
"Tracked as CVE-2026-0628 and deemed high severity, the vulnerability is described as an 'insufficient policy enforcement in WebView tag in Google Chrome' issue that, prior to version 143.0.7499.192 of the browser, 'allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension.'"
"The team found that an extension with access to a basic permission set, via the declarativeNetRequest API, could grant permissions that an attacker could exploit to inject JavaScript code into the new Gemini panel browser component."
"If, for example, an attacker can convince a target to download and install an innocent-looking browser extension, a malicious extension could exploit the policy problem to hijack Gemini. The AI assistant may then take action without permission, including granting a cybercriminal access to webcams and microphones, taking screenshots, and accessing local files and directories."
A high-severity vulnerability (CVE-2026-0628) has been discovered in Google Chrome's Gemini AI feature, affecting versions prior to 143.0.7499.192. The flaw is insufficient policy enforcement in the WebView tag, which lets an attacker who convinces a user to install a malicious extension inject scripts or HTML into a privileged page. An extension holding only a basic permission set can abuse the declarativeNetRequest API to inject JavaScript into the Gemini panel. A hijacked assistant could then, without the user's permission, access the webcam and microphone, take screenshots, read local files and directories, and be used for phishing. Users should update Chrome to 143.0.7499.192 or later to patch this vulnerability.
#chrome-security-vulnerability #gemini-ai-feature #malicious-extensions #data-privacy #browser-security
Read at ZDNET