Glic Jack: The Google Chrome Gemini Vulnerability That Exposes Camera and Microphone

A high-severity security vulnerability was discovered in Google Chrome's built-in AI assistant, Gemini, exposing users to unauthorized access to their camera and microphone, local file theft, and phishing attacks, all without requiring any user interaction beyond opening the browser's built-in AI panel.

Tracked as CVE-2026-0628 and nicknamed "Glic Jack" (from Gemini Live in Chrome hijack), the flaw was discovered by researchers at Palo Alto Networks' Unit 42 and responsibly disclosed to Google on October 23, 2025. Google confirmed the issue and released a patch on January 5, 2026, ahead of public disclosure on March 2, 2026.


The rise of "agentic browsers" and new risks

Gemini Live in Chrome is part of a growing class of "AI browsers" that integrate AI assistants directly into the browsing environment. These assistants, which also include Microsoft Copilot in Edge and standalone products like Atlas and Comet, operate as privileged side panels capable of summarizing web pages in real time, automating tasks, and providing contextual assistance.

Because these AI panels need a "multimodal" view of the user's screen to work effectively, Chrome grants the Gemini panel elevated permissions, including access to the camera, microphone, local files, and the ability to capture screenshots. This privileged architecture, while enabling powerful features, dramatically widens the browser's attack surface.


Technical analysis: how the exploit worked

The flaw lay in how Chrome handled the declarativeNetRequest API, a standard browser extension permission that lets extensions intercept and modify HTTPS requests and responses (widely used, for example, by ad blockers).

Researchers found a critical inconsistency in how Chrome processed requests to https://gemini.google.com/app:

  1. In a normal tab: when the URL loads in a regular browser tab, extensions can intercept and inject JavaScript, but this doesn't grant any special privileges.
  2. In the Gemini panel: when the same URL loads inside Gemini's side panel, Chrome attaches it with elevated browser-level capabilities (via the <webview> tag).

By exploiting this inconsistency, a malicious extension with basic permissions could inject arbitrary JavaScript into the privileged Gemini panel, effectively hijacking a trusted browser component and inheriting all of its elevated access.


Impact and attack capabilities

Once an attacker gained control of the Gemini panel through this technique, they could carry out the following actions without any user interaction (beyond clicking the Gemini button):

Attack capability Impact
Camera and microphone activation Silent surveillance without user consent.
Screenshot capture Exfiltration of sensitive data displayed on screen.
Access to local files and directories OS-level file theft.
Phishing via a trusted panel Highly credible deception attacks.

The phishing risk is particularly dangerous because the Gemini panel is a trusted, built-in browser component. Malicious content displayed inside it carries an inherent legitimacy that traditional phishing pages lack.


The role of malicious extensions

Extension-based attacks have historically been considered low-risk because of the prerequisites needed to get a malicious extension installed. However, the integration of privileged AI panels fundamentally changes that calculus.

The number of malicious extensions distributed through official stores has grown significantly. Many are removed quickly, but not before reaching thousands of users. In addition, legitimate extensions have sometimes been compromised or sold to malicious actors who then pushed malicious updates to unsuspecting users, turning trusted tools into silent weapons.

In enterprise settings, a compromised extension that gains access to camera, microphone, and local files represents a serious organizational security risk, with potential for industrial espionage and proprietary data exfiltration.


How to protect yourself

Google released the fix on January 5, 2026 in version 143.0.7499.192 (or later).

  • Update immediately: make sure Chrome is updated to the latest available version on all endpoints.
  • Audit extensions: periodically review installed extensions and remove any that are unnecessary or of dubious origin.
  • Least privilege principle: in enterprise environments, restrict users' ability to install unapproved extensions.

The incident underscores that the security of AI models and their integrations isn't just about the quality of their output, but also about the robustness of the infrastructure that hosts them.


References:

Article by the F-Hack Team - March 4, 2026