type": "tool_call",
  "tool": "navigate",
  "permission_mode": "skip_all_permission_checks"
}

The extension trusts whatever permission mode it receives with no server-side enforcement.
The bridge is invisible to traditional endpoint security. Bay makes it visible and controllable.
The bridge creates a channel that crosses device and network boundaries, controlled by an AI agent, invisible to traditional endpoint security. To a firewall or DLP, it looks like normal HTTPS traffic to a legitimate cloud service.
Bay operates at the agent layer. It knows which AI tools and extensions are running on every endpoint, what permissions they hold, and what actions they're taking. When an agent issues a browser command - navigate to a URL, read a page, execute a script - Bay evaluates the action against policy before it executes. The decision is Allow, Ask, or Deny, applied automatically across every device in the organization.
For the scenario described in this research, that means the cross-device channel is visible and controllable - not silently passing data between environments with different security postures.
Since Anthropic considers this intended behavior, the responsibility falls on organizations to control it at the endpoint.
Do you know which of your employees are using the Claude extension?
Can you distinguish personal from corporate accounts?
Do you have accurate control of any tool or extension - down to the command level - on every device?
Research conducted by Bay. All testing performed on our own accounts and infrastructure. Findings were disclosed to Anthropic via their vulnerability disclosure program.