Critical security vulnerabilities have been discovered in two of the most widely installed AI-powered Chrome extensions — SiderAI and MaxAI — putting more than 10 million users at risk of complete browser session compromise. Researchers at Rebora Security disclosed the findings publicly after the extension vendors failed to respond to responsible disclosure attempts. Google, as the operator of the Chrome Web Store, has also been notified.
The Vulnerabilities: Spyder and MaXSS
Two distinct vulnerabilities were uncovered, each affecting a different extension but sharing a common root cause: insecure handling of communication between web pages and the extension’s internal components.
MaXSS (MaxAI): Researchers found that malicious websites could send crafted messages to MaxAI’s content script, which would then forward them to the extension’s background process without proper verification. This effectively allowed attackers to execute privileged actions — including opening hidden browser tabs, capturing screenshots, and interacting with logged-in user accounts — entirely without user awareness. In a demonstrated attack scenario, researchers successfully accessed Gmail and Google Calendar sessions and extracted sensitive personal data.
Spyder (SiderAI): The Spyder vulnerability enabled attackers to simulate user interactions such as clicks and keystrokes across embedded web sessions. By abusing this capability, a malicious site could silently open services like Google Gemini, extract private AI conversation data, and exfiltrate it to attacker-controlled infrastructure. SiderAI ranks among the top 25 extensions on the Chrome Web Store, making the scale of potential exposure particularly alarming.
Root Cause: Broken Content Script Isolation
In Chrome extensions, content scripts are the extension's own code injected into web pages. They run in an isolated world with a separate JavaScript scope, but they share the page's DOM, can receive messages from it (for example via window.postMessage), and are the only extension component the page can talk to. Whatever they relay to the extension's background context therefore crosses from untrusted page content into the privileged environment, and a content script is expected to validate every page-supplied message before forwarding it. Both SiderAI and MaxAI forwarded those messages without such validation, allowing untrusted content to cross this critical trust boundary.
The flaw is architecturally significant. AI-powered “agentic side panel” extensions are designed to observe and interact with the user’s browsing experience in real time, granting them unusually broad permissions — read access to all websites, screenshot capabilities, and the ability to interact with authenticated sessions. When input validation fails in this context, the blast radius is far larger than a typical browser extension vulnerability.
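To make the boundary concrete, here is an added example (written for this write-up, not code from either extension or from the researchers) of a content-script relay in the vulnerable shape described above, next to a hardened version. The trusted origin, the action names and the chrome.runtime stub are assumptions made so the code runs under Node; in a real extension chrome.runtime.sendMessage reaches the background service worker.

```javascript
// Added example, not the extensions' own code: a content-script relay in the
// vulnerable shape described in the write-up, next to a hardened version.
// chrome.runtime does not exist under Node, so a stub records what reaches the
// extension's privileged background worker.
const reachedBackground = [];
const chrome = {
  runtime: { sendMessage(msg) { reachedBackground.push(msg); } },
};

// Stand-in for the content script's own `window`; messages posted from other
// frames arrive with a different `event.source`.
const pageWindow = { name: 'top' };

// Vulnerable relay: whatever the page posts with window.postMessage is
// forwarded verbatim to the background worker, which then acts on it.
function vulnerableRelay(event) {
  chrome.runtime.sendMessage(event.data);
  return { forwarded: true, reason: 'no checks' };
}

// Hardened relay. Origin and action names are assumed for illustration.
// Privileged operations (opening tabs, screenshots, driving other sessions)
// are deliberately absent from the allowlist: a page must never request them.
const TRUSTED_ORIGINS = new Set(['https://app.example-ai-extension.test']);
const ALLOWED_ACTIONS = {
  summarizeSelection: { text: 'string' }, // action name -> required field types
  getSidePanelState: {},
};

function hardenedRelay(event, ownWindow) {
  if (event.source !== ownWindow) return { forwarded: false, reason: 'foreign window' };
  if (!TRUSTED_ORIGINS.has(event.origin)) return { forwarded: false, reason: 'untrusted origin' };
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null || Array.isArray(msg)) {
    return { forwarded: false, reason: 'malformed message' };
  }
  // Own-property lookup so names like "constructor" cannot match the allowlist.
  const schema = Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, msg.action)
    ? ALLOWED_ACTIONS[msg.action] : null;
  if (!schema) return { forwarded: false, reason: `unknown action ${String(msg.action)}` };
  // Rebuild the message from validated fields only, so the background worker
  // never sees properties the page smuggled in alongside a legitimate action.
  const clean = { action: msg.action };
  for (const [field, type] of Object.entries(schema)) {
    if (typeof msg[field] !== type) return { forwarded: false, reason: `bad field ${field}` };
    clean[field] = msg[field];
  }
  chrome.runtime.sendMessage(clean);
  return { forwarded: true, reason: 'ok' };
}

// Run one relay over a list of postMessage events and report what got through.
function simulate(relay, events) {
  reachedBackground.length = 0;
  const results = events.map((ev) => relay(ev, pageWindow));
  return { results, background: reachedBackground.slice() };
}

// Constructed sample events: two from a malicious page, two from the trusted origin.
const EVENTS = [
  { source: pageWindow, origin: 'https://evil.example',
    data: { action: 'openHiddenTab', url: 'https://mail.google.com/' } },
  { source: pageWindow, origin: 'https://evil.example',
    data: { action: 'captureScreenshot' } },
  { source: pageWindow, origin: 'https://app.example-ai-extension.test',
    data: { action: 'summarizeSelection', text: 'hello', extra: 'smuggled' } },
  { source: pageWindow, origin: 'https://app.example-ai-extension.test',
    data: { action: 'openHiddenTab', url: 'https://calendar.google.com/' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', simulate(vulnerableRelay, EVENTS).background.length, 'of 4 forwarded');
  const hard = simulate(hardenedRelay, EVENTS);
  console.log('hardened:', hard.background.length, 'of 4 forwarded');
  hard.results.forEach((r, i) => console.log(`  event ${i}: ${r.reason}`));
}
```

The point of the rebuild step is that even the trusted origin cannot reach a privileged action: the allowlist is the complete set of things a page may ask for, and everything else is dropped at the content script rather than being interpreted by the background worker.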
What Attackers Can Do
The attack requires no user interaction beyond visiting a malicious webpage. The impact of successful exploitation is extensive:
- Email theft: Read and exfiltrate messages from Gmail, Outlook, and other webmail platforms.
- Authentication token theft: Capture session cookies and OAuth tokens to hijack accounts across services.
- Document manipulation: Access and modify Google Docs, Microsoft 365, and other document services.
- AI conversation data leak: Extract private AI chat histories from ChatGPT, Claude, Gemini, and similar services.
- Local file access: In some configurations (for example, if the user has enabled the extension's "Allow access to file URLs" setting), extension permissions may allow access to local filesystem content.
- Lateral action execution: Perform actions on any website the user is logged into, silently and without indication.
Disclosure and Vendor Response
Rebora Security followed responsible disclosure procedures and contacted both SiderAI and MaxAI with details of the vulnerabilities. Neither vendor responded. Due to the severity of the findings and the large number of users at risk, the researchers made the decision to publicly disclose the vulnerabilities. Google has been informed as the Chrome Web Store operator. At time of publication, no patches have been released for either extension.
What Users Should Do
Users who have SiderAI or MaxAI installed should take immediate action:
- Remove both extensions immediately from all Chrome-based browsers (Chrome, Edge, Brave, Arc, and others that use the Chrome extension ecosystem).
- Rotate sensitive credentials for services you were logged into while these extensions were active, particularly email accounts, banking services, and any platform containing sensitive personal or business data. Changing a password does not by itself invalidate a stolen session cookie or OAuth token, so also sign out of all active sessions and revoke connected apps where the service offers it.
- Review browser extension permissions across all installed extensions and remove any that have unnecessary access to all sites.
- Treat AI browser extensions with heightened scrutiny — their broad permission requirements make them high-value targets for both malicious developers and third-party vulnerabilities.
A Warning Sign for AI Browser Extensions
This disclosure is not an isolated incident. The Spyder and MaXSS vulnerabilities follow a pattern of security researchers finding critical flaws in AI-integrated browser extensions that have been granted unusually broad permissions without adequate security review. As AI side-panel extensions proliferate and users install them on tens of millions of devices, the Chrome extension ecosystem is becoming a significant attack surface that the security community has yet to fully reckon with. The combination of broad permissions, real-time web access, and insufficient input validation creates a dangerous recipe that threat actors are increasingly likely to target.