root@rebel:~$ cd /news/threats/chrome-gemini-live-hijacking-malicious-extension-vulnerability_
[TIMESTAMP: 2026-03-02 16:19 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Chrome Gemini Live Hijacking: Malicious Extension Vulnerability

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Malicious browser extensions can hijack Gemini Live sessions to spy on users and exfiltrate private files.
  • [02] Google Chrome users utilizing the Gemini Live AI assistant and installing third-party extensions are at risk.
  • [03] Organizations should audit browser extension permissions and restrict AI assistant access to sensitive local file systems.

The integration of Large Language Models (LLMs) into daily browsing workflows has introduced a novel attack surface that security teams must now account for. Specifically, a vulnerability discovered in Google Chrome’s Gemini Live AI assistant highlights how traditional browser extension risks are evolving to encompass AI-driven data theft. According to SecurityWeek, malicious extensions could hijack the Gemini Live feature to monitor user interactions and exfiltrate private files.

Technical Analysis of Gemini Live Session Hijacking

Modern browsers rely on extensions to enhance functionality, but these components often possess broad permissions to read and modify site data. When an AI assistant like Gemini Live is embedded into the browser environment, it operates within a context that may be accessible to these extensions via content scripts. This specific flaw allowed a malicious extension to intercept the communication flow between the user and the AI, effectively bridging the gap between the assistant’s private interface and the attacker’s C2 infrastructure.

The primary concern regarding Google Chrome Gemini Live security risks involves the exploitation of the extension’s capability to inject scripts into the browser’s user interface. If an extension can read the content of the Gemini sidebar, it can capture the history of a conversation, which often contains sensitive personal or corporate data. Furthermore, the ability to hijack the assistant implies that an attacker could potentially feed malicious prompts to the AI—a technique known as indirect prompt injection—leading the AI to perform unauthorized actions or disclose sensitive system information without the user’s knowledge.

Mitigating Malicious Chrome Extension Threats

Security professionals must recognize that browser extensions are a significant vector for phishing and data exfiltration. Unlike a traditional CVE that targets a buffer overflow or a specific RCE bug, this vulnerability leverages the intended functionality of extensions to abuse the emerging AI layer. To protect the SOC from such threats, organizations need to update their endpoint security policies to include AI-specific safeguards.

How to prevent AI assistant hijacking

To protect against these types of vulnerabilities, security teams should implement several layers of defense. First, restrictive extension policies are vital. Organizations should transition toward a Zero Trust model for browser management, where only pre-approved extensions are allowed on corporate endpoints. This prevents the installation of unverified tools that might contain hidden malicious logic.

Furthermore, monitoring for unusual data flows from the browser to unknown external domains can help identify a compromised extension. EDR solutions should be configured to flag suspicious extension activity, such as frequent access to the browser’s local storage or unauthorized DOM manipulation within the AI assistant’s interface. Integrating browser logs with a SIEM can provide the visibility needed to detect these stealthy exfiltration attempts.
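One way to run the extension audit described above: check each installed extension against an allowlist and flag the broad page access that content-script abuse depends on. This is an added example, not code from the article or from Google; the extension IDs, names, finding labels and the list of permissions to review are constructed assumptions.

```python
import json

# Constructed allowlist: placeholder 32-character IDs, not real extensions.
APPROVED_IDS = {"a" * 32}
# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions picked for this example as worth manual review (assumption).
REVIEW_PERMS = {"scripting", "tabs", "webRequest", "debugger", "cookies", "history"}

def audit_manifest(ext_id, manifest):
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    findings = []
    if ext_id not in APPROVED_IDS:
        findings.append("not-on-allowlist")
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= set(manifest.get("optional_host_permissions", []))
    hosts |= {p for p in perms if p == "<all_urls>" or "://" in p}
    if hosts & BROAD_HOSTS:
        findings.append("broad-host-access")
    for perm in sorted(perms & REVIEW_PERMS):
        findings.append(f"review-permission:{perm}")
    # Content scripts matching every site can read and modify any page's DOM.
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            findings.append("content-script-on-all-sites")
            break
    return findings

def audit_all(installed):
    """Map extension ID -> findings, keeping only extensions with findings."""
    report = {i: audit_manifest(i, json.loads(raw)) for i, raw in installed.items()}
    return {i: f for i, f in report.items() if f}

# Constructed sample input: two manifest.json bodies keyed by placeholder ID.
SAMPLE = {
    "a" * 32: json.dumps({"manifest_version": 3, "name": "Approved Notes",
                          "permissions": ["storage"],
                          "host_permissions": ["https://notes.example.com/*"]}),
    "b" * 32: json.dumps({"manifest_version": 3, "name": "Free PDF Helper",
                          "permissions": ["scripting", "tabs", "storage"],
                          "host_permissions": ["<all_urls>"],
                          "content_scripts": [{"matches": ["*://*/*"],
                                               "js": ["inject.js"]}]}),
}

if __name__ == "__main__":
    for ext_id, findings in audit_all(SAMPLE).items():
        print(ext_id, findings)
```

In practice the `installed` mapping would be built from the `manifest.json` files collected from each managed browser profile, and the findings forwarded to the SIEM alongside browser logs.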

The Impact of AI Assistant Exploitation

The risk profile for AI hijacking is distinct because of the high-value data processed by LLMs. Users often treat AI assistants as confidants, sharing proprietary code, draft financial reports, or internal strategy documents. If a malicious actor successfully intercepts these sessions, the impact mirrors a major data breach without the need for lateral movement within the internal network.

From a MITRE ATT&CK perspective, this technique aligns with “Browser Extensions” (T1176). The attacker gains a persistent foothold within the browser, allowing for continuous data collection as long as the extension remains active. Even if the vulnerability did not involve a traditional XSS payload, the outcome remains the same: unauthorized access to sensitive user data. Security practitioners must prioritize the audit of extensions that interact with productivity-focused AI tools to ensure organizational data remains protected.
