Anthropic Secretly Installs Spyware When You Install Claude Desktop
hubie writes:
Anthropic silently installed a spyware bridge on my machine:
I was working on a personal project, debugging a Native Messaging helper I had written for it. In the process I needed to check what Brave Browser had registered on my laptop. What I found was a file I had never put there. It was not mine. I had not installed it. I had not authorised it. I had not even been told about it.
It was from Anthropic.
The file sits at this path on my MacBook:
~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
And its contents are this:
{
  "name": "com.anthropic.claude_browser_extension",
  "description": "Claude Browser Extension Native Host",
  "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
  "type": "stdio",
  "allowed_origins": [
    "chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
    "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
    "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"
  ]
}
For the non-technical reader, this is a Native Messaging manifest. It is the document a Chromium-based browser consults when a browser extension wants to call an executable on the local machine. Native Messaging hosts run outside the browser sandbox, at the same privilege level as the user. If a browser extension with one of the three IDs listed above reaches my Brave install, Brave is pre-authorised to spawn the binary at /Applications/Claude.app/Contents/Helpers/chrome-native-host on my laptop with my access permissions.
I did not install any Anthropic browser extension. I have never installed a Claude browser extension due to privacy and security concerns. I did install Claude Desktop, the Mac app, a while back. That is the only thing on this machine which could have written the file. Claude Desktop reached into Brave, a browser from a completely separate vendor, and registered a back door for a browser extension I do not have.
One clarification before I continue, because the Anthropic ecosystem has two products whose names blur together. This article is about Claude Desktop, the Electron-based macOS application with bundle identifier com.anthropic.claudefordesktop, distributed as Claude.app. It is not about Claude Code, Anthropic's command line developer tool. Claude Code has its own, separately documented, Native Messaging bridge with the filename com.anthropic.claude_code_browser_extension.json. The bridge this article is about is installed under a different filename, com.anthropic.claude_browser_extension.json, by a different product, under a different internal subsystem, and is entirely undocumented by Anthropic. The two bridges coexist. This article concerns the undocumented one.
At rest, the bridge does nothing. The binary does not run until a browser extension with one of the three listed IDs calls it. So on my machine, right now, nothing is happening. That is the one argument Anthropic will try to hide behind. Let me cut through it in advance.
When the paired extension is present and the bridge is activated, it exposes browser automation capabilities to whatever agentic process Claude is running. Anthropic describe those capabilities in their own public documentation. [...]
That is explicit authenticated session access, DOM state read, form filling, and screen capture, described by Anthropic on their own documentation site. If I have my bank open in a tab, the bridge's documented capabilities include reading it as me. If I have Tax, or my Health portal, or a client's Slack, or an admin console to production infrastructure, the documented capabilities include acting as me there.
The bridge runs outside the browser's sandbox at user privilege level, and Native Messaging hosts do not surface in any standard macOS process or permission UI; they are invoked by the browser and communicate over stdio.
This is the capability that Anthropic pre-stages on my laptop the moment I install their desktop application. Without telling me. Without asking me. Without offering me the chance to say no.
TFA says folders were also created for other browsers that weren't installed, so if any of those browsers were later installed, this would be active from the start. Apart from whether Anthropic needs this to function, looking at it from a higher level, the fact that you can do this sounds to me like a horrible security loophole that can be easily exploited.
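An added example, not part of the article or the submission and not Anthropic's code: a small audit that reads every Native Messaging manifest in one Chromium-style data directory and flags hosts whose permitted extensions are not installed in any profile, which is the pre-staged state the article describes. The function names, the `pre_staged` flag and the rule that an extension is installed when a profile holds `Extensions/<id>/` are assumptions of this sketch; the sample manifest is the one quoted above, written into a constructed temporary directory.

```python
import json, re, tempfile
from pathlib import Path

EXT_ID = re.compile(r"^chrome-extension://([a-p]{32})/$")
# Constructed sample input: the manifest text quoted in the article.
SAMPLE = {"name": "com.anthropic.claude_browser_extension", "type": "stdio",
          "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
          "allowed_origins": [
              "chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
              "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
              "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"]}

def audit_native_hosts(browser_root):
    """Audit every Native Messaging manifest under one Chromium-style data dir."""
    root, findings = Path(browser_root), []
    for manifest in sorted((root / "NativeMessagingHosts").glob("*.json")):
        try:
            data = json.loads(manifest.read_text())
            raw = data.get("allowed_origins")
        except (OSError, ValueError, AttributeError):
            findings.append({"manifest": manifest.name, "error": "unreadable"})
            continue
        origins = [o for o in raw if isinstance(o, str)] if isinstance(raw, list) else []
        ids = [m.group(1) for o in origins if (m := EXT_ID.match(o))]
        # Assumption: an extension counts as installed when some profile
        # directory (Default, "Profile 1", ...) contains Extensions/<id>/.
        installed = [i for i in ids if any(root.glob(f"*/Extensions/{i}"))]
        host = str(data.get("path") or "")
        findings.append({
            "manifest": manifest.name, "host_path": host,
            "host_exists": Path(host).is_file() if host else False,
            "allowed_ids": ids, "installed_ids": installed,
            # Pre-staged: a host is registered but no permitted extension exists.
            "pre_staged": bool(ids) and not installed})
    return findings

def build_sample(tmp, install_id=None):
    """Constructed fixture: a fake Brave data dir holding SAMPLE."""
    root = Path(tmp) / "Brave-Browser"
    (root / "NativeMessagingHosts").mkdir(parents=True)
    (root / "Default" / "Extensions" / (install_id or "")).mkdir(parents=True)
    name = SAMPLE["name"] + ".json"
    (root / "NativeMessagingHosts" / name).write_text(json.dumps(SAMPLE))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_native_hosts(build_sample(tmp)):
            print(json.dumps(finding, indent=2))
```

On a real Mac, pass the browser's own data directory to `audit_native_hosts`, for example the `Brave-Browser` directory from the path quoted in the article.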