Executive Summary
- Rebora Security Research has discovered two critical vulnerabilities in SiderAI & MaxAI Chrome extensions.
- The extensions are supported by every Chrome-like browser and are jointly installed across more than 10,000,000 devices.
- SiderAI features in the “Chrome Web Store Top 25 Popular Extensions” chart.
- Abusing these vulnerabilities allows attackers to compromise all browser sessions across any website, leading to the leakage of sensitive information, the invocation of arbitrary commands, and even account takeover. Furthermore, there was a potential risk of stealing files from the underlying operating system.
- Attempts to contact the vendors regarding these vulnerabilities failed. Given the high severity, we decided to make this information public so users are aware of the risk.
- Additionally, as the official owner of the Chrome Web Store, Google’s security teams were informed of this.
To check whether you have these extensions installed, visit the following links. If a page includes a “Remove” button, you have the extension installed and should remove it:
- https://chromewebstore.google.com/detail/sider-chat-with-all-ai-gp/difoiogjjojoaoomphldepapgpbgkhkb
- https://chromewebstore.google.com/detail/maxai-ask-ai-anything-as/mhnlakgilnojmhinhkckjpncpbhabphi
To dive deeper into the technical aspects of this research, refer to the MaXSS / Spyder technical blogs.
Intro
Rebora Security Research found two significant vulnerabilities impacting millions of browser users. These vulnerabilities were found in two different Chrome extension agentic side panels - a new breed of AI-driven products.
In this blog post, we’ll cover agentic side panels and their popularity. Then, we’ll introduce our security research on two of them and present two critical flaws we found. These flaws can allow attackers to completely compromise browsers.
The vulnerabilities, found in SiderAI & MaxAI and dubbed “Spyder” & “MaXSS” (respectively), were both disclosed to the vendors as part of a responsible process of securing millions of users. Neither vendor ever replied, leaving these products still vulnerable in their current public versions.
Finally, we’ll discuss our conclusions and how these findings shaped our perception of endpoint posture security.
What are agentic side panels?
It’s hard to keep track of every new breed of AI-driven product that comes to life. One in particular that gained significant focus in the past few years is Chrome extension agentic side panels.
Agentic side panels aspire to enhance your browsing experience by leveraging AI.
The idea manifests as a browser extension that injects code into any website users visit. Then, across those sites, users can enable the extension’s side panel, which lets them navigate the site using AI. That is, it can help you understand the site’s contents by summarizing them, reasoning about images embedded on the site, answering questions about it, or letting you prompt it to perform actions using AI.

The value these extensions provide in the browser goes beyond just the side panel. For example, by visiting their web app, the user can access more advanced features that rely less on website-specific context.
With over 7,000,000 installations, Claude in Chrome is an example of an agentic side panel most people would be familiar with. However, as it turns out, there are alternatives with even more installations.
In this research, we focused on two specifically:
SiderAI
10,000,000 installations (Chrome & Edge stores)

MaxAI
1,000,000 installations (Chrome & Edge stores)

How are agentic side panels implemented?
Agentic side panels are standard Chrome extensions that are composed of a few dominant components, mainly a content-script and the background process.
Each website the user visits is injected with a content-script by the extension. That’s the component that has access to what the user sees and can tell the extension what to summarize, what to modify, and what content can be acted upon.
The background process is like the extension’s backend. By sending/receiving messages to/from the different content-scripts, it’s basically the component that “calls the shots”.
While content-scripts have access to view and modify the webpage the user sees, they run in an isolated context, so the JavaScript served as part of the webpage can’t interfere with the extension’s content-scripts. This is a security boundary. Without it, webpages could tap into the content-scripts’ context or get them to do stuff they’re not supposed to.
That being said, webpage JavaScript and content-scripts should still be able to communicate - which they can - but they must do so securely.

Another way to think about it is to look at the content-script as the entity that mediates between the background and the webpage.
Having a pretty sensitive role, content-scripts are where significant mistakes can happen.
How was the mediator abused?
One way in which content-scripts do their job is by accepting input coming from the webpage and acting upon it. However, if the input is not sanitized/checked properly, the webpage can convince the content-script to do things it wasn’t supposed to.
This notion manifested in both extensions.
MaXSS
With MaxAI, the content-script was designed to be capable of asking the background to run arbitrary commands such as opening new tabs, taking screenshots of them, and more. These requests were made using the standard browser-extension messaging mechanism.
From a product perspective, this served MaxAI’s purpose of activating agentic capabilities to harness AI and enhance the user’s browsing experience.
The problem was that MaxAI’s content-script made the mistake of accepting such sensitive messages even when they were coming from the webpage and forwarding them to the background.
This allowed arbitrary websites to force the content-script to ask the background to do just about anything the extension can.
Furthermore, we were able to exploit some of the exposed powers and execute code on arbitrary sites.
As we demonstrated, an attacker could have abused this communication channel to take over any website through the user’s browser. In our demo, we showed how we were able to:
- Open hidden tabs to the victim’s Google Calendar and Gmail, and capture a screenshot of them
- Open hidden tabs to the victim’s Claude and ChatGPT account, invoke a prompt to dump the AI’s memory of the victim, and then capture a screenshot of the responses
Spyder
With SiderAI, the content-script was designed to be capable of embedding arbitrary websites when the user requests it. This is to provide summaries of the embedded websites, but also to manipulate them according to the user’s demands by invoking clicking/typing gestures.

However, we were able to synthesize an artificial event that activated this functionality from the perspective of a benign webpage, allowing us to force clicking/typing gestures on any arbitrary website.
As we demonstrated, an attacker could have abused this communication channel to take over any website through the user’s browser. In our demo, we showed how we were able to:
- Open a hidden embedment of the victim’s Gemini account
- Type in a prompt to dump the AI’s memory of the victim
- Once done, click the “share” button to make the conversation public
- Leak the shareable link outside the embedment into the hands of the attacker
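The checks a content-script relay needs before forwarding page input to the background, as an added example that is not code from MaxAI, SiderAI or the original research. It covers both the forwarded-message flaw described under MaXSS and the synthesized-event flaw described under Spyder; the origin, the command names and the `pageWindow` stand-in are hypothetical.

```javascript
// Added example, not MaxAI or SiderAI code. Origins and command names are hypothetical.
const TRUSTED_ORIGINS = new Set(["https://app.vendor.example"]); // assumed vendor web app
const PAGE_COMMANDS = new Set(["GET_VERSION", "OPEN_SIDE_PANEL"]); // low-risk commands only

// Naive relay: whatever the page posts goes to the background unchanged.
function naiveRelay(event, sendToBackground) {
  sendToBackground(event.data);
  return "forwarded";
}

// Hardened relay: returns "forwarded" or the reason the message was dropped.
function hardenedRelay(event, sendToBackground, pageWindow) {
  if (event.isTrusted !== true) return "dropped: synthetic event";
  if (event.source !== pageWindow) return "dropped: wrong source window";
  if (!TRUSTED_ORIGINS.has(event.origin)) return "dropped: origin not allowed";
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || typeof msg.command !== "string") {
    return "dropped: malformed message";
  }
  if (!PAGE_COMMANDS.has(msg.command)) return "dropped: command not exposed to pages";
  // Rebuild the message so unexpected fields never reach the background.
  sendToBackground({ command: msg.command, fromPage: true });
  return "forwarded";
}

// Constructed sample events; pageWindow stands in for `window` in a content script.
const pageWindow = { name: "top-level page" };
const SAMPLES = [
  { isTrusted: true, source: pageWindow, origin: "https://app.vendor.example",
    data: { command: "GET_VERSION", extra: "ignored" } },
  { isTrusted: true, source: pageWindow, origin: "https://untrusted.example",
    data: { command: "CAPTURE_TAB" } },
  { isTrusted: true, source: pageWindow, origin: "https://app.vendor.example",
    data: { command: "CAPTURE_TAB" } },
  { isTrusted: false, source: pageWindow, origin: "https://app.vendor.example",
    data: { command: "GET_VERSION" } },
  { isTrusted: true, source: { name: "iframe" }, origin: "https://app.vendor.example",
    data: { command: "GET_VERSION" } },
];

// Run every sample through a relay; report verdicts and what reached the background.
function runSamples(relay) {
  const delivered = [];
  const verdicts = SAMPLES.map((ev) => relay(ev, (m) => delivered.push(m), pageWindow));
  return { verdicts, delivered };
}

console.log(runSamples(naiveRelay).delivered.length, "forwarded by the naive relay");
console.log(runSamples(hardenedRelay).verdicts);
```

In a real content script the relay would be registered with `window.addEventListener("message", ...)` and `sendToBackground` would wrap `chrome.runtime.sendMessage`. The background should still validate what it receives rather than rely on the relay alone.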
What risks are organizations exposed to?
Since the extensions require a wide set of permissions, those permissions were sufficient to perform highly impactful attacks such as taking screenshots of arbitrary websites, running code under their context, and, in some cases, potentially reading arbitrary files from the underlying operating system.
This could have manifested in all sorts of terrifying attack scenarios, such as:
- Reading emails, correspondence, sheets, documents, drive files, etc.
- Sending emails, uploading files, changing states, updating documents/sheets, etc.
- Stealing authentication tokens of every web service to perform an account takeover
- Stealing/invoking prompts against AI systems such as Claude, Gemini, ChatGPT, etc.
All of these are sufficient to fully compromise individuals’ online identities and assets, let alone to infiltrate and compromise organizations’ precious assets and IP entirely.
Refer to the technical blogs from MaXSS / Spyder to further study the impact.
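One way to triage an extension’s `manifest.json` for the permission breadth behind the impacts described above (screenshots, code execution, file access), as an added example that is not from the original research. The sample manifests and the severity thresholds are constructed for illustration and are not the manifests of SiderAI or MaxAI.

```javascript
// Added example: flag the permission breadth behind the impacts described above.
// Field names follow Manifest V3; the manifests below are constructed samples.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const isBroad = (p) => BROAD.has(p);
// <all_urls> also covers file://, subject to the user's "Allow access to file URLs" toggle.
const coversFiles = (p) => p === "<all_urls>" || p.startsWith("file://");

function triageManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const hosts = manifest.host_permissions || [];
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const findings = [];
  if (injected.some(isBroad)) findings.push("content script runs on every site");
  if (hosts.includes("<all_urls>")) findings.push("tab screenshots without activeTab");
  if (hosts.some(isBroad) && perms.has("scripting")) findings.push("script injection into any site");
  if ([...hosts, ...injected].some(coversFiles)) findings.push("file:// URLs in scope");
  // Severity thresholds are an assumption of this example, not a standard.
  const severity = findings.length >= 3 ? "high" : findings.length > 0 ? "review" : "low";
  return { name: manifest.name, severity, findings };
}

const SAMPLE_BROAD = {
  name: "Example AI Side Panel", manifest_version: 3,
  permissions: ["scripting", "sidePanel", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const SAMPLE_NARROW = {
  name: "Example Docs Helper", manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://docs.vendor.example/*"],
  content_scripts: [{ matches: ["https://docs.vendor.example/*"], js: ["content.js"] }],
};

for (const m of [SAMPLE_BROAD, SAMPLE_NARROW]) console.log(triageManifest(m));
```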
How wide is the blast radius?
These flaws are a lethal combo of:
- Widely adopted - installed on over 10 million devices.
- Easily exploitable - no user interaction is required and the attacks are completely invisible; the victim simply has to visit a malicious website.
- Highly impactful - short of escaping the browser to run code on the underlying operating system, the impact achieved (from the starting point of a simple website) is as bad as it gets.
Takeaways
The story is about more than just two vulnerable Chrome extensions - it’s about software evolution in general and its impact on the endpoint. It’s natural for employees to want to explore AI-driven software, which could amplify the impact they can deliver. This should be encouraged, not suppressed.
However, AI has affected software in two prominent ways:
- Most software is now being written using AI
- There is a new breed of products that are driven by AI
This manifests everywhere software exists - websites, extensions, browsers, applications, and anywhere in its lifecycle, from supply chain to runtime.
All of which converge at the endpoint.
Since the AI component makes defending software far more complex, this shift turns the endpoint into the most exposed component of the AI era.