A recent report by Palo Alto Networks has revealed a vulnerability in Chrome that could have allowed malicious extensions to compromise the browser's AI assistant, Gemini Live. The flaw had the potential to let an attacker spy on users and extract sensitive data.
Gemini Live’s Advanced Capabilities
Gemini Live is an AI assistant integrated into Chrome’s side panel, designed to enhance user experience by summarizing web content, performing tasks, and understanding the context of active web pages. This AI assistant is capable of executing complex operations due to its direct access to the user’s browsing environment.
The extensive capabilities of Gemini Live, which include viewing the web page as the user does and leveraging contextual instructions, introduced new security risks, as explained by Palo Alto Networks.
Security Flaw Details and Exploitation Risks
The vulnerability, identified as CVE-2026-0628, was discovered and later patched in Chrome version 143. It allowed malicious extensions to inject JavaScript into the Gemini Live panel, potentially granting access to sensitive functions.
To exploit this flaw, an extension would need specific permissions via the declarativeNetRequest API, which is commonly used for legitimate purposes such as blocking harmful requests. According to the report, this API was enabled by default for interactions with Gemini content, which is what created the risk.
The vulnerability could have led to unauthorized access to local files, screenshots, camera, and microphone, effectively turning Gemini Live into a tool for phishing and unauthorized data access.
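The permission the report names is also the natural starting point for a defender's triage. The script below is an added example, not code from Palo Alto Networks, Google or this article: it scans extension manifests (constructed samples embedded inline) for the declarativeNetRequest permission family and pairs that with a check of the installed Chrome version against the fix version the article gives, 143. The extension ids, manifest texts and version strings are assumed inputs that you would supply from your own inventory.

```python
import json
import re

# Chrome's declarativeNetRequest permission family (real permission names;
# the article names the first one as the capability the attack needed).
DNR_PERMISSIONS = {"declarativeNetRequest",
                   "declarativeNetRequestWithHostAccess",
                   "declarativeNetRequestFeedback"}

PATCHED_MAJOR = 143  # Chrome major version in which the article says the fix shipped


def chrome_major(version: str) -> int:
    """Major component of a Chrome version string such as '142.0.7444.59'."""
    m = re.match(r"(\d+)(?:\.|$)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1))


def dnr_extensions(manifests: dict[str, str]) -> dict[str, list[str]]:
    """Extension id -> sorted DNR permissions, for every extension holding one.

    `manifests` maps an extension id to the raw text of its manifest.json.
    optional_permissions are included because they can be granted at runtime."""
    found = {}
    for ext_id, raw in manifests.items():
        manifest = json.loads(raw)
        declared = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
        hits = sorted(declared & DNR_PERMISSIONS)
        if hits:
            found[ext_id] = hits
    return found


def triage(chrome_version: str, manifests: dict[str, str]) -> dict:
    """Exposure summary: browser below the fixed version AND extensions to review."""
    flagged = dnr_extensions(manifests)
    unpatched = chrome_major(chrome_version) < PATCHED_MAJOR
    return {"unpatched": unpatched, "review": flagged, "at_risk": unpatched and bool(flagged)}


# Constructed sample manifests for a dry run (not real extensions).
SAMPLE_MANIFESTS = {
    "ext-blocker": json.dumps({"manifest_version": 3, "permissions": ["declarativeNetRequest", "storage"]}),
    "ext-notes": json.dumps({"manifest_version": 3, "permissions": ["storage"]}),
    "ext-optional": json.dumps({"manifest_version": 3,
                                "optional_permissions": ["declarativeNetRequestWithHostAccess"]}),
}
```

Running `triage("142.0.1.1", SAMPLE_MANIFESTS)` (a constructed version string) reports the browser as unpatched and lists the two sample extensions that hold a DNR permission; on a patched browser the same extensions are still returned under `review` so they can be checked for legitimate use.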
Response and Security Measures
Palo Alto Networks reported this critical issue to Google in October. Google responded by releasing a security patch in January, addressing the vulnerability in Chrome versions for Windows, macOS, and Linux.
This incident highlights the importance of continuous security assessments in AI-powered browser components and the need for robust protection against potential exploitation.
The patch ensures that Gemini Live’s powerful functionalities are secure from unauthorized access, maintaining user trust in AI enhancements within browsers.
As AI continues to evolve within web browsers, users can expect ongoing improvements in both capabilities and security measures, ensuring a safer and more efficient browsing experience.
