[BUG] SECURITY: claude-in-chrome built-in MCP controls browsers cross-device without consent or device pairing + full session inheritance
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
The built-in claude-in-chrome MCP server in Claude Code controls Chrome browser on other devices via the Chrome extension, without explicit authorization or device pairing. Only requirement is same Claude account.
Reproduction
- Machine A (MacBook): Claude Code running with
claude-in-chromebuilt-in MCP connected. Chrome is NOT signed in on this machine. No Chrome sync enabled. - Machine B (Windows laptop, same home network): Chrome with Claude-in-Chrome extension installed (from Sep 2025 research preview). No Claude Code running with
--chrome. - CC on Machine A calls
tabs_create_mcpandnavigate— the tab opens on Machine B's Chrome, not Machine A. - CC on Machine A can take screenshots, fill forms, read page content, and interact with any page on Machine B's Chrome.
- This includes pages with active authenticated sessions (M365, AWS SSO, Salesforce, GCP, etc.).
Evidence
- During a working Chrome session on MacBook a new Chrome Window opened on Windows
- As a test CC on MacBook created a tab and navigated to
bbc.co.uk/weather - Tab appeared on Windows Chrome in the MCP tab group (screenshots available)
- No Chrome sync between devices (verified: not signed into Chrome on MacBook, sync explicitly off on Windows)
- No
--chromeflag on any Windows CC session - Opened new tab on Windows Chrome.
- Navigated to
portal.azure.com. - Inherited full
alexAzure admin session (attached screenshot shows logged-in tab not Azure resources, other screenshots available). - Listed all resources, Azure DevOps orgs, etc.
- Refused further private-endpoint probing (self-limited).
Security Impact
- CRITICAL: A CC session on any device can access authenticated browser sessions on another device via the Chrome extension
- No consent prompt, no device pairing, no notification on the target device
- Authenticated corporate sessions (Azure portal, M365, AWS SSO, etc.) are fully accessible with existing auth cookies
- The CC operator may not even realize which physical browser they're controlling
- Tested: CC on MacBook navigated to portal.azure.com on Windows Chrome and received full authenticated admin access to corporate Azure tenant without any login prompt
- An autonomous agent with /loop could silently access corporate systems on a schedule
Expected Behavior
claude-in-chromeshould only control Chrome on the local machine where CC is running- Cross-device browser control should require explicit device pairing and consent
- At minimum, a notification should appear on the target Chrome when a remote CC connects
Related issues (this is a direct escalation)
- #29814 (SECURITY cross-machine data leak)
- #25551 (connects to wrong browser on LAN)
- #15125 (no way to target specific instance/machine)
Environment
- Claude Code v2.1.72
- macOS Sequoia 15.0.1 (MacBook M1 Pro)
- Windows 11 (laptop) high-priv profile with full M365/AWS/etc sessions
- Same home network, same Claude account
- Chrome extension installed Sep 2025 (research preview)
What Should Happen?
- claude-in-chrome MCP should bind to the Chrome instance on the same machine as the CC process (e.g., via native messaging or localhost). Cross-device routing should not exist as a
default behavior.
- If cross-device is an intentional feature, it must require explicit opt-in with device pairing consent on both ends.
Error Messages/Logs
Steps to Reproduce
- Two devices on same network, same Claude account. Machine A: CC with claude-in-chrome built-in MCP. Machine B: Chrome with Claude extension installed.
- From CC on Machine A, call any claude-in-chrome tool (e.g. tabs_create_mcp, navigate). It executes on Machine B's Chrome.
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.72
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
I have seen this once bofore - MAcBook CCs opening a window on Windows but dismissed it as I had active Windows CCs in Chrome
<img width="1447" height="864" alt="Image" src="https://github.com/user-attachments/assets/e5adb3af-e7c6-4efe-bea7-49c4908613e0" />
<img width="1915" height="1077" alt="Image" src="https://github.com/user-attachments/assets/8fc09452-85a8-4cdb-96f9-488ac5813a40" />
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗