[BUG] SECURITY: claude-in-chrome built-in MCP controls browsers cross-device without consent or device pairing + full session inheritance

Resolved 💬 2 comments Opened Mar 13, 2026 by alexharlxa Closed Apr 11, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

The built-in claude-in-chrome MCP server in Claude Code controls Chrome browser on other devices via the Chrome extension, without explicit authorization or device pairing. Only requirement is same Claude account.

Reproduction

  1. Machine A (MacBook): Claude Code running with claude-in-chrome built-in MCP connected. Chrome is NOT signed in on this machine. No Chrome sync enabled.
  2. Machine B (Windows laptop, same home network): Chrome with Claude-in-Chrome extension installed (from Sep 2025 research preview). No Claude Code running with --chrome.
  3. CC on Machine A calls tabs_create_mcp and navigate — the tab opens on Machine B's Chrome, not Machine A.
  4. CC on Machine A can take screenshots, fill forms, read page content, and interact with any page on Machine B's Chrome.
  5. This includes pages with active authenticated sessions (M365, AWS SSO, Salesforce, GCP, etc.).

Evidence

  • During a working Chrome session on MacBook a new Chrome Window opened on Windows
  • As a test CC on MacBook created a tab and navigated to bbc.co.uk/weather
  • Tab appeared on Windows Chrome in the MCP tab group (screenshots available)
  • No Chrome sync between devices (verified: not signed into Chrome on MacBook, sync explicitly off on Windows)
  • No --chrome flag on any Windows CC session
  • Opened new tab on Windows Chrome.
  • Navigated to portal.azure.com.
  • Inherited full alex Azure admin session (attached screenshot shows logged-in tab not Azure resources, other screenshots available).
  • Listed all resources, Azure DevOps orgs, etc.
  • Refused further private-endpoint probing (self-limited).

Security Impact

  • CRITICAL: A CC session on any device can access authenticated browser sessions on another device via the Chrome extension
  • No consent prompt, no device pairing, no notification on the target device
  • Authenticated corporate sessions (Azure portal, M365, AWS SSO, etc.) are fully accessible with existing auth cookies
  • The CC operator may not even realize which physical browser they're controlling
  • Tested: CC on MacBook navigated to portal.azure.com on Windows Chrome and received full authenticated admin access to corporate Azure tenant without any login prompt
  • An autonomous agent with /loop could silently access corporate systems on a schedule

Expected Behavior

  • claude-in-chrome should only control Chrome on the local machine where CC is running
  • Cross-device browser control should require explicit device pairing and consent
  • At minimum, a notification should appear on the target Chrome when a remote CC connects

Related issues (this is a direct escalation)

  • #29814 (SECURITY cross-machine data leak)
  • #25551 (connects to wrong browser on LAN)
  • #15125 (no way to target specific instance/machine)

Environment

  • Claude Code v2.1.72
  • macOS Sequoia 15.0.1 (MacBook M1 Pro)
  • Windows 11 (laptop) high-priv profile with full M365/AWS/etc sessions
  • Same home network, same Claude account
  • Chrome extension installed Sep 2025 (research preview)

What Should Happen?

  • claude-in-chrome MCP should bind to the Chrome instance on the same machine as the CC process (e.g., via native messaging or localhost). Cross-device routing should not exist as a

default behavior.

  • If cross-device is an intentional feature, it must require explicit opt-in with device pairing consent on both ends.

Error Messages/Logs

Steps to Reproduce

  1. Two devices on same network, same Claude account. Machine A: CC with claude-in-chrome built-in MCP. Machine B: Chrome with Claude extension installed.
  2. From CC on Machine A, call any claude-in-chrome tool (e.g. tabs_create_mcp, navigate). It executes on Machine B's Chrome.

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.72

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

I have seen this once bofore - MAcBook CCs opening a window on Windows but dismissed it as I had active Windows CCs in Chrome

<img width="1447" height="864" alt="Image" src="https://github.com/user-attachments/assets/e5adb3af-e7c6-4efe-bea7-49c4908613e0" />

<img width="1915" height="1077" alt="Image" src="https://github.com/user-attachments/assets/8fc09452-85a8-4cdb-96f9-488ac5813a40" />

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗