
Chrome Extensions MCP Security Risk
Chrome extensions using Model Context Protocol pose a serious security risk, bypassing sandbox protections to access local resources and potentially take over machines via unauthenticated MCP servers.
Trust Me, I’m Local: Chrome Extensions, MCP, and the Sandbox Escape
Intro
- Let's talk about MCPs (Model Context Protocol).
- The security risks associated with them are worrying, and even more concerning in a real-world context.
- A suspicious Chrome extension was flagged sending messages to a port on localhost, communicating with an MCP server.
Key Takeaways
- Chrome extensions communicating with MCPs is a serious risk.
- Usual security measures like Chrome’s sandbox model don’t stand a chance.
- Unauthenticated access to the filesystem and, in some cases, a full machine takeover. A massive, game-changing vulnerability.
- Any Chrome extension can exploit this. No special permissions required.
- Vulnerable MCP servers tied to services like filesystem access, Slack, WhatsApp, and more.
- If you’re running MCP locally, it’s time to seriously reevaluate your security.
A Suspicious localhost connection
- Detection engine flagged a Chrome extension making network requests to localhost, communicating with a local service implementing the Model Context Protocol (MCP).
- MCP is a protocol used to interface AI agents with system tools and resources on the endpoint.
- If a browser extension can talk to an MCP server running on the user’s machine, what’s stopping it from accessing sensitive resources or executing privileged actions through the MCP?
MCP: Open by Default
- MCP clients communicate with MCP servers through:
  - Server-Sent Events (SSE) — enables the MCP server to communicate through HTTP POST requests.
  - Standard Input/Output (stdio) — enables the MCP server to communicate through the process’s standard input and output streams.
- The transport layers themselves do not implement, or require, any authentication mechanism.
- It is up to the MCP server developer to implement access controls, but in practice, nearly all MCP servers today do not enforce authentication by default.
- For local use, an MCP server that relies on Server-Sent Events (SSE) typically binds to a port on localhost.
Sandbox, Meet Sledgehammer
- A local SSE-based MCP server is generally accessible to processes running on the same machine, so a Chrome extension can access it.
- Communication flow:
  - The client sends a GET request to the server to obtain a session ID and a messages endpoint — without any form of authentication.
  - Once initialized, the client can issue POST requests to that messages endpoint to retrieve the list of available tools exposed by the MCP server and invoke them directly.
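
One way a local SSE-based MCP server could gate the GET and POST requests described above, shown as an added example (not code from the original article or from any MCP project). The endpoint paths, the token value and the function names are assumptions.

```javascript
// Added example: access gate for a localhost SSE-based MCP server.
// Paths, token value and all names here are assumptions, not a real MCP API.
const CONFIG = {
  token: "constructed-example-token-0123456789", // constructed; use a random per-install secret
  allowedOrigins: new Set(),                     // no browser origin is trusted by default
  paths: new Set(["/sse", "/messages"]),         // assumed endpoint paths
};

// Constant-time comparison, so response timing does not leak how much of a
// guessed token matched. (Node's crypto.timingSafeEqual is the usual choice.)
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Decide whether one HTTP request may reach the MCP transport. `req` needs
// { url, headers } with lower-cased header names, as on Node's IncomingMessage.
function authorize(req, cfg = CONFIG) {
  const path = req.url.split("?")[0];
  if (!cfg.paths.has(path)) return { status: 404, reason: "unknown path" };

  // Defence in depth: browser contexts (pages, extensions) may attach an
  // Origin header; refuse any origin that is not explicitly allowed.
  const origin = req.headers["origin"];
  if (origin !== undefined && !cfg.allowedOrigins.has(origin)) {
    return { status: 403, reason: "origin not allowed" };
  }

  // Primary control: a bearer token on the GET that opens the session and on
  // every POST to the messages endpoint.
  const m = /^Bearer (.+)$/.exec(req.headers["authorization"] || "");
  if (!m || !safeEqual(m[1], cfg.token)) {
    return { status: 401, reason: "missing or invalid token" };
  }
  return { status: 200, reason: "ok" };
}

// Constructed sample requests: no credentials, browser origin, valid local client.
const SAMPLES = [
  { url: "/sse", headers: {} },
  { url: "/messages?sessionId=constructed", headers: {
      origin: "chrome-extension://constructed-id", authorization: "Bearer " + CONFIG.token } },
  { url: "/sse", headers: { authorization: "Bearer " + CONFIG.token } },
];
for (const r of SAMPLES) console.log(r.url, authorize(r).status, authorize(r).reason);
```

In a Node server the result would be checked at the top of the request handler, before any session ID is issued.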
POC (Proof of Concept)
- Set up a local SSE-based MCP server (file-system variant).
- Built a Chrome extension that runs in the background and attempts to connect to localhost:3001.
- The Chrome extension had unrestricted access to the MCP server’s tools — no authentication needed.
- The Chrome extension was able to access a Slack MCP and interact with its exposed functionality.
Sandbox Escape
- POC demonstrates a complete sandbox escape in Chrome’s extension architecture.
- While Chrome has tightened security controls around private network access, browser extensions remain a notable exception.
- Unrestricted access to localhost breaks the isolation barrier, enabling unexpected interaction with both the local machine and the broader organizational environment — especially through exposed services like local MCP servers.
Contain the Chaos
- Since its introduction, the MCP ecosystem has expanded rapidly, with thousands of servers offering diverse capabilities.
- A simple Chrome extension, without any special permissions, can breach the sandbox, connect to a local MCP server, and execute privileged actions on behalf of the user.
- Governing MCP usage, enforcing strict access policies, and closely monitoring extension behavior must become non-negotiable priorities.
- For security teams, this is an entirely new attack surface, and one that is dangerously underestimated.