VYPR advisory · Published Jun 19, 2026 · 1 source

Spyder and MaXSS Flaws in SiderAI and MaxAI Chrome Extensions Expose 10 Million Users to Silent Browser Compromise

Critical vulnerabilities in the SiderAI and MaxAI Chrome extensions, installed on over 10 million devices, allow attackers to silently extract Gmail, calendar, and AI conversation data without any user interaction.

Security researchers at Rebora Security have disclosed two critical vulnerabilities, dubbed "Spyder" and "MaXSS," affecting the widely used Chrome extensions SiderAI and MaxAI. These AI-powered "agentic side panel" extensions, designed to enhance browsing with automated summaries and AI-driven assistance, are installed on more than 10 million devices across Chrome-compatible browsers. SiderAI alone ranks among the top 25 extensions on the Chrome Web Store, underscoring the massive scale of exposure.

The flaws stem from insecure message handling in the extensions' content scripts, which act as intermediaries between web pages and the extension's background processes. In a properly secured extension, content scripts enforce strict isolation, validating any data passed from a website before forwarding it to privileged components. However, both SiderAI and MaxAI failed to perform this validation, allowing malicious websites to send crafted messages that the content script would then forward without verification.
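To make the failure mode concrete, here is an added illustration (not code from SiderAI, MaxAI or Rebora Security) of a content-script message relay written both the unchecked way the advisory describes and the way it should be written; the action names, origins and message shape are assumptions made for this example.

```javascript
// Constructed illustration of the content-script relay pattern discussed above.
// Not code from SiderAI, MaxAI or Rebora Security; the action names, origins
// and message shape are assumptions made for this example.

// Vulnerable pattern: whatever the page posts is forwarded, unchecked, to the
// privileged background script, so any site the script runs on can drive it.
function makeVulnerableRelay(sendToBackground) {
  return (event) => { sendToBackground(event.data); return true; };
}

// Hardened pattern: the content script is the trust boundary, so it allowlists
// the sender origin and the action, validates fields, and rebuilds the message
// instead of passing the page-controlled object through.
function makeHardenedRelay(sendToBackground, opts) {
  const origins = new Set(opts.allowedOrigins);
  const actions = new Set(opts.allowedActions);
  return (event) => {
    if (event.source !== opts.pageWindow) return false; // ignore frames etc.
    if (!origins.has(event.origin)) return false;        // untrusted site
    const msg = event.data;
    if (typeof msg !== 'object' || msg === null) return false;
    if (typeof msg.action !== 'string' || !actions.has(msg.action)) return false;
    if (typeof msg.text !== 'string' || msg.text.length > 10000) return false;
    sendToBackground({ action: msg.action, text: msg.text });
    return true;
  };
}

// Constructed sample events, in the shape of a window 'message' event.
const pageWindow = {};
const hostileEvent = { source: pageWindow, origin: 'https://attacker.example',
  data: { action: 'captureScreenshot', tabId: 7 } };
const legitEvent = { source: pageWindow, origin: 'https://app.example',
  data: { action: 'summarize', text: 'Selected text from the page' } };

function demo() {
  const forwarded = [];
  const record = (m) => forwarded.push(m);
  const vulnerable = makeVulnerableRelay(record);
  const hardened = makeHardenedRelay(record, { pageWindow,
    allowedOrigins: ['https://app.example'], allowedActions: ['summarize'] });
  return {
    vulnerableForwardsHostile: vulnerable(hostileEvent), // true: request reaches background
    hardenedForwardsHostile: hardened(hostileEvent),     // false: origin (and action) not allowlisted
    hardenedForwardsLegit: hardened(legitEvent),         // true: only the vetted fields forwarded
    forwarded,
  };
}
```

The point the relay makes is that a content script runs inside whatever page it is injected into, so every field it forwards to the background must be treated as attacker-controlled until it has been allowlisted and rebuilt.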

In the case of MaxAI, researchers found that a malicious website could exploit this flaw to execute privileged actions such as opening hidden tabs, capturing screenshots, and interacting with user accounts. In a demonstrated attack, the researchers accessed Gmail and Google Calendar sessions, extracting sensitive information like emails and authentication tokens without the user's knowledge. The "MaXSS" vulnerability, as it was named, effectively broke the browser's trust boundary, enabling an attacker to act on behalf of the user across any website.

The "Spyder" vulnerability in SiderAI similarly allowed attackers to simulate user interactions, such as clicks and keystrokes, across embedded web sessions. By abusing this capability, a malicious site could silently open services like Google Gemini, extract private AI conversation data, and leak it externally. In some cases, the permissions granted to these extensions could even allow access to local files on the user's operating system, making the potential impact far-reaching.

Exploitation requires no user interaction beyond visiting a malicious webpage, making the attack vector both stealthy and highly scalable. Attackers could read emails, steal authentication tokens, manipulate documents, and execute actions on behalf of the user across virtually any website. The researchers noted that the extensions' permissions, often granted by users for legitimate AI functionality, could be abused to access sensitive data from services like Gmail, Google Calendar, and AI platforms.

Rebora Security reported the issues to the extension vendors but received no response. Due to the severity of the flaws, the findings were publicly disclosed, and Google, as the operator of the Chrome Web Store, was also notified. Users are strongly advised to verify whether SiderAI or MaxAI are installed in their browsers and remove them immediately if present. The incident underscores the growing risks associated with AI-integrated browser extensions, which often require broad permissions that can be exploited when security boundaries are not properly maintained.

Synthesized by Vypr AI