Chrome CVE-2026-0628: Gemini Panel Privilege Escalation Flaw

By alex2404

On November 23, 2025, a researcher at Palo Alto Networks Unit 42 filed a bug report to Google. What he found inside Chrome’s newest AI feature was, by the time a patch arrived, classified as a CVSS 8.8 severity flaw.

The vulnerability, tracked as CVE-2026-0628, lived inside Chrome’s Gemini Live panel — a side panel added to the browser in September 2025 that is served at the chrome://glic URL and loads the gemini.google.com web app inside a WebView component. Researcher Gal Weizman named the attack chain “Glic Jack,” short for Gemini Live in Chrome hijack.

The mechanics are specific. Chrome’s declarativeNetRequest API, the same interface that ad-blocking extensions use to intercept and modify HTTPS requests, was never properly blocked from applying its rules to the WebView component hosting Gemini. That gap meant an extension carrying only a basic permission set could inject arbitrary JavaScript directly into the privileged panel. According to the NIST National Vulnerability Database, an attacker who convinced a user to install a malicious extension could inject scripts or HTML into a privileged page via a crafted Chrome extension.
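The defensive counterpart to the gap described above is auditing which installed extensions hold declarativeNetRequest rules that are not scoped away from the Gemini origin. The following is an added example, not code from the article, Chromium or Unit 42; it is a heuristic that flags traffic-rewriting rules (redirect, modifyHeaders) whose conditions could match requests to gemini.google.com, given manifest and ruleset dicts loaded from an unpacked extension (sample data is constructed inline).

```python
"""Heuristic audit of Chrome extension declarativeNetRequest (dNR) rules that
could reach gemini.google.com, the origin loaded by the chrome://glic panel.
Constructed example (not code from the article, Chromium or Unit 42); works on
manifest/ruleset dicts the caller has loaded from an unpacked extension."""
import re

GEMINI_HOST = "gemini.google.com"
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess", "declarativeNetRequestFeedback"}
RISKY_ACTIONS = {"redirect", "modifyHeaders"}  # rewrite traffic rather than block it

def rule_may_target(rule, host=GEMINI_HOST):
    """True if the rule's condition could match a request to `host`. Heuristic:
    domain lists are honoured (initiator and request host are treated as the same
    for first-party requests from the panel); urlFilter anchors (|, ||, ^) are
    stripped and literal pieces substring-matched; regexFilter runs on a sample URL."""
    cond = rule.get("condition", {})
    for key in ("requestDomains", "initiatorDomains", "domains"):
        if key in cond and not any(host.endswith(d) for d in cond[key]):
            return False
    for key in ("excludedRequestDomains", "excludedInitiatorDomains", "excludedDomains"):
        if any(host.endswith(d) for d in cond.get(key, [])):
            return False
    sample = f"https://{host}/"
    if "urlFilter" in cond:
        literal = cond["urlFilter"].lstrip("|").rstrip("|^").replace("^", "/")
        parts = [p for p in literal.split("*") if p]
        return not parts or any(p in sample for p in parts)
    if "regexFilter" in cond:
        return re.search(cond["regexFilter"], sample) is not None
    return True  # no URL constraint at all: applies to every request

def audit_extension(manifest, rulesets):
    """`rulesets` maps ruleset id -> list of rule dicts. Returns finding strings."""
    findings = []
    if not set(manifest.get("permissions", [])) & DNR_PERMS:
        return findings
    for rs in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        for rule in rulesets.get(rs["id"], []):
            action = rule.get("action", {}).get("type")
            if action in RISKY_ACTIONS and rule_may_target(rule):
                findings.append(f"{rs['id']}#{rule['id']}: {action} rule may apply to {GEMINI_HOST}")
    return findings

# Constructed sample: a "blocker" whose second rule redirects every script
# request and excludes no domains, so it would fire for the Gemini origin too.
SAMPLE_MANIFEST = {"manifest_version": 3, "permissions": ["declarativeNetRequest"],
    "declarative_net_request": {"rule_resources": [{"id": "rs1", "enabled": True, "path": "rules.json"}]}}
SAMPLE_RULESETS = {"rs1": [
    {"id": 1, "action": {"type": "block"}, "condition": {"urlFilter": "||ads.example^"}},
    {"id": 2, "action": {"type": "redirect", "redirect": {"url": "https://example.invalid/x.js"}},
     "condition": {"urlFilter": "*", "resourceTypes": ["script"]}}]}
```

Running `audit_extension(SAMPLE_MANIFEST, SAMPLE_RULESETS)` reports only rule 2; a rule scoped with `excludedRequestDomains` covering google.com would be skipped.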

What an Attacker Could Actually Do

Once inside the panel, the access was substantial. The announcement details that exploitation could enable an attacker to access the victim’s camera and microphone without permission, take screenshots of any website, and read local files on the system. The entire chain starts with a single social-engineering step: getting a user to install the crafted extension.

Weizman described the root cause plainly. “Chromium’s interpretation for what went wrong here is that WebView components — with which chrome://glic embeds Gemini’s web app — were forgotten from being rejected when considering declarativeNetRequest rule appliance,” he wrote on X.

Google patched the flaw in early January 2026 in Chrome version 143.0.7499.192/.193 for Windows and Mac, and 143.0.7499.192 for Linux.

The Broader Problem AI Panels Create

The flaw is specific, but what it exposes is structural. Embedding an AI agent inside a browser requires granting that agent privileged access to the browsing environment — file systems, media hardware, page content — so it can execute multi-step tasks. That same access becomes the liability.

A malicious web page could embed hidden prompts instructing the AI assistant to perform actions the browser would otherwise block, leading to data exfiltration or code execution. The page could even manipulate the agent to store those instructions in memory, causing the behavior to persist across sessions.

“By placing this new component within the high-privilege context of the browser, developers could inadvertently create new logical flaws and implementation weaknesses,” Weizman said. “This could include vulnerabilities related to cross-site scripting, privilege escalation, and side-channel attacks that can be exploited by less-privileged websites or browser extensions.”

The declarativeNetRequest API, in normal use, is a tool for filtering ads. In this case, it was the entry point for taking control of a panel with access to a camera, a microphone, a file system, and every open tab on the screen.


This article is a curated summary based on third-party sources.
