Claude Desktop's Unauthorized Browser Access Raises Privacy Concerns
Severity: High (Score: 67.2)
Sources: The Register
Summary
Anthropic's Claude Desktop for macOS has been found to modify the permissions of other applications without user consent, including pre-authorizing browser extensions for browsers that are not yet installed. Privacy consultant Alexander Hanff claims this behavior constitutes spyware and violates European privacy laws, specifically Article 5(3) of the ePrivacy Directive. The software installs a Native Messaging manifest file that allows it to run executables in Chromium-based browsers, effectively granting it access to user data without explicit permission. Hanff discovered these issues while debugging another application, revealing that Claude Desktop's actions could lead to significant privacy violations. The unauthorized access allows Claude to read web pages, fill out forms, and capture screens, operating outside the browser's security sandbox. This incident raises serious concerns about user consent and the ethical implications of AI software behavior. The current status indicates ongoing scrutiny and potential legal ramifications for Anthropic.
Key Points
- Claude Desktop modifies app permissions without user consent, violating privacy laws.
- The software pre-authorizes browser extensions for browsers not yet installed.
- Alexander Hanff labels Claude Desktop's behavior as spyware and a dark pattern.
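An added audit example (not from the article or from Anthropic): the Python below lists Native Messaging host manifests in the per-user profile directories of several Chromium-based browsers on macOS and marks any that are registered for a browser that is not installed. The browser list is illustrative, and treating a browser as installed when its bundle exists in `/Applications` is an assumption.

```python
import json
from pathlib import Path

# App bundle name -> profile directory under ~/Library/Application Support.
# Illustrative list of Chromium-based browsers, not exhaustive.
BROWSER_DIRS = {
    "Google Chrome": "Google/Chrome",
    "Chromium": "Chromium",
    "Microsoft Edge": "Microsoft Edge",
    "Brave Browser": "BraveSoftware/Brave-Browser",
}

def installed_browsers(applications="/Applications"):
    """Assumption: a browser counts as installed if its .app bundle is here."""
    return {b for b in BROWSER_DIRS if (Path(applications) / f"{b}.app").is_dir()}

def audit_native_hosts(app_support, installed):
    """Return one finding per Native Messaging manifest under app_support."""
    findings = []
    for browser, rel in BROWSER_DIRS.items():
        host_dir = Path(app_support) / rel / "NativeMessagingHosts"
        if not host_dir.is_dir():
            continue
        for manifest in sorted(host_dir.glob("*.json")):
            try:
                data = json.loads(manifest.read_text())
            except (OSError, ValueError):
                data = None
            if not isinstance(data, dict):
                data = {}  # unreadable or malformed manifest: still report the file
            findings.append({
                "browser": browser,
                "manifest": str(manifest),
                "host": data.get("name"),
                "executable": data.get("path"),  # binary the browser launches
                "allowed_origins": data.get("allowed_origins", []),
                "browser_installed": browser in installed,
            })
    return findings

if __name__ == "__main__":
    support = Path.home() / "Library" / "Application Support"
    for f in audit_native_hosts(support, installed_browsers()):
        note = "" if f["browser_installed"] else "  [browser not installed]"
        print(f"{f['browser']}: {f['host']} -> {f['executable']}{note}")
        for origin in f["allowed_origins"]:
            print(f"    allowed extension: {origin}")
```

Each finding names the executable the browser would launch and the extension origins allowed to talk to it, which is what to review before keeping or deleting a manifest.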
Key Entities
- Malware (attack_type)
- Prompt Injection (attack_type)
- CWE-94 - Code Injection (cwe)
- Chrome (tool)
- Chromium (platform)
- Electron (platform)
- macOS (platform)