
Claude for Chrome

(www.anthropic.com)
795 points | davidbarker | 1 comments
dfabulich No.45034300
Claude for Chrome seems to be walking right into the "lethal trifecta." https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

"The lethal trifecta of capabilities is:"

Access to your private data—one of the most common purposes of tools in the first place!

Exposure to untrusted content—any mechanism by which text (or images) controlled by a malicious attacker could become available to your LLM

The ability to externally communicate in a way that could be used to steal your data (I often call this “exfiltration” but I’m not confident that term is widely understood.)

If your agent combines these three features, an attacker can easily trick it into accessing your private data and sending it to that attacker.

replies(11): >>45034378 #>>45034587 #>>45034866 #>>45035318 #>>45035331 #>>45036212 #>>45036454 #>>45036497 #>>45036635 #>>45040651 #>>45041262 #
victorbjorklund No.45036212
I wonder if one way to mitigate the risk would be that by default the LLM can't send requests using your cookies etc. You would actively have to grant it access (maybe per request) for each request it makes with your credentials. That way by default it can't fuck up (that bad) and you can choose where it is acceptable to risk it (your HN account might be OK to risk but not your bank account).
replies(2): >>45037675 #>>45037733 #
johnfn No.45037733
This kind of reminds me of `--dangerously-skip-permissions` in Claude Code, and yet look how cavalier we are about that! Perhaps you could extend the idea by sandboxing the browser to have "harmless" cookies but not "harmful" ones. Hm, maybe that doesn't work, because gmail is harmful, but without gmail, you can't really do anything. Hmm...
replies(1): >>45067586 #
victorbjorklund No.45067586
Made me think (never gonna happen but still) maybe we could have different cookies/sessions for the agents and for ourselves where the webapp can decide what permissions either can have. For gmail maybe you could allow the agent to read your email but not send email and so on.
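The mitigation sketched in the two victorbjorklund comments (credentials withheld from the agent by default, granted per origin, optionally per request, and with a read-only scope that allows reading but not sending) as an added example; this is illustration code, not part of the thread or of Claude for Chrome, and the origin names, scope names and cookie store are constructed.

```python
"""Credential gate for agent-initiated browser requests (added example).

Default deny: no cookies are attached unless the user granted that origin.
A 'read' grant attaches cookies only to non-mutating methods; a request
budget makes a grant expire after N credentialed requests.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # cannot send/modify on a well-behaved app


@dataclass
class Grant:
    scope: str                     # constructed scope names: "read" or "write"
    remaining: Optional[int] = None  # None = until revoked, else requests left


@dataclass
class CredentialGate:
    grants: Dict[str, Grant] = field(default_factory=dict)  # exact origin -> grant
    audit: List[str] = field(default_factory=list)          # every decision, for review

    def grant(self, origin: str, scope: str, requests: Optional[int] = None) -> None:
        """Record user approval for one origin (scheme://host[:port], exact match)."""
        if scope not in ("read", "write"):
            raise ValueError("scope must be 'read' or 'write'")
        self.grants[origin.lower()] = Grant(scope, requests)

    def decide(self, method: str, url: str) -> bool:
        """True only if the user's cookies may ride along on this agent request."""
        parts = urlsplit(url)
        origin, method = f"{parts.scheme}://{parts.netloc}".lower(), method.upper()
        g = self.grants.get(origin)
        if g is None:
            self.audit.append(f"DENY {method} {origin} (no grant)")
            return False
        if g.scope == "read" and method not in SAFE_METHODS:
            self.audit.append(f"DENY {method} {origin} (read-only grant)")
            return False
        if g.remaining is not None:           # per-request budget
            g.remaining -= 1
            if g.remaining <= 0:
                del self.grants[origin]        # consumed: back to default deny
        self.audit.append(f"ALLOW {method} {origin} ({g.scope})")
        return True

    def headers_for(self, method: str, url: str, cookie_jar: Dict[str, str]) -> Dict[str, str]:
        """Build outgoing headers; the Cookie header appears only when allowed."""
        origin = "{0.scheme}://{0.netloc}".format(urlsplit(url)).lower()
        if self.decide(method, url) and origin in cookie_jar:
            return {"Cookie": cookie_jar[origin]}
        return {}
```

A prompt-injected page can still ask the agent to fetch things, but without credentials the fetch returns only what an anonymous visitor would see, and the audit list shows which grants were actually exercised.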