this post was submitted on 20 Apr 2026
135 points (97.9% liked)
Security
2109 readers
1 users here now
A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.
Rules :
- All instance-wide rules apply.
- Keep it totally legal.
- Remember the human, be civil.
- Be helpful, don't be rude.
Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I don't think Firefox is immune to this, just that because its architecture is different, Anthropic didn't bother coding a bridge for it (given its market share).
The main issue here is that Anthropic violated one of the most important (implicit) tenets of applications in a computer: don't touch other people's shit. Claude.app modified Brave (and others) configuration, adding an extension without user consent. An extension that, by the way, gives full control of the browser to Claude, including reading the DOM for browser tabs unrelated to Claude (for example, the one where you just entered your credit card details).
I can't believe how many decades we got out of just letting all apps have full access to
$HOME. In$current_yearit's our own fault if we don't properly isolate our applications I guess. Android does a pretty good job of it IMO although cross-app intents probably need more protection.Technically, at least as far as the author can tell, it only affects Chromium-based browsers. So Firefox would not be affected (yet).
And only on Mac so far, the app being made with ElectronOS. Not sure what Windows looks like.