Rogue Chrome Extension Could Hijack Gemini Live Panel, Expose Cameras and Files, Researchers Warn

CyberDefender 9 mins0

In early 2026, researchers from Palo Alto Networks Unit 42 disclosed a high-severity security vulnerability in the implementation of the Gemini Live in Chrome panel — an AI-powered assistant integrated into the Google Chrome browser. This flaw, tracked as CVE-2026-0628, had the potential to allow malicious browser extensions to hijack the Gemini Live panel and escalate privileges to perform actions far beyond their intended scope.

1. Background: AI Integration in Modern Browsers

Modern web browsers are evolving beyond simple page rendering engines. With the rise of “agentic” browsers — browsers that embed advanced artificial intelligence assistants — users get contextual summarization, automated workflow help, and multimodal interactions directly within the browser UI. Google’s Gemini Live in Chrome feature is one such implementation: a side panel that injects an AI assistant capable of interacting with active tabs, interpreting page content, and executing multi-step tasks.

By design, Gemini Live runs as a privileged component of the browser. Unlike normal web pages, it can interact with sensitive browser APIs — including camera/microphone access, file access, screenshots, and more — to fulfill complex AI tasks. While convenient for productivity, this increased privilege also broadens the browser’s attack surface.

2. Vulnerability Overview: CVE-2026-0628

At the core of CVE-2026-0628 is a flaw in how Chrome integrates and secures the Gemini Live panel’s WebView component — a browser-internal view used to display the AI interface sourced from gemini.google.com. The vulnerability stems from inadequate isolation controls between untrusted extension injection capabilities and the privileged context in which Gemini Live executes.

2.1. Exploitation Vector

Chrome extensions operate under a strict permission model. Typical extensions using the declarativeNetRequests API can intercept and modify network requests matching defined rules. These modifications are normally limited to manipulating content within standard browser tabs. However:

  • The Gemini Live panel loads its AI interface via an internal WebView component.
  • Because of a flaw in policy enforcement, extensions with basic network modification permissions could also intercept WebView traffic destined for the Gemini panel.
  • This interception could allow the extension to inject arbitrary JavaScript/HTML into the panel’s origin while the AI interface was loading.

In effect, a relatively unprivileged extension could slip custom code into a highly privileged part of the browser — something the Chrome extension model is explicitly designed to prevent.

3. Privilege Escalation: From Harmless Extension to Powerful Agent

Once code injection into the Gemini Live panel was possible, the injected payload inherited the privileges of the AI interface environment. This is significant because Gemini Live isn’t treated as a standard web page; it is trusted with elevated capabilities required for delivering AI assistance. Potential impacts included:

  • Unauthorized access to camera and microphone
    Malicious code could activate media devices without prompting the user for consent.
  • Screenshot capture of any website
    The injected code could cause the panel to take screenshots of the user’s active tabs, potentially exposing sensitive information.
  • Local filesystem access
    The panel’s privileged APIs could be tricked into exposing or manipulating local files and directories.
  • Phishing and content spoofing
    Because the panel appears as a trusted, built-in part of the Chrome UI, manipulating its content could trick users into believing malicious prompts or dialogs are genuine.

Collectively, these actions represent a complete breach of the browser’s privilege model, circumventing the security boundary between untrusted extensions and high-privileged browser components.

4. Technical Cause: Policy Enforcement Deficiency

The vulnerability is fundamentally rooted in insufficient policy enforcement of the WebView component used by Gemini Live. Specifically:

  • The declarativeNetRequests API was not restricted from targeting WebView traffic destined for the Gemini panel.
  • Chrome’s internal WebView policy mistakenly treated these requests as equivalent to normal webpage requests.
  • As a result, extensions could influence content loaded into the panel in ways that should have been blocked due to context and privilege differences.

This discrepancy between expected API behavior and actual enforcement created an unintended escalation path from extension to privileged process.

5. Responsible Disclosure and Mitigation

Researchers from Unit 42 responsibly disclosed the vulnerability to Google on October 23, 2025. Google acknowledged the issue and released a patch in early January 2026:

  • Chrome versions 143.0.7499.192/.193 (Windows/macOS) and 143.0.7499.192 (Linux) include the fix that properly restricts extension influence over the Gemini Live WebView.

5.1. Recommendations for Users and Administrators

  • Update Chrome immediately to versions including the security patch.
  • Audit and restrict extensions — especially those requiring network request modification capabilities.
  • Implement allow-listing for trusted extensions in enterprise environments.

Unit 42 also recommends that, where feasible, organizations treat agentic browser features as high-risk infrastructure, and enforce strict extension governance to limit exposure.

6. Broader Security Implications

CVE-2026-0628 highlights a broader trend in cybersecurity: as browsers integrate more advanced AI capabilities and deeper system access, the boundaries that once protected core components from untrusted code are thinning. Features like Gemini Live necessitate new security models that account for:

  • AI agent privileges beyond standard web content
  • Trust boundaries between browser internals and extension code
  • Expanded attack surfaces due to real-time content processing

Security researchers emphasize that innovation can’t come at the expense of robust security, and that AI-driven browser features must be engineered with hardened guardrails from inception.

7. Conclusion

The CVE-2026-0628 vulnerability in Google Chrome’s Gemini Live panel serves as a technical case study in how integration of powerful AI features can introduce critical security risks when internal enforcement mechanisms fall short. A seemingly benign extension with basic network-modifying permissions was able to leverage a design flaw to influence a privileged browser component — something that should be impossible under a properly isolated extension model. The incident underscores the importance of defense-in-depth and proactive vulnerability research in emerging AI-centric platforms.

CyberDefender