On January 5, 2026, Google quietly shipped a patch for a high-severity vulnerability in Chrome that most users never heard about. Tracked as CVE-2026-0628 and codenamed Glic Jack, it had been sitting in Google Chrome's Gemini Live integration since September 2025 — when Google first embedded Gemini directly into the browser as an agentic side panel capable of reading your files, controlling your camera, and listening through your microphone.
Researchers at Palo Alto Networks Unit 42 discovered the flaw in October 2025 and disclosed it responsibly. Google confirmed and patched it before public disclosure. The hole has been closed. But Glic Jack is one of the most instructive security incidents of 2026 — not because of what it did, but because of what it reveals about the entire class of risk that AI integration into trusted software creates.
What the Vulnerability Actually Was
Chrome's Gemini Live panel runs as a privileged side panel, not as an ordinary browser tab. That distinction matters enormously.
When gemini.google.com/app loads in a regular tab, browser extensions can intercept and inject JavaScript into it — but that injection inherits only standard tab-level permissions. When the same URL loads inside the Gemini browser panel, Chrome hooks it with elevated, browser-level capabilities: the ability to read local files, take screenshots, access the camera, and activate the microphone. These are the capabilities Gemini needs to function as an agentic assistant. They are also exactly the capabilities an attacker would want.
The vulnerability was a missing entry on a blocklist. Chrome's declarativeNetRequest rules — the mechanism governing how extensions can intercept browser traffic — explicitly excluded certain privileged browser components from extension tampering. The Gemini Live panel's WebView component, introduced with the chrome://glic URL in September 2025, was never added to that blocklist. The engineers who shipped the Gemini integration forgot to protect the new component they had just created.
A malicious extension using only basic declarativeNetRequest permissions — permissions that appear completely innocuous in Chrome's permission model — could inject arbitrary JavaScript into the Gemini panel and inherit all of its elevated access.
Once inside, the extension could:
- Take photos through the webcam without the camera indicator light activating
- Record audio through the microphone silently
- Read the contents of local files and directories
- Capture screenshots of any open website
- Render convincing phishing overlays inside what appeared to users to be a trusted, browser-native interface
The Extension Threat Surface Is Larger Than You Think
Extension-based attacks have historically been considered relatively low-severity. The prerequisite — convincing a user to install a malicious extension — was seen as a significant barrier. Glic Jack demonstrates why that calculus has fundamentally changed.
The most dangerous attack path does not require convincing anyone to install anything new. Legitimate extensions are hijacked. Their developers sell them to threat actors, or the extensions' update mechanisms are compromised. A trusted tool with a large install base — a productivity extension users have trusted for years — receives a malicious update and silently becomes a weapon installed on thousands of machines. No new social engineering required.
Before Glic Jack, a hijacked extension had access to standard tab-level browser capabilities. After Gemini's integration, the same hijacked extension had access to the camera, microphone, local file system, and a trusted UI surface for phishing. The AI integration transformed the blast radius of every existing malicious extension.
For organizations where developers, executives, or finance teams have access to sensitive systems, the combination of persistent camera and microphone access with local file reading via a trusted browser component is not just a privacy risk. It is a corporate espionage infrastructure.
The Deeper Pattern: AI Integration Keeps Creating New Attack Surfaces
The specific Glic Jack vulnerability has been patched. Chrome 143.0.7499.192 is not vulnerable. But the architectural dynamic that created it has not been resolved — and cannot be resolved with a single patch.
Each new privileged AI component added to Chrome expands the attack surface available to malicious extensions. As Palo Alto Networks' Unit 42 researchers found, deeply integrating agentic capabilities creates risks that outlast individual patches:
"By placing this new component within the high-privilege context of the browser, developers could inadvertently create new logical flaws and implementation weaknesses."
Google added Gemini to Chrome in September 2025. The missing blocklist entry existed for less than two months before a researcher found it. As one Palo Alto Networks researcher put it: "the more power you give software in the name of convenience, the more careful you have to be about who else might get their hands on it."
Microsoft's Copilot in Edge, and a growing category of standalone agentic browsers, all operate on the same architectural principle: a deeply integrated AI assistant with privileged access to browser and system capabilities, extending the same elevated attack surface that Glic Jack exploited. The specific CVE is Chrome-specific. The class of risk is industry-wide.
What This Means for Your Organization
For security teams evaluating AI-integrated browser deployments, Glic Jack provides a clear lesson about where the risk lives. It is not primarily in the AI model's behavior — it is in the privileged infrastructure that the AI runs on, and in the attack surfaces that infrastructure creates for other components that share the same environment.
Immediate Actions
- Update Chrome to version 143.0.7499.192 or later if not already done
- Audit installed extensions aggressively — remove any extension that isn't actively needed and regularly used. The extension you haven't looked at in a year may have been sold
- Treat AI-integrated browser features as high-risk infrastructure requiring security scrutiny equivalent to any other privileged software
- Monitor for anomalies: cameras activating unexpectedly, unexplained screenshots, Gemini-related processes touching unusual file paths
- Be suspicious of sudden permission changes in extensions after updates
For Organizations Building AI-Integrated Products
Glic Jack is a direct warning for any application that embeds an AI assistant with access to local resources, privileged APIs, or user credentials. The security properties of AI integrations need to be evaluated specifically — they cannot be inferred from the security properties of the underlying model.
Two capabilities are essential:
- Static code scanning of AI integration code paths — to identify privilege escalation vectors before deployment. The missing blocklist entry was a static analysis finding.
- Behavioral monitoring at runtime — to detect when an AI component is being directed to do something it was not designed to do. Behavioral deviation from established baselines is the signal that infrastructure monitoring misses.
The patch is out. The lesson is not.