Your comment seems very dismissive in the way you phrase this as intended behaviour. A security flaw like this can impossibly be intended behaviour.
In my previous comment i also say thats calling it malware is a bit far-fetched but the security issues are absolutely there and should not be dismissed as “intended behaviour”. Especially not by a company like Anthropic.
I am not well versed in extension development but is there anything stopping me from making an open source extension and just defining the ID as one of the three in the article? It most likely couldnt be released via the chrome addon store but if it is installed outside of thar? And how are these IDs read after install, could it potentially be altered by something from the outside?
I immediately see so many flaws with this implementation it is worrying that a company the size of Anthropic does this.
Did i say malware is being installed? And am i not allowed to hypothesize?
I see the security hole. I imagine some ways it could be abused by an attacker. I admit I am not knowledgable in extension development to make it clear those are hypothesized ideas. Hell theyre even phrased like question? I even agree this is not directly malware and that saying so is a stretch.