Chrome security flaw enabled spying via Gemini Live assistant

A Google Chrome vulnerability lets malicious extensions hijack Gemini Live to spy on users and steal sensitive files.

Researchers at Palo Alto Networks found a Chrome vulnerability, tracked as CVE-2026-0628, that could let malicious extensions take control of the Gemini Live AI assistant. By abusing the flaw, attackers could spy on users and exfiltrate sensitive files through the browser, highlighting the risks posed by overly permissive extension access.

“We uncovered a High severity security vulnerability CVE-2026-0628 in Google’s implementation of the new Gemini feature in Chrome. This vulnerability allows the attacker to tap into the browser environment and access files on the local operating system.” reads the report published by Palo Alto Networks.

“Specifically, this vulnerability could have allowed malicious extensions with basic permissions to hijack the new Gemini Live in Chrome browser panel.”

Chrome’s side panel AI assistant, Gemini Live, was built to summarize content in real time, execute tasks, and understand webpages in context.

“The terms “agentic browser” or “AI browser” refer to a new class of web browsers that integrate AI assistants. AI browsers include Atlas, Comet, Copilot in Edge and Gemini in Chrome.” continues the report. “At the heart of their offering is an AI side panel assistant capable of real-time content summarization, automated task execution and dynamic assistance for contextual understanding of the active webpage.”

Because it has privileged access to what users see and do in the browser, it can perform complex multi-step actions. However, this deep integration also creates risk. The vulnerability CVE-2026-0628, which was patched in Chrome 143, allowed malicious extensions with declarativeNetRequests permissions to inject JavaScript into the Gemini panel, not just the standard hxxps[:]//gemini.google[.]com/app tab.

While intercepting the site in a normal tab is expected, doing so inside the privileged Gemini panel exposed powerful browser capabilities. Code running there could access local files, screenshots, camera, and microphone, enabling phishing or spying without user consent beyond launching Gemini. Because the panel is a trusted browser component, hijacking it effectively granted attackers elevated privileges beyond those normally available to extensions.

“In our report to Google, we demonstrated how an ordinary extension could hijack the Gemini panel and perform the following activities:

• Hijack the panel into carrying out a phishing attack”
• Start the camera and microphone of the browser without asking for user consent
• Reach local files and directories of the underlying operating system
• Take screenshots of tabs showing any website that serves over HTTPS” continues the report.

Extension-based attacks are often underestimated because users must first install them, but AI-powered browser features raise the stakes. As more malicious or hijacked extensions appear in web stores, the risk grows. In enterprise environments, a rogue extension accessing cameras, microphones, or local files poses serious threats. The Gemini panel flaw was responsibly disclosed to Google on October 23, 2025, and patched in early January 2026.

“While AI browsers or AI features implemented into existing browsers can improve the user experience, it’s important to continue monitoring for potential security flaws.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)