Unseen Access: Claude Desktop Bypasses macOS Sandboxing with Native Messaging Bridge
In a troubling revelation for macOS users, a technical deep dive published on April 18, 2026, by privacy researcher Alexander Hanff, has exposed a significant architectural vulnerability in Anthropic’s Claude Desktop application. The report details how the application silently deploys a Native Messaging bridge across a wide array of Chromium-based web browsers without explicit user intervention or affirmative consent.
By establishing these out-of-sandbox automation hooks, Claude Desktop effectively bypasses the standard security boundaries designed to isolate web browsing activity from local system processes. This unprompted installation creates a persistent bridge between the browser and the local machine, fundamentally altering the user’s threat model.
The crux of the vulnerability lies in the unauthorized injection of a specific manifest file: com.anthropic.claude_browser_extension.json. Hanff discovered this configuration file while debugging a separate project on his MacBook, noting that the Claude Desktop app had programmatically written this manifest into the application support directories of seven distinct browsers: Google Chrome, Brave, Microsoft Edge, Chromium, Arc, Vivaldi, and Opera.
Perhaps most concerning is the “aggressive” nature of the deployment. The application attempts to install these configurations even for browsers that are not installed on the host machine, and for those that Anthropic’s own documentation lists as unsupported. Furthermore, the installation is self-healing; every time Claude Desktop is launched, it rewrites these files, rendering simple manual deletion ineffective unless the entire application is uninstalled.
The Mechanics of the “Backdoor”: Native Messaging Exploitation
From a technical standpoint, the Native Messaging bridge functions as a pre-authorized pathway for browser extensions to communicate with local software. The manifest allows three specific Chrome extension IDs to spawn a local executable—named chrome-native-host—located deep within the Claude.app bundle.
While Native Messaging is a legitimate Chrome API, its implementation here is highly invasive. Because the chrome-native-host executable runs outside the browser’s restrictive sandbox, it operates with full user-level privileges on the macOS filesystem.
Expanded Attack Surface and Agentic Risks
The implications of this bridge extend far beyond simple data synchronization. When paired with an active extension, this bridge grants Claude exceptionally high-privilege automation capabilities, including:
- Full DOM Access: Reading the complete structure and content of any webpage.
- Session Hijacking Capabilities: Sharing authenticated login states to interact with web services as the user.
- Automated Data Extraction: Structured scraping of highly sensitive information.
- Background Interaction: Automated form filling and background screen recording.
This level of access allows an AI agent to interact with mission-critical environments—such as banking portals, healthcare systems, or production infrastructure consoles—acting with the same authority as the logged-in user. This creates a massive risk regarding Prompt Injection attacks. Anthropic’s own safety research indicates that Claude for Chrome maintains an 11.2% success rate for prompt injection despite current mitigations. If an attacker can manipulate a prompt within the browser, they could potentially leverage this pre-installed bridge to jump from a web-based vulnerability to out-of-sandbox code execution on the local Mac.
Regulatory Concerns and Necessary Remediation
Hanff has characterized this behavior as a “dark pattern,” suggesting it may violate the EU ePrivacy Directive (Directive 2002/58/EC) and various international computer misuse laws. The core issue is the deployment of “dormant capability”—security hooks that exist on a system without the user’s knowledge, waiting to be activated.
To align with industry best practices and restore user trust, cybersecurity advocates suggest Anthropic must transition to a strict opt-in architecture. This should include:
- Explicit Consent: Mandatory, transparent prompts before any browser integration is attempted.
- Selective Targeting: Limiting installation only to the specific, supported browsers chosen by the user.
- Granular Management: A visible settings menu within Claude Desktop to audit and revoke browser permissions at any time.
Recommendation for IT Administrators: Until a formal architectural update is released, organizations utilizing Claude Desktop on macOS should perform audits of user workstations. Search for the presence of the com.anthropic.claude_browser_extension.json manifest file to ensure compliance with internal data protection and endpoint security policies.