
Google Bans Chrome Extensions That Jailbreak Chatbots Amid Deeper Vulnerability Concerns

Google has removed 18 AI Chrome extensions tied to chatbot-jailbreak and overbroad-permission risks after Palo Alto Networks Unit 42 reported them to the company. The removals, which happened with no coordinated public announcement, are one part of a two-part story. The other part is a separate vulnerability, CVE-2026-0628, disclosed by Unit 42 around the same period, showing that Chrome's extension permission framework has a structural gap the company hasn't fully resolved. These are related but distinct findings, and understanding both matters for anyone who installs browser extensions.

The enforcement happened in late April 2026, per Unit 42's disclosure. Google either removed the extensions from the Chrome Web Store or sent formal policy-violation warnings to their developers. No press release tied these actions together as a coordinated initiative. Taken together, the Unit 42 extension report and the CVE-2026-0628 disclosure suggest a browser permission model that was designed for one kind of browser and is now running inside a different one.

What Google actually did: 18 extensions removed, no announcement

Unit 42 identified 18 AI browser extensions marketed as productivity tools and described them as "not as they seem," according to their research. After reporting all 18 to Google, researchers documented that Google removed them or sent policy-violation warnings to their developers. Because Google did not publicly bundle these actions into one announcement, the enforcement record has to be pieced together from Unit 42's disclosure alone.

The category of harm Unit 42 documented is not limited to chatbot bypassing. The pattern they flagged is overbroad permissions, unexpected data access, and policy violations across extensions that presented themselves as productivity tools. An AI writing assistant requesting host permissions for every domain a user visits is asking for far more than writing assistance requires. That gap between stated purpose and actual permission scope is the signal worth reading.

These two findings are separate. Unit 42's extension report concerns misleading presentation and excessive permissions. CVE-2026-0628, disclosed separately, demonstrates why those permissions carry more weight in a browser that now runs AI natively. The removed extensions were not documented as exploiting CVE-2026-0628; the vulnerability disclosure explains the broader context in which overbroad permissions become a serious risk.

Chrome Safety Check on desktop can notify users when installed extensions may pose a security risk and routes them to the extensions management page, per a Google Chrome safety update from nearly two years ago. That mechanism catches what researchers have already found. For users, the most revealing signal is often the permission list rather than the extension's name or description.

The Chrome extension chatbot security flaw behind the bigger concern

A separate finding, CVE-2026-0628, helps explain why extension permissions matter more when Chrome exposes native AI components.

A Chrome extension holding two permissions that individually appear routine, declarativeNetRequest and host access to gemini.google.com, could intercept Chrome's native Gemini Live panel. Once inside that panel, the extension could access the user's camera, microphone, and local files, and take screenshots of any HTTPS page open at the time. As Extenshi summarized from Unit 42's research: "Not access to a website. Access through the browser itself."

Unit 42 put the distinction plainly, as quoted via Extenshi: "An extension influencing a website is expected. However, an extension influencing a component that is baked into the browser is a serious security risk." That distinction is what makes CVE-2026-0628 categorically different from a standard extension abuse case. Extensions have always been able to read and modify web pages; that is the designed function. Reaching a privileged AI component running beneath any webpage is something else. Unit 42's research, as summarized by Extenshi, characterized CVE-2026-0628 as an early example of a new vulnerability class: extensions gaining unintended access to privileged browser components rather than ordinary web content.

Manifest V3, Google's overhaul of the extension API framework, was designed to constrain abuse surface by replacing flexible scripting APIs with declarative ones. Under MV3, the declarativeNetRequest API was expanded to support up to 330,000 static rules and 30,000 dynamic ones, per the Google Chromium Blog. The sources suggest a mismatch between Manifest V3's threat model and browser-native AI components with elevated privileges: the constraints function as designed until the resource being intercepted carries permissions that no ordinary webpage carries.

On the timeline: Unit 42 reported the issue to Google on October 23, 2025. Google patched it in early January 2026. Public disclosure followed on March 2, per Extenshi's summary. No active exploitation of this specific vulnerability has been publicly reported. Users on current Chrome builds are not exposed to CVE-2026-0628.

The broader class of risk it represents is a different question.

Google's response: what's in place and where the gaps remain

Google's December 2025 security post describes a layered architecture for agentic Chrome built around one identified primary threat: indirect prompt injection, where malicious instructions embedded in web content, ads, or user-generated material direct an agent to take unwanted actions such as initiating financial transactions or exfiltrating sensitive data, per the Google Security Blog.

Worth noting: Google's agentic-browser defenses address prompt injection and user-action control. The extension permission issue concerns a different boundary, permission scope versus privileged browser components. The two sit side by side in the security picture, but they are not the same problem.

The User Alignment Critic is the centerpiece of Google's prompt-injection defense. According to Google's security team, it's a separate Gemini-based model that runs after planning is complete, reviews each proposed agent action, and vetoes ones that don't align with the user's stated goal. It is architected to see only metadata about the proposed action, not raw web content, so it cannot be manipulated by the same injection attacks it is built to catch, per the Google Security Blog.

The user controls Google describes are specific. Before navigating to sensitive sites like banking or medical portals, the agent requires explicit confirmation. Before signing into any site via Password Manager, it confirms again; the planning model has no direct access to stored passwords. Before completing consequential actions like purchases or sending messages, the agent pauses for user approval. Users can stop any task at any point, according to the Google Security Blog.

Google has also updated its Vulnerability Rewards Program to pay up to $20,000 for demonstrated breaches of agentic security boundaries, and cites Chrome's auto-update infrastructure as the primary mechanism for fast remediation. The CVE-2026-0628 timeline confirms the pipeline works. It also illustrates a limitation fast patching alone cannot close. Users who had deferred update notifications were exposed for weeks between the January patch and the March public disclosure, with no way of knowing it, per Extenshi's account. For users who delay updates, fast patching still leaves an exposure window.

What to watch going forward

The clearest lesson from the 18 flagged extensions is that the permission list is what to read, not the name, the description, or the rating. An extension requesting host access to gemini.google.com, claude.ai, or any domain where browser-native AI features operate is asking for access at a level that warrants a direct question: what legitimate function requires that? Chrome Safety Check will surface known risks, per the September 2024 safety update. Extensions that researchers haven't flagged yet won't appear in that database.
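
Reading the permission list can be done mechanically. The sketch below is an added example, not code from Unit 42, Google, or the article's sources: it takes a parsed extension manifest.json and flags all-sites host access, host access to the two AI domains named above, and the declarativeNetRequest plus gemini.google.com pairing described in the CVE-2026-0628 section. The function names, finding labels, and sample manifests are assumptions made for illustration.

```python
import re

# Hostnames the article names as places where browser-native AI features operate.
AI_HOSTS = ("gemini.google.com", "claude.ai")
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
MATCH_PATTERN = re.compile(r"^(\*|https?|wss?|ftp|file)://([^/]*)/")

def covers(pattern, host):
    """Return True if a Chrome match pattern grants access to `host`."""
    if pattern == "<all_urls>":
        return True
    m = MATCH_PATTERN.match(pattern)
    if not m:
        return False
    spec = m.group(2)
    if spec == "*":
        return True
    if spec.startswith("*."):  # wildcard covers the base domain and its subdomains
        return host == spec[2:] or host.endswith(spec[1:])
    return spec == host

def host_patterns(manifest):
    """Collect host grants from MV3 keys and MV2-style `permissions` entries."""
    pats = list(manifest.get("host_permissions", []))
    pats += manifest.get("optional_host_permissions", [])
    pats += [p for p in manifest.get("permissions", []) if p == "<all_urls>" or "://" in p]
    return pats

def audit(manifest):
    """Return sorted findings for one parsed manifest.json (a dict)."""
    pats = host_patterns(manifest)
    findings = set()
    # A pattern that matches an arbitrary reserved hostname matches every site.
    if any(covers(p, "anything.invalid") for p in pats):
        findings.add("all-sites host access")
    ai = [h for h in AI_HOSTS if any(covers(p, h) for p in pats)]
    findings.update(f"host access to {h}" for h in ai)
    if "gemini.google.com" in ai and DNR_PERMS & set(manifest.get("permissions", [])):
        findings.add("declarativeNetRequest + gemini.google.com")
    return sorted(findings)

# Constructed sample manifests (not real extensions).
WRITER = {"manifest_version": 3, "name": "Constructed AI writer",
          "permissions": ["storage", "declarativeNetRequest"],
          "host_permissions": ["<all_urls>"]}
NARROW = {"manifest_version": 3, "name": "Constructed notes tool",
          "permissions": ["storage"],
          "host_permissions": ["https://docs.example.com/*"]}

if __name__ == "__main__":
    for sample in (WRITER, NARROW):
        print(sample["name"], "->", audit(sample) or "no findings")
```

A finding is a prompt to ask what legitimate function needs that access, not proof of abuse; content-script `matches` entries are not examined here.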

The forward-looking question is structural. Chrome's extension permission framework was built to govern what extensions could do to websites. Google has since built AI directly into the browser itself, running at a depth that websites don't reach. Unit 42's research identified CVE-2026-0628 as an early example of a new vulnerability class. Whether Google updates the extension permission model to reflect what browser-native AI actually exposes, rather than what web pages expose, is the question that this enforcement action doesn't answer.
