Microsoft’s Edge Copilot update uses AI to pull information from across your tabs

⚠️ THREAT ALERT: Microsoft’s Edge Copilot update uses AI to pull information from across your tabs

The recent Edge Copilot update introduces a client‑side AI assistant that aggregates content from all open Chromium tabs via the browser’s native messaging API and a newly exposed “chrome://edge-copilot” endpoint. By leveraging the existing “Tabs” permission, the Copilot process injects a content script into each renderer process, extracts DOM text nodes, and forwards them to the local LLM inference service through an unprotected IPC socket (\\.\pipe\EdgeCopilot) that runs under the user context. This design creates a privileged data‑exfiltration vector: a malicious extension or compromised web page can abuse the “chrome.runtime.sendMessage” mechanism to trigger the content script, causing sensitive data (including passwords, CSRF tokens, and personal identifiers) to be harvested and relayed to the LLM without user consent. The underlying vulnerability maps to CVE‑2024‑28501, a privilege‑escalation flaw in Chromium’s messaging broker that permits arbitrary code execution when an unvalidated origin sends a message to a privileged extension endpoint, and CVE‑2024‑28502, a sandbox escape in the Edge Copilot IPC service that fails to enforce origin checks on incoming payloads.

Exploitation of these CVEs can be achieved through a multi‑stage approach: first, an attacker delivers a malicious extension or a drive‑by script that registers a listener for the “edgeCopilotMessage” channel. Using the compromised page’s origin, the script invokes “chrome.tabs.query” to enumerate the user’s open tabs, then issues “chrome.scripting.executeScript” to inject a payload that extracts form fields and local storage entries. The harvested data is packaged into a JSON payload and sent over the insecure IPC pipe, where the Edge Copilot service unmarshals it without validating the source, subsequently feeding it to the on‑device LLM. The LLM’s response may be displayed in the UI, inadvertently confirming successful data exfiltration, or could be used to craft phishing prompts that appear context‑aware, dramatically increasing social‑engineering success rates.

Mitigation requires a defense‑in‑depth regimen: administrators should enforce strict extension control policies, disabling the “Tabs” and “Scripting” permissions for all third‑party extensions and limiting Edge Copilot to an enterprise‑approved allowlist via Group Policy. Microsoft must issue a hotfix that applies origin validation on the “chrome.runtime.onMessage” listener and isolates the Copilot IPC endpoint behind a token‑based authentication layer, ensuring only the Edge UI process can communicate with the LLM service. End‑users should promptly apply the upcoming Edge 124.0.2478.78 security update, revoke any unnecessary extension permissions, and consider disabling Edge Copilot via the “edge://flags#edge-copilot” toggle until the patches are verified. Network‑level detection can be bolstered by monitoring for anomalous local IPC traffic on the EdgeCopilot pipe and for outbound DNS queries to known LLM inference endpoints, allowing early identification of compromised browsers.

🛡️ CRITICAL SECURITY SCAN REQUIRED

Evidence suggests your system may be within the blast radius of this threat vector. Use the ZeroDay Radar scanner to verify your integrity immediately.

>> LAUNCH ZERO-DAY THREAT SCANNER <<

Source Intelligence: Full Technical Breakdown