Fetching from the wire…
Top 5 · 2026-03-11 · source-backed
Palo Alto Unit 42 disclosed a CVSS 8.8 vulnerability in Chrome's built-in Gemini panel that demonstrates a fundamentally new attack surface. A malicious extension using only basic ad-blocker-level permissions (declarativeNetRequests API) could inject JavaScript into the privileged Gemini side panel, escalating to: camera/microphone access without consent, local file system access, screenshot capture, and phishing via the hijacked panel. The attack required only installing the extension and clicking the Gemini button — zero additional interaction. Patched in Chrome 143.0.7499.192, but the lesson is architectural: embedding AI into browsers creates privilege escalation surfaces that don't exist in traditional browser security models. Unit 42 | The Hacker News
Each link below shares sources, entities, or timing with this story.
Gemini uses Chrome / Shared entities / Same source / Shared topic / What happened next
Linked by a graph relationship (Gemini uses Chrome); both cover Chrome, CVE, Gemini, Unit; cite the same source (Unit 42).
Gemini uses Chrome / Shared entities / Same source domain / Earlier coverage
Linked by a graph relationship (Gemini uses Chrome); both cover CVE, Gemini, The Hacker News; reported by the same outlet (thehackernews.com).
Chrome supports WebMCP / Shared entities / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Chrome supports WebMCP); both cover Chrome, JavaScript; overlapping topics (access, browser, chrome).
Gemini uses Chrome / Shared entities / Same source domain / Shared topic / What happened next
Linked by a graph relationship (Gemini uses Chrome); both cover Chrome, CVE, CVSS; reported by the same outlet (thehackernews.com).
Gemini uses Chrome / Shared entities / What happened next
Linked by a graph relationship (Gemini uses Chrome); both cover CVE, Gemini, The Hacker News; picks up the CVE thread on 2026-07-08.
Gemini uses Chrome / Shared entities / Shared topic / What happened next
Linked by a graph relationship (Gemini uses Chrome); both cover Chrome, Gemini; overlapping topics (chrome, gemini).
Google released Chrome / Shared entities / Same source domain / What happened next
Linked by a graph relationship (Google released Chrome); both cover CVE, CVSS; reported by the same outlet (thehackernews.com).
Cursor supports Gemini / Shared entities / Same source domain / What happened next
Linked by a graph relationship (Cursor supports Gemini); both cover CVE, The Hacker News; reported by the same outlet (thehackernews.com).