Chrome Extension Uses AI Engine to Act Without User Input
AI agents are projected to revolutionize the AI online experience, performing tasks and chores we’ve asked them to do in the background while we’re doing something more productive or enjoyable.
However, it has recently been proven that AI agent infrastructure could be used to perform unsolicited actions on our behalf.
A group of security researchers at ExtensionTotal has found a suspicious Google Chrome extension that can perform actions without requiring any permission from the user or being spotted by Chrome’s security measures.
They shared their findings in a Medium article published on April 24.
Model Context Protocol, the Engine Behind AI Agents
The suspicious Chrome extension communicated with a Model Context Protocol (MCP) server running on the local machine.
MCP is an open standard introduced in November 2024 by Anthropic, the maker of several generative AI models and the AI chatbot Claude.
MCP servers are used to manage and leverage contextual information within a model’s operation.
The MCP architecture consists of an MCP host running locally and several MCP servers. The host, which acts as the agent, can be an AI-powered application (e.g. Claude Desktop), the large language model you’re running on your device or an integrated development environment (IDE) like Microsoft’s Visual Studio.
This host connects to various MCP Servers, each providing access to a different tool or resource. The MCP Servers can be categorized into two types: those that access local resources, such as a file system or database on the host computer, and those that interact with remote resources, including application programming interfaces (APIs) or cloud services available over the internet.
All communication between the host and servers happens over the standardized MCP Protocol, which ensures compatibility and structured responses.
Edwin Lisowski, co-founder of AI consulting firm Addepto, summarized the benefits of the MCP architecture in a Medium article.
“Before MCP, each action required a unique API, custom logic, and developer time to glue it all together. With MCP, it’s plug-and-play. Agents can send structured requests to any MCP-compatible tool, get results back in real time, and even chain multiple tools together — without needing to know the specifics ahead of time,” he said.
“In short: MCP replaces one-off hacks with a unified, real-time protocol built for autonomous agents,” he added.
Although alternative AI agent orchestration models have since been launched, such as LangChain’s LangGraph, MCP seems to be the most commonly used open source model today.
MCP, Insecure By Default
While monitoring browser extension activity, the ExtensionTotal detection engine found a Chrome extension communicating with a local service implementing the Model Context Protocol – an MCP host.
Although the extension itself showed no signs of malicious behavior, this discovery raised an immediate concern for one reason: MCP servers communicate with local MCP hosts via HTTP POST requests using Server-Sent Events (SSE), a server-push technology.
This means MCP servers are generally open by default, so any process running on the same machine, such as a Chrome extension, can send them requests.
“If a browser extension can talk to an MCP server running on the user’s machine, what’s stopping it from accessing sensitive resources or executing privileged actions through the MCP?” asked Yuval Ronen, the report’s primary author.
“If there’s a vulnerable MCP server running on a host machine, that’s it. We’ve already found vulnerable MCP servers tied to services like filesystem access, Slack, WhatsApp, and more. This isn’t just a theoretical risk anymore, it’s real, and the impact could be devastating,” he added.
Bypassing Google Chrome’s Sandbox
Despite these concerns, the ExtensionTotal researchers assumed that Google Chrome’s security measures, especially Chrome’s sandboxing capabilities, would block the browser extension from accessing the MCP host.
To verify this assumption, they built a proof-of-concept (PoC) extension attempting to connect to localhost:3001 – a commonly used port for local SSE-based MCP servers.
Their conclusion was that the extension had unrestricted access to the MCP server’s tools even without authentication and was interacting with the file system as if it were a core part of the server’s exposed capabilities.
In theory, Chrome extensions, despite having more capabilities than regular web pages, are still subject to the browser’s sandboxing principles. They should operate in isolation from the operating system and local resources, unless they have been explicitly granted permission to access them.
“However, unrestricted access to localhost breaks that isolation barrier, enabling unexpected interaction with both the local machine and the broader organizational environment — especially through exposed services like local MCP servers,” Ronen wrote.
“And when these MCP servers expose access to tools like the filesystem, Slack, or WhatsApp without enforcing authentication, the stakes skyrocket from a theoretical concern to an enterprise-wide threat. For security teams, this is not just a new vector, it’s an entirely new attack surface, and one that is dangerously underestimated,” he concluded.
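The open-by-default posture of local SSE-based MCP servers and the localhost isolation gap described above both come down to the server accepting any request that reaches its port. The request gate below is an added example, not ExtensionTotal’s proof of concept or any MCP SDK code; the endpoint paths, port and the assumption that a desktop MCP host sends no Origin header are assumptions used for illustration.

```python
import hmac
from typing import Mapping, Tuple

# Constructed example: a request gate for an MCP server bound to localhost:3001.
# Paths below are assumed typical SSE-transport endpoints, not spec-verified.
ALLOWED_HOSTS = {"localhost:3001", "127.0.0.1:3001", "[::1]:3001"}
MCP_ROUTES = {("GET", "/sse"), ("POST", "/messages")}


def authorize_mcp_request(method: str, path: str,
                          headers: Mapping[str, str],
                          expected_token: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one inbound HTTP request.

    Three checks close the gap a browser extension exploits when the server
    trusts anything on the loopback interface:
    1. Host header must name the loopback listener (blocks DNS rebinding).
    2. Any Origin header is rejected: web pages and extensions send one,
       a local desktop MCP host (assumed here) does not.
    3. A bearer token must match, compared in constant time.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if (method.upper(), path.split("?", 1)[0]) not in MCP_ROUTES:
        return False, "unexpected method or path"
    if hdrs.get("host", "") not in ALLOWED_HOSTS:
        return False, "host header not loopback"
    if "origin" in hdrs:
        return False, "browser origin rejected: " + hdrs["origin"]
    scheme, _, token = hdrs.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "missing bearer token"
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "bad bearer token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: what an extension's fetch() to the server looks like.
    probe = {"Host": "localhost:3001",
             "Origin": "chrome-extension://EXAMPLE_EXTENSION_ID",
             "Content-Type": "application/json"}
    print(authorize_mcp_request("POST", "/messages", probe, "local-secret"))
    agent = {"Host": "127.0.0.1:3001", "Authorization": "Bearer local-secret"}
    print(authorize_mcp_request("GET", "/sse", agent, "local-secret"))
```

Without the Origin and Host checks, the bearer token alone still leaves the server reachable by any page the user visits, so all three checks are needed together.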