Anthropic’s Claude Desktop app for Mac silently drops a configuration file into Brave and Chrome browser directories. This file registers a native messaging host, allowing specific Anthropic browser extensions to run local executables with your full user privileges. No user consent, no disclosure. Security researcher Alexander Hanff discovered it while debugging his own code.
The file lands at ~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json. Claude Desktop wrote it there without asking. Here’s the exact contents:
{
  "name": "com.anthropic.claude_browser_extension",
  "description": "Claude Browser Extension Native Host",
  "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
  "type": "stdio",
  "allowed_origins": [
    "chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
    "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
    "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"
  ]
}
Chromium-based browsers like Brave, Chrome, and Edge use Native Messaging to let extensions communicate with native apps outside the browser sandbox. These hosts run at your user permission level, accessing files, clipboard, or system resources. The three extension IDs match Anthropic’s official Claude tools for Chrome, Firefox, and Edge.
Technical Breakdown
Hanff installed only the Claude Desktop app—no browser extensions, which he had kept off over privacy concerns. Yet Claude reached into Brave’s config folder, a directory owned by the browser, not Anthropic. The app’s helper binary at /Applications/Claude.app/Contents/Helpers/chrome-native-host now stands ready. If you later install a matching extension—or if one slips in via malware—your browser auto-spawns it.
Native Messaging manifests act as pre-authorizations. Browsers check them before launching hosts, blocking unauthorized calls. By planting this file, Claude Desktop creates a backdoor for its extensions across vendors. On macOS, it targets all Chromium installs, including user-specific paths like ~/Library/Application Support/Google/Chrome/NativeMessagingHosts.
Anthropic offers two Claude products: the web/app version and desktop. The ecosystem blurs lines—desktop integrates with browsers for features like screen sharing or context injection. But documentation skips this install. No EULA mention, no install-time prompt.
Risks and Why It Matters
This erodes browser sandbox integrity. Extensions can’t normally escape to run native code without explicit host registration. Claude bypasses that, pre-wiring the bridge. A compromised extension (those IDs have 100,000+ users) could exfiltrate data via the host, or reach your keys, files, or crypto wallets—all at user level, no elevation needed.
Privacy hit: The host enables extensions to pipe data to Claude’s local app, potentially scanning tabs or history without clear opt-in. Hanff calls it a “spyware bridge.” Fair point—undisclosed persistence across app uninstalls (file lingers) amplifies concerns.
Anthropic defends such integrations as standard for productivity apps. Electron-based tools like Slack or VS Code touch browser configs too, but usually with warnings. Here, silence reigns. In a post-Log4Shell world, an app that modifies a competitor’s turf demands transparency. AI firms like Anthropic push boundaries; Claude’s 1.5B+ parameters and $4B valuation ride user trust.
Fix: Delete the JSON files from each browser’s NativeMessagingHosts directory. For Chrome, check ~/Library/Application Support/Google/Chrome/NativeMessagingHosts; Edge keeps an equivalent directory. Uninstalling Claude is not enough on its own; scrub the remnants too. Demand that Anthropic explain—publicly. This matters because AI desktops aim for ubiquity. If leaders like Anthropic normalize stealth installs, expect copycats. Users lose control; browsers become extension battlegrounds.
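Before deleting anything, it helps to know which manifests exist and whether any extension that could drive them is actually installed. The audit script below is an added example, not code from the article or from Anthropic: it walks the macOS user-data directories of Chrome, Brave and Edge, reads every native-messaging manifest, and reports the host binary each one would launch plus which of its allowed extensions are present. It assumes the standard Chromium layout (<user data>/NativeMessagingHosts/ and <user data>/<profile>/Extensions/<id>/); the sample profile it builds is constructed from the manifest quoted above.

```python
import json
import os
import tempfile
from pathlib import Path

# macOS user-data dirs of Chromium browsers: NativeMessagingHosts/ sits directly
# inside; each profile (Default, Profile 1, ...) keeps its own Extensions/ tree.
USER_DATA_DIRS = {
    "Chrome": "~/Library/Application Support/Google/Chrome",
    "Brave": "~/Library/Application Support/BraveSoftware/Brave-Browser",
    "Edge": "~/Library/Application Support/Microsoft Edge",
}
# Constructed sample: the manifest quoted in the article, minus its description.
SAMPLE_MANIFEST = {
    "name": "com.anthropic.claude_browser_extension",
    "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
                        "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
                        "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"],
}
def extension_id(origin):
    # 'chrome-extension://<id>/' -> '<id>'; any other origin form -> None
    return origin[19:].strip("/") if origin.startswith("chrome-extension://") else None
def installed_extension_ids(user_data_dir):
    """Installed extension IDs are the directory names under <profile>/Extensions/."""
    return {p.name for p in Path(user_data_dir).glob("*/Extensions/*") if p.is_dir()}
def audit_manifests(user_data_dir):
    """Per manifest: the binary it launches, whether it exists, which allowed extensions are installed."""
    installed = installed_extension_ids(user_data_dir)
    records = []
    for manifest in sorted((Path(user_data_dir) / "NativeMessagingHosts").glob("*.json")):
        data = json.loads(manifest.read_text())
        ids = [i for i in map(extension_id, data.get("allowed_origins", [])) if i]
        records.append({"manifest": manifest.name, "host_path": data.get("path"),
                        "host_exists": os.path.exists(data.get("path", "")),
                        "allowed_ids": ids, "installed_ids": [i for i in ids if i in installed]})
    return records
def make_sample_profile():
    """Throwaway Chromium-style layout: the sample manifest plus one allowed extension."""
    hosts = Path(tempfile.mkdtemp()) / "NativeMessagingHosts"
    hosts.mkdir()
    (hosts / "com.anthropic.claude_browser_extension.json").write_text(json.dumps(SAMPLE_MANIFEST))
    (hosts.parent / "Default" / "Extensions" / "dihbgbndebgnbjfmelmegjepbnkhlgni" / "1.0").mkdir(parents=True)
    return str(hosts.parent)
if __name__ == "__main__":
    for browser, d in {**USER_DATA_DIRS, "sample": make_sample_profile()}.items():
        for rec in audit_manifests(os.path.expanduser(d)):
            print(browser, rec)
```

A manifest whose installed_ids list is empty is a dormant pre-authorization; one with entries is a bridge the browser will open on the next extension message.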
Broader context: Chromium’s Native Messaging dates to 2013, abused in adware (e.g., 2022 Avast fallout). Regulators eye it—EU DMA probes browser gates. Anthropic, backed by Amazon ($4B) and Google ($2B), should lead on security, not lag. Skeptical take: Legit feature, shady rollout. Verify your setup; trust degrades fast.