Chrome's AI Panel Had a Hole Big Enough to Hijack Your Camera and Microphone

A patched Chrome vulnerability let malicious extensions hijack Gemini's access to your camera, microphone, and files. Here's what happened.

Google’s push to embed AI everywhere just created a new class of security risk. A high-severity vulnerability in Chrome’s Gemini integration allowed malicious browser extensions to hijack the AI panel’s access to cameras, microphones, and local files - with no user interaction required beyond opening the panel.

The flaw, tracked as CVE-2026-0628, was patched in January but publicly disclosed this week by Palo Alto Networks’ Unit 42 research team. It affects all Chrome versions prior to 143.0.7499.192 on Linux and 143.0.7499.193 on Windows and Mac.

The Attack: How a Fake Ad-Blocker Could Watch You

The vulnerability exploited a fundamental gap in how Chrome protected its new “Gemini Live” panel. When Google integrated Gemini directly into Chrome, they gave the AI assistant powerful capabilities: camera access, microphone control, local file reading, and screenshot capture. These permissions were supposed to be isolated from the extension ecosystem.

They weren’t.

Security researcher Gal Weizman at Unit 42 discovered that extensions using the declarativeNetRequest API - the same API legitimately used by ad-blockers - could intercept and modify requests to gemini.google.com/app. When the Gemini panel loaded this content, attackers could inject arbitrary JavaScript that executed with the panel’s elevated privileges.

The attack chain was disturbingly simple:

  1. User installs what looks like a productivity tool or ad-blocker
  2. Extension intercepts traffic to Gemini’s web app
  3. Malicious JavaScript gets injected into the privileged Gemini panel
  4. Attacker gains access to camera, microphone, files, and screenshots

“Intercepting and injecting JavaScript code into the Gemini web app when loaded via an ordinary tab is trivial and doesn’t grant access to special powers,” Weizman explained. “However, when the Gemini app is loaded within this new panel component, Chrome hooks it with access to powerful capabilities.”

The Root Cause: A Missing Entry on a Blocklist

The technical failure was almost embarrassingly simple. Chrome maintains a blocklist that prevents extensions from intercepting privileged browser components. The team forgot to add the chrome://glic WebView to that blocklist.

This oversight meant any extension with basic network interception permissions could target the most privileged AI component in the browser. No special permissions required. No user warnings displayed.

The vulnerability scored 8.8 on the CVSS severity scale - high enough that enterprise security teams should treat unpatched Chrome installations as compromised.

What Attackers Could Access

A successful exploit gave attackers the full range of Gemini’s capabilities:

  • Camera activation: Silent video recording without the usual permission prompt
  • Microphone access: Audio capture with no indicator light in some configurations
  • Local file reading: Access to files and directories the user has permitted Gemini to access
  • Screenshot capture: Images of any HTTPS website open in the browser
  • Phishing through trust: Attacks executed through Chrome’s own UI, bypassing user suspicion

The attack needed no clicks beyond opening the Gemini side panel - something many users do habitually. Once the panel was compromised, the extension could maintain persistent access for as long as it remained installed.

Timeline and Response

Weizman responsibly disclosed the vulnerability to Google on October 23, 2025. Google released a patch in early January 2026 with Chrome version 143. The public disclosure came on March 2, 2026, after sufficient time for users to update.

Google fixed the vulnerability by properly isolating the Gemini panel from extension interference, restoring the security boundary that should have existed from the start.

The Broader Problem: AI Integration Expanding Attack Surfaces

This vulnerability illustrates a pattern we’ve warned about repeatedly: every AI integration creates new attack surface. Browser-based AI assistants with system-level permissions are particularly dangerous because they combine:

  • Powerful capabilities that users grant to the AI
  • Trust inheritance where users assume browser chrome is secure
  • Extension ecosystems with millions of add-ons of varying quality
  • Rapid deployment that outpaces security review

Google isn’t alone here. Microsoft’s Copilot integration in Edge, Apple’s Intelligence features, and countless third-party AI browser extensions all face similar architectural challenges. The race to embed AI everywhere creates pressure to ship fast and patch later.

What You Should Do

Check your Chrome version: Go to chrome://settings/help and verify you’re running 143.0.7499.192 (Linux) or 143.0.7499.193 (Windows/Mac) or later. Chrome should auto-update, but verify anyway.

Audit your extensions: Remove any extensions you don’t recognize or no longer use. The fewer extensions you run, the smaller your attack surface.

Review extension permissions: Extensions using declarativeNetRequest aren’t inherently malicious, but they have more power than many users realize. Be selective about what you install.

Consider Gemini’s permissions: If you’ve granted Gemini access to your camera, microphone, or files, understand that any browser vulnerability could expose those resources. Grant AI assistants only the permissions you actually need.

Use a separate browser profile: For sensitive activities (banking, medical records, work accounts), consider a separate Chrome profile with no extensions installed.
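As an added example (not code from the article, from Google or from Unit 42), the following Node.js script turns two of the steps above into checks: it compares a Chrome version string against the fixed builds the article names for each platform, and it flags extension manifests that hold a declarativeNetRequest permission, noting whether their host permissions reach gemini.google.com. The manifests are constructed samples; to audit a real profile you would feed it the manifest.json files from your extension directory. Names such as isPatched and flaggedExtensions are the example's own.

```javascript
// Added example, not code from the article, Google or Unit 42: two checks a
// defender can script from the article's facts. Requires only Node.js.

// Fixed Chrome versions per platform, as stated in the article.
const FIXED_VERSIONS = {
  linux: "143.0.7499.192",
  windows: "143.0.7499.193",
  mac: "143.0.7499.193",
};

// Parse "major.minor.build.patch" into four non-negative integers.
function parseVersion(v) {
  const parts = String(v).trim().split(".").map(Number);
  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`malformed Chrome version: ${v}`);
  }
  return parts;
}

// Component-wise numeric comparison returning -1, 0 or 1. A plain string
// comparison would wrongly rank 143.0.7499.99 above 143.0.7499.192.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the running build is at or above the fixed version for its platform.
function isPatched(version, platform) {
  const fixed = FIXED_VERSIONS[platform];
  if (!fixed) throw new Error(`unknown platform: ${platform}`);
  return compareVersions(version, fixed) >= 0;
}

// --- Extension manifest audit --------------------------------------------

const GEMINI_HOST = "gemini.google.com";

// Does a Chrome match pattern (scheme://host/path) cover the given host?
// Handles "<all_urls>", a bare "*" host and "*.example.com" subdomain wildcards.
function patternMatchesHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const hostPattern = m[2];
  if (hostPattern === "*") return true;
  if (hostPattern.startsWith("*.")) {
    const base = hostPattern.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === hostPattern;
}

// Report on one manifest.json object: does it hold a declarativeNetRequest
// permission, and do its host permissions reach gemini.google.com?
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const hostPerms = manifest.host_permissions || [];
  const canRewrite = perms.some((p) => p.startsWith("declarativeNetRequest"));
  const coversGemini = hostPerms.some((p) => patternMatchesHost(p, GEMINI_HOST));
  return { name: manifest.name, canRewrite, coversGemini, flagged: canRewrite };
}

// Names of extensions worth a closer look, those reaching Gemini listed first.
function flaggedExtensions(manifests) {
  return manifests
    .map(auditManifest)
    .filter((r) => r.flagged)
    .sort((a, b) => Number(b.coversGemini) - Number(a.coversGemini))
    .map((r) => `${r.name}${r.coversGemini ? " (host permissions reach Gemini)" : ""}`);
}

// Constructed sample manifests (not real extensions) for a stand-alone run.
const SAMPLE_MANIFESTS = [
  { name: "Sample Ad Blocker", manifest_version: 3,
    permissions: ["declarativeNetRequest"], host_permissions: ["<all_urls>"] },
  { name: "Sample Note Taker", manifest_version: 3,
    permissions: ["storage"], host_permissions: ["https://notes.example/*"] },
  { name: "Sample Privacy Shield", manifest_version: 3,
    permissions: ["declarativeNetRequestWithHostAccess"],
    host_permissions: ["*://*.google.com/*"] },
  { name: "Sample News Filter", manifest_version: 3,
    permissions: ["declarativeNetRequest"], host_permissions: ["https://news.example/*"] },
];

console.log("Linux 143.0.7499.191 patched:", isPatched("143.0.7499.191", "linux"));
console.log("Windows 143.0.7499.193 patched:", isPatched("143.0.7499.193", "windows"));
console.log("Flagged:", flaggedExtensions(SAMPLE_MANIFESTS));
```

The version comparison is numeric per component, so 143.0.7499.99 is ranked below 143.0.7499.192 as it should be, and the Windows/Mac threshold is one patch level above the Linux one, as the article states. A flagged extension is not necessarily malicious; the report is a starting point for deciding which extensions to keep.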

The Lesson

Google built an AI assistant with access to your camera, microphone, and files, then failed to properly isolate it from the extension ecosystem they’ve spent two decades building. The vulnerability was simple, the fix was simple, and it still shipped to billions of users.

This is what happens when AI integration moves faster than security architecture. Every capability you grant to AI assistants becomes a capability that attackers can potentially hijack. The question isn’t whether there will be more vulnerabilities like this - it’s whether browser vendors will learn to treat AI integrations as the high-risk attack surfaces they are.

For now, update Chrome and audit your extensions. Your camera might be watching you even when you think it’s not.