
Anthropic's Claude Desktop app for macOS drops configuration files into browser directories. It does this silently. Even for browsers users haven't installed.
Privacy consultant Alexander Hanff spotted the files first. He calls them a backdoor. The app creates Native Messaging manifests named across seven Chromium-based browsers: Chrome, Edge, Brave, Arc, Vivaldi, Opera, and plain Chromium. Hanff detailed his audit in a blog post on April 18, 2026. Those manifests pre-authorize three specific extension IDs, including the official Claude in Chrome extension. Any matching extension can then invoke a local binary at full user privileges, bypassing the browser sandbox.
The binary lives at . It's code-signed by Anthropic's Developer ID. Logs in confirm the installs under "Chrome Extension MCP." Claude Desktop rewrites the files every launch. Delete them? They'll reappear.
Hanff tested on a clean machine. Four browsers -- Edge, Arc, Vivaldi, Opera -- weren't present. Claude Desktop created directories for them anyway. "This is a dark pattern," Hanff wrote. "It is also, in my professional opinion, a direct breach of Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive)." He sent Anthropic a cease-and-desist letter demanding opt-in changes within 72 hours. No public reply as of April 23, 2026.
Native Messaging Exposed: The Technical Bridge to AI Control
Native Messaging lets extensions talk to native apps via stdin/stdout. Standard for Chromium. But pre-installing manifests without consent? That's new ground. Once linked, Claude gains eyes and hands in the browser. It reads pages. Fills forms. Captures screens. Pulls data from logged-in sessions -- banking, email, health portals.
Anthropic's own docs tout these powers. "Claude opens new tabs for browser tasks and shares your browser's login state," their help center states. "Live debugging: read console errors and DOM state directly." Security researcher Noah Kenney reviewed Hanff's work. "Silent installation of cross-application integrations, especially into browsers that users haven't opted into, is likely to go beyond that exemption," Kenney told gHacks.
Attack paths multiply. Anthropic admits Claude faces prompt injection risks: 23.6% success without fixes, 11.2% with them (Let's Data Science). An injected prompt could chain through the extension to the unsandboxed binary. Broad permissions on extensions don't help. Users expect prompts. Not pre-granted bridges.
But defenders argue necessity. X users like @cb_doge amplified the claims, calling it "sneaky spyware" in a post with 2,900 likes. Others countered: it's just how desktop apps link to extensions. Without it, Claude Desktop couldn't control browsers for tasks. Malwarebytes weighed in too. "I don't think it's fair to say that Claude Desktop installs spyware," they wrote in an April 22 analysis. Still, they flagged the expanded attack surface and silent installs as problems.
The manifest's list three IDs: , (Claude in Chrome), and . All tie back to Anthropic. Hanff notes Claude docs claim support only for Chrome. Yet it hits Brave and others too.
Privacy Fallout and User Fixes in a Silent AI World
Europe looms large. ePrivacy Directive Article 5(3) demands consent for device access unless strictly needed. Hanff says no: Claude Desktop works fine without browser bridges. Regulators eye such moves closely. "European regulators tend to interpret 'strictly necessary' narrowly," Kenney added to The Register.
Users scramble for workarounds. Reddit threads share scripts to lock files: after emptying them. One blocks all but Chrome. Full fix? Uninstall Claude Desktop. X buzz peaked April 23, with @BrianRoemmele posting Hanff's analysis to 68,000 views.
Anthropic stays quiet. No patch. No statement. Their Claude in Chrome extension, beta for paid users, pushes agentic features hard. Desktop ties in via "Connectors" settings. But transparency lags. Industry insiders watch: AI agents demand deep access. Consent can't stay optional.
Broader pattern? Other AI tools eye browsers. OpenAI's work, Google's extensions. Bridges like this power automation. Yet silent pre-auths erode trust. Anthropic brands as the safe AI lab. This undercuts that. Hanff plans regulatory complaints if unchanged. Expect audits, maybe patches. For now, Mac users with Claude Desktop should check their folders. And think twice before granting AI the keys to their browsers.
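For the folder check suggested above, here is an added example (not code from Hanff's audit or from Anthropic): a Python script that walks a macOS user's Application Support tree for Chromium NativeMessagingHosts folders and reports each manifest's host name, binary path and pre-authorized extension IDs. The scan root, the record field names and the "browser folder holds nothing else" heuristic are assumptions of this example.

```python
import json
import os
import re
from pathlib import Path

# Chromium writes allowed origins as chrome-extension://<32 letters a-p>/
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")
HOSTS_DIR = "NativeMessagingHosts"  # per-user manifest folder used by Chromium browsers

def audit_native_messaging(root):
    """Return one record per Native Messaging manifest found below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        if here.name != HOSTS_DIR:
            continue
        # A browser folder holding nothing except the manifest folder suggests
        # the browser was never installed or launched for this user.
        lonely = all(p.name == HOSTS_DIR for p in here.parent.iterdir())
        for fname in sorted(f for f in files if f.endswith(".json")):
            record = {"manifest": str(here / fname), "browser_dir_otherwise_empty": lonely}
            try:
                data = json.loads((here / fname).read_text(encoding="utf-8"))
                origins = data.get("allowed_origins") or []
                host_path = str(data.get("path", ""))
            except (OSError, ValueError, AttributeError):
                # Emptied or locked-down files (a workaround users apply) land here.
                record["error"] = "unreadable or empty"
                findings.append(record)
                continue
            matches = [(o, ORIGIN_RE.match(o)) for o in origins if isinstance(o, str)]
            record.update({
                "host": data.get("name"),
                "binary": host_path,
                "binary_exists": bool(host_path) and Path(host_path).is_file(),
                "extension_ids": [m.group(1) for _, m in matches if m],
                "other_origins": [o for o, m in matches if not m],
            })
            findings.append(record)
    return findings

if __name__ == "__main__":
    # Assumed default scan root for a macOS user account.
    for rec in audit_native_messaging(Path.home() / "Library" / "Application Support"):
        print(json.dumps(rec, indent=2))
```

Running it before and after launching a desktop app shows which manifests that app writes or rewrites.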