Claude Desktop Installs Files Without User Consent
Anthropic’s Claude Desktop for macOS is installing files that modify browser settings and pre-authorize extensions without user consent, raising serious privacy and legal concerns under European law. A privacy consultant has flagged the practice as potentially violating the ePrivacy Directive and computer misuse laws.

Claude Desktop Pre-Authorizes Browser Extensions Users Never Installed

Alexander Hanff, a privacy consultant and occasional contributor to The Register, discovered that Claude Desktop installs a Native Messaging manifest file called com.anthropic.claude_browser_extension.json on users’ systems without disclosure or permission. This file pre-authorizes three different Chrome extension identifiers, including the Claude in Chrome extension, enabling those extensions to run automatically if the associated browsers are installed in the future, even if the user never chooses to add them.

The manifest file operates as a bridge between Chromium-based browsers and a local executable. According to Hanff’s blog post, the installation happens silently and targets browsers not yet present on the device. Hanff states he never installed any Anthropic browser extensions due to privacy concerns, yet Claude Desktop installed the configuration for him automatically.
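The behavior described above can be checked on a given machine. This is an added example, not code from Hanff's post or from Anthropic: it finds every Native Messaging host manifest under a scan root and reports the extension IDs in allowed_origins that no profile of that browser has installed. It assumes the per-user macOS root ~/Library/Application Support and the standard Chromium profile layout, <profile>/Extensions/<id>.

```python
import json
import os
import re
from pathlib import Path

# Chromium extension IDs are 32 characters drawn from a-p.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

def installed_extension_ids(browser_dir):
    """Extension IDs present under <browser_dir>/<profile>/Extensions/<id>/."""
    return {p.name for p in Path(browser_dir).glob("*/Extensions/*") if p.is_dir()}

def audit_native_hosts(root):
    """Return one finding per Native Messaging host manifest found below root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        if os.path.basename(dirpath) != "NativeMessagingHosts":
            continue
        # The browser's data directory is the parent of NativeMessagingHosts.
        installed = installed_extension_ids(Path(dirpath).parent)
        for name in sorted(f for f in filenames if f.endswith(".json")):
            manifest = Path(dirpath) / name
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
                origins = data.get("allowed_origins", [])
                ids = [m.group(1) for o in origins if (m := ORIGIN_RE.match(str(o)))]
            except (OSError, ValueError, AttributeError, TypeError) as exc:
                # Unreadable or malformed manifests are reported, not skipped.
                findings.append({"manifest": str(manifest), "error": repr(exc)})
                continue
            findings.append({
                "manifest": str(manifest),
                "host": data.get("name"),
                "binary": data.get("path"),  # executable run outside the sandbox
                "allowed_ids": ids,
                # Origins authorised for an extension no profile has installed.
                "not_installed": [i for i in ids if i not in installed],
            })
    return findings

if __name__ == "__main__":
    # Assumed scan root: the per-user macOS application data directory.
    for finding in audit_native_hosts(Path.home() / "Library" / "Application Support"):
        print(json.dumps(finding, indent=2))
```

A non-empty not_installed list means the host is authorized for an extension that is not present in that browser, which is the condition the article describes.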

Potential Violation of European Privacy Law

Hanff contends this practice breaches Article 5(3) of Directive 2002/58/EC, the ePrivacy Directive, which requires service providers to obtain explicit consent before accessing a person’s data unless access is strictly necessary. The directive mandates clear disclosure of data access requests.

One app modifying another vendor’s application without consent violates fundamental trust boundaries. Native Messaging, the API Claude Desktop leverages, allows communication between Chrome and external applications, but Anthropic’s implementation bypasses standard user authorization flows.

Security Risks Beyond Legal Compliance

The Claude in Chrome extension has authenticated session access and can read web pages, fill forms, and capture screenshots. Critically, the binary bridge application runs outside the browser’s sandbox at user privilege level, bypassing browser security restrictions without surfacing permission prompts.

Anthropic’s own safety data shows Claude for Chrome is vulnerable to prompt injection attacks at a 23.6 percent success rate without mitigations and 11.2 percent with current protections. A successful prompt injection could exploit the pre-installed bridge to gain local system access beyond the browser sandbox.

Industry Experts Weigh In on Regulatory Risk

Noah M. Kenney, founder of advisory firm Digital 520, validates Hanff’s technical findings but disputes the “spyware” label. Kenney notes the behavior is reproducible and verifiable through OS-level logs and the application’s own records, making the core technical claim difficult to dispute.

Regarding legal implications, Kenney emphasizes that European regulators interpret “strictly necessary” narrowly. Silently installing cross-application integrations into browsers the user has not opted into likely falls outside regulatory exemptions and carries credible enforcement risk. He also highlights that the design breaks widely understood trust boundaries users expect: desktop applications should not silently modify other applications without explicit opt-in and clear persistent controls.

What Anthropic Has Yet to Address

Anthropic did not respond to requests for comment. Hanff has not filed a formal complaint but intends to do so if the company fails to fix the installation process. Additionally, an unfixed bug on GitHub reveals that Claude Desktop and Claude Code Native Messaging host registrations conflict, causing the associated Chrome extension to fail.

Beyond legal ramifications, Kenney warns of substantial reputational damage for a company perceived as safety-conscious releasing tools that undercut that positioning. The silent system modification pattern is exactly what European regulators increasingly scrutinize.
