Security Alert: Critical “MaXSS” and “Spyder” Vulnerabilities Compromise Millions of AI-Powered Chrome Extension Users
A series of high-severity security flaws has been identified in widely deployed Chrome extensions, potentially exposing millions of users to full browser compromise. These vulnerabilities transform convenient, AI-driven productivity tools into potent attack vectors, allowing malicious actors to bypass traditional security boundaries.
The vulnerabilities, documented as “MaXSS” and “Spyder,” specifically impact the popular AI assistants SiderAI and MaxAI. With a combined install base exceeding 10 million users across Chrome and other Chromium-based browsers, the scale of this exposure is significant.
The Architecture of Risk: Agentic Side Panels
These extensions belong to an emerging class of software known as “agentic side panels.” Unlike traditional extensions that perform simple tasks, these tools are designed to act as autonomous agents—summarizing web content, providing contextual assistance, and performing automated actions across different web applications. To function effectively, they require deep integration into the user’s web sessions and elevated browser permissions.
The core security failure stems from a lack of robust isolation and inadequate input validation. In the Chrome Extension architecture, “content scripts” serve as the bridge between untrusted web pages and the privileged “background service workers.” While this separation is intended to act as a sandbox, both SiderAI and MaxAI failed to sanitize the data passing through this bridge.
MaXSS: Privilege Escalation via Message Passing
The MaXSS vulnerability found in MaxAI exploits the communication channel between a website and the extension. An attacker-controlled website can send specially crafted, malicious messages to the extension’s content script. Because the extension fails to validate the origin or the payload of these messages, it blindly forwards them to the privileged background process.
This effectively allows an attacker to “proxy” commands through the extension to execute high-privilege actions. Researchers at Rebora demonstrated that this flaw allows attackers to open hidden tabs, capture screenshots of sensitive interfaces (such as Gmail or Google Calendar), and even hijack sessions with AI platforms like ChatGPT or Claude to exfiltrate personal data.
Spyder: Simulated User Interaction and Data Exfiltration
The Spyder vulnerability in SiderAI operates on a similar principle but focuses on event simulation. By triggering artificial DOM events, a malicious webpage can trick the extension into believing a user has performed a specific action. This allows an attacker to force the extension to type prompts, click buttons, or interact with the AI’s internal logic.
In proof-of-concept testing, researchers successfully demonstrated how an attacker could gain access to a victim’s AI account, generate sensitive responses, and leak that information via attacker-controlled links. Because these actions are performed by the extension itself, they appear as legitimate, authenticated user activity to the service provider.
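A defensive sketch for both flaws described above, added here as an example and not taken from SiderAI, MaxAI or the researchers' report: a content script that relays only allow-listed, schema-checked messages from an expected origin, and ignores script-generated DOM events. The origin, the message type and all function names are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not SiderAI or MaxAI code.
// Origins allowed to talk to the bridge (constructed value).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Message types the bridge relays. Each handler returns a sanitized
// payload built from known fields only, or null to reject.
const HANDLERS = {
  SUMMARIZE_SELECTION: (p) =>
    typeof p.text === "string" && p.text.length <= 10000 ? { text: p.text } : null,
};

// Decide whether a window "message" event may be relayed to the background
// service worker. Returns the message to forward, or null to drop it.
function vetPageMessage(event, ownWindow) {
  if (event.source !== ownWindow) return null;          // ignore frames and other windows
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;  // exact-match origin allow-list
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  // Own-property lookup so "constructor" or "__proto__" never resolves to a handler.
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, data.type)) return null;
  const payload = data.payload;
  if (payload === null || typeof payload !== "object") return null;
  const clean = HANDLERS[data.type](payload);
  return clean ? { type: data.type, payload: clean } : null;
}

// Gate for DOM event handlers: events dispatched by page script
// (synthetic events) have isTrusted === false.
function isRealUserAction(event) {
  return event.isTrusted === true;
}

// Wiring inside a content script; skipped where extension APIs are absent.
if (typeof window !== "undefined" && typeof chrome !== "undefined" && chrome.runtime) {
  window.addEventListener("message", (event) => {
    const msg = vetPageMessage(event, window);
    if (msg) chrome.runtime.sendMessage(msg);
  });
  document.addEventListener("click", (event) => {
    if (!isRealUserAction(event)) return; // drop simulated clicks
    // handle the genuine click here
  });
}
```

The background service worker should apply the same type allow-list again rather than trusting whatever the content script forwards.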
Impact and Remediation
The most alarming aspect of these flaws is the lack of required user interaction. A victim only needs to visit a compromised website for the exploit to trigger. Due to the broad permissions these extensions hold, an attacker could potentially access:
- Private emails and documents.
- Authentication tokens and session cookies.
- Sensitive AI chat histories.
- Local file systems (in specific configurations).
As of the current report, the vendors have not addressed the issues reported through responsible disclosure, leaving users exposed. Google has been notified, but a widespread patch is not yet confirmed.
Immediate Recommendations:
- Individual Users: If you have SiderAI or MaxAI installed, it is strongly recommended that you remove them immediately until a verified security patch is released.
- Enterprise Administrators: Implement strict extension allow-lists, monitor for unauthorized browser extensions, and enforce the principle of least privilege regarding third-party tool permissions.
This incident serves as a critical warning: as AI agents gain more control over our digital workflows, the browser becomes an increasingly complex and fragile attack surface that requires rigorous security scrutiny.