SMRTR Programming | May 1, 2025 | Hacker News

Trust Me, I'm Local: Chrome Extensions, MCP, and the Sandbox Escape

SMRTR summary

The flaw is not in any single extension but in the combination: a Chrome extension can open connections to Model Context Protocol (MCP) servers running on the user's machine, and those servers, including ones for services such as Slack and WhatsApp, commonly run on localhost with no authentication at all. An extension that reaches one can invoke whatever tools it exposes, escaping the browser sandbox and potentially gaining full access to the system.

The root cause is that MCP servers using the Server-Sent Events (SSE) transport listen on localhost and accept any local client without access control, and Chrome does not prevent extensions from talking to localhost. The article's proof-of-concept extension connected to local MCP servers, enumerated their tools and invoked them without restriction, which in an enterprise turns one installed extension into a path to everything those tools can reach.

Organizations running MCP servers should stop treating localhost as a trust boundary: require authentication on each server, restrict which extensions users may install, and monitor extension behavior for connections to local ports.

SMRTR provides this summary for quick context. The original article belongs to Hacker News.
