# Millions of Users at Risk Due to Flaws in Popular Chrome Extensions

*Published June 22, 2026*
*Source: [https://cybersecuritynews.com/chrome-extensions-critical-vulnerabilities/](https://cybersecuritynews.com/chrome-extensions-critical-vulnerabilities/)*

## Executive Summary

Critical vulnerabilities in the SiderAI and MaxAI Chrome extensions, which together have more than 10 million installs, let a malicious web page execute privileged actions in the extension's context and read data from the user's signed-in web sessions, with no interaction beyond visiting the page. The flaws put both user privacy and account security at risk.

## Article

Researchers at Rebora Security have disclosed critical vulnerabilities in two AI-powered Chrome extensions, SiderAI and MaxAI, which they named Spyder and MaXSS respectively. Both extensions add AI summaries and browsing automation, and together they have been installed on over 10 million devices; SiderAI alone ranks among the top 25 extensions on the Chrome Web Store, so the exposed population is large.

Both flaws stem from insecure handling of messages passing from web pages into the extensions' internal components, in particular their content scripts. A content script runs inside the web page it is injected into and can receive messages from that page, so it sits on a trust boundary: anything it accepts from the page must be treated as attacker-controlled before it is relayed to the extension's background context, which holds the extension's privileges. Neither extension validated that input properly.

In MaxAI's case (MaXSS), a malicious website could send crafted messages to the content script, which passed them on to the background process without verification. The background process then carried out privileged actions on the page's behalf, including opening hidden tabs, capturing screenshots, and accessing the user's signed-in accounts. In the researchers' demonstrations this was enough to reach the victim's Gmail and Google Calendar sessions and extract their contents without the user noticing.

The Spyder flaw in SiderAI let an attacker simulate user interactions such as clicks and keystrokes across the victim's web sessions; the researchers used it to open Google Gemini and extract private AI conversation data.

Because the flaws let a web page act with the extension's privileges, the potential impact is broad: reading email, stealing authentication tokens, manipulating documents, and on some systems even local file access. Neither attack requires any user interaction beyond visiting a malicious web page, which makes them stealthy and easy to scale. Rebora Security reported the issues to both vendors and received no response, after which it disclosed them publicly and notified Google.
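The pattern behind both flaws is a content script that relays page messages to the background context. The following is an added example written for this page, not code from MaxAI, SiderAI or Rebora Security: it shows the relay in its vulnerable shape and then hardened on both sides of the boundary. `window.addEventListener("message", ...)`, `chrome.runtime.sendMessage` and the `MessageSender.url` field are real Chrome extension APIs; the command names, the origin allowlist and the extension id are assumptions for illustration.

```javascript
// Added example (not the extensions' own code): page -> content script ->
// background relay, vulnerable and hardened. Commands, allowlisted origin and
// extension id are assumptions.

// Content scripts report the web page's URL in sender.url; the extension's own
// pages (popup, options) report chrome-extension://<id>/... . That, not the
// message body, is what tells the background who is really asking.
function isFromExtensionPage(sender, extensionId) {
  return typeof sender.url === "string" &&
    sender.url.startsWith("chrome-extension://" + extensionId + "/");
}

// --- Vulnerable relay (the anti-pattern) ---------------------------------
// Forwards event.data untouched: any page or iframe that can post to this
// window can now send whatever the background context will act on.
function vulnerableRelay(event, sendToBackground) {
  sendToBackground(event.data);          // no source, origin or schema check
  return true;
}

// --- Hardened relay -------------------------------------------------------
const ALLOWED_ORIGINS = new Set(["https://app.example-extension.test"]); // assumption
const PAGE_COMMANDS = new Set(["summarize"]);                    // verbs a page may request
const PRIVILEGED_COMMANDS = new Set(["captureTab", "openTab"]);  // never on a page's behalf

function isTrustedPageMessage(event, ownWindow) {
  if (event.source !== ownWindow) return false;       // reject iframes and openers
  if (!ALLOWED_ORIGINS.has(event.origin)) return false;
  const d = event.data;
  if (typeof d !== "object" || d === null || typeof d.cmd !== "string") return false;
  return PAGE_COMMANDS.has(d.cmd);                     // privileged verbs are never page-requestable
}

function hardenedRelay(event, ownWindow, sendToBackground) {
  if (!isTrustedPageMessage(event, ownWindow)) return false;
  // Rebuild the message from validated fields instead of forwarding event.data,
  // so extra properties chosen by the page never reach the background.
  sendToBackground({
    cmd: event.data.cmd,
    text: typeof event.data.text === "string" ? event.data.text.slice(0, 10000) : "",
  });
  return true;
}

// --- Background side: second line of defence -----------------------------
// Even with a correct relay, privilege is decided by who sent the message,
// not by what the message claims.
function backgroundHandler(message, sender, extensionId) {
  if (!message || typeof message.cmd !== "string") {
    return { ok: false, reason: "malformed" };
  }
  if (PRIVILEGED_COMMANDS.has(message.cmd)) {
    // Screenshots, hidden tabs and the like only for the extension's own UI.
    if (!isFromExtensionPage(sender, extensionId)) {
      return { ok: false, reason: "privileged command from a web page" };
    }
    return { ok: true, cmd: message.cmd };
  }
  if (PAGE_COMMANDS.has(message.cmd)) return { ok: true, cmd: message.cmd };
  return { ok: false, reason: "unknown command" };
}

// Wiring inside a real content script; skipped when run outside a browser.
if (typeof window !== "undefined" && typeof chrome !== "undefined" && chrome.runtime) {
  window.addEventListener("message", (event) => {
    hardenedRelay(event, window, (msg) => chrome.runtime.sendMessage(msg));
  });
}
```

The two checks complement each other: the content script refuses messages that do not come from its own window and its own allowlisted origin, and the background refuses privileged commands unless the sender URL proves they came from the extension's own pages. Either check alone would have blocked the page-to-background path the article describes; both together mean a future bug in the relay does not hand out screenshot or tab privileges.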
Users should open chrome://extensions, check whether SiderAI or MaxAI is installed, and remove them immediately. The incident highlights the escalating risk from AI-integrated browser extensions, which commonly run with broad host permissions across a user's signed-in sessions, and the need to treat installed extensions as part of the endpoint attack surface.
