This discussion highlights significant concerns and diverse opinions regarding AI's integration into web browsing, particularly with Anthropic's Claude for Chrome. The core themes revolve around security vulnerabilities, the potential for misuse, the erosion of privacy, and the fundamental shift in human-computer interaction.
Security Vulnerabilities and Prompt Injection
A major concern is the inherent insecurity of allowing AI direct browser access, primarily due to prompt injection attacks. Users expressed alarm at the potential for malicious actors to exploit these systems.
- rustc quoted Anthropic's own warning and objected to where it sits on the page: "> Malicious actors can hide instructions in websites, emails, and documents that trick AI into taking harmful actions without your knowledge, including:
  - Accessing your accounts or files
  - Sharing your private information
  - Making purchases on your behalf
  - Taking actions you never intended
  This should really be at the top of the page and not one full screen below the "Try" button."
- rvz elaborated on the specific risks: "Then it's a great time to be an LLM security researcher then. Think about all the issues that attackers can do with these LLMs in the browser:
  - Mislead agents to paying for goods with the wrong address
  - Crypto wallets drained because the agent was told to send it to another wallet but it sent it to the wrong one.
  - Account takeover via summarization, because a hidden comment told the agent additional hidden instructions.
  - Sending your account details and passwords to another email address and telling the agent that the email was [company name] customer service.
  All via prompt injection alone."
- biggestfan highlighted a specific statistic from Anthropic: "According to their own blog post, even after mitigations, the model still has an 11% attack success rate." This statistic was met with significant concern:
- aquova reacted with "I'm honestly dumbfounded this made it off the cutting room floor. A 1 in 9 chance for a given attack to succeed? And that's just the tests they came up with! You couldn't pay me to use it, which is good, because I doubt my account would keep that money in it for long."
- rafram echoed this sentiment: "> When we added safety mitigations to autonomous mode, we reduced the attack success rate of 23.6% to 11.2%. Ah, so the attacker will only get full access to my information and control over my accounts ~10% of the time. Comforting!"
- kylehotchkiss further illustrated the danger: "yeah the last 1% will just be targeted at your 401k and brokerages so 99% of the time you're fine and the last 1% you'll be drained of every penny"
- freeone3000 pointed out what they saw as a significant flaw: "Because the flaws are glaring, obvious, and easily avoidable."
- mynameismon contrasted this with OS releases: "At the same time, manufacturers do not release operating systems with extremely obvious flaws that have (at least so far) no reasonable guardrails and pretend that they are the next messiah."
- asgraham strongly differentiated this from OS vulnerabilities: "First of all, you absolutely cannot release an OS with a known zero day. IANAL but that feels a lot like negligence that creates liability. But even ignoring that, the gulf between zero days and plain-text LLM prompt injection is miles wide. Zero days require intensive research to find, and expertise to exploit. LLM prompt injections obviously exist a priori, and exploiting them requires only the ability to write."
- rustc provided a stark analogy: "This is like curl | bash but you automatically execute the code on every webpage you visit with full access to your browser."
- captainkrtek agreed: "Basically undoing years of effort to isolate web properties from affecting other properties."
Erosion of Privacy and Data Concerns
The ability of AI agents to access and process user data raises significant privacy concerns. Users are worried about how their browsing history and personal information will be handled.
- prodigycorp stated, "Besides prompt injection, be ready to kiss your privacy goodbye. You should be assuming you're handing over your entire browsing contents/history to Anthropic. Any of your content that doesn't follow Anthropic's very narrow acceptable use policy will be automatically flagged and stored on their servers indefinitely."
- srameshc expressed a similar sentiment, noting, "It's nice that they enumerate the risks: [link to Anthropic article] It's much less nice that they're more-or-less silent on how to mitigate those risks." This was followed by rafram's quote about the 11% attack success rate, highlighting the perceived inadequacy of those mitigations.
The "Annoyance" of Security vs. User Convenience
A recurring theme is the perceived trade-off between user convenience and security, with some users suggesting that the drive for convenience is leading to a dangerous disregard for established security practices.
- strange_quark lamented, "It's insane how we're throwing out decades of security research because it's slightly annoying to have to write your own emails."
- captainkrtek added, "The absolute disregard is astonishing. How big of an incident will it take for any restraint to exist? Folks on HN are at least somewhat informed of the risks and can make choices, but the typical user still expects some modicum of security when installing an app or using a service."
- goosejuice offered a counterpoint and explanation: "A typical user also happily gives away all their personal information for free just to scroll through cat videos or see what % irish they are. Even the HN crowd aimlessly runs curl | sh, npm i -g, and rando browser ext. I agree, it's ridiculous but this isn't anything new."
- jjice blamed a user mindset: "My theory is that the average user of an LLM is close enough to the average user of a computer and I've found that the general consensus is that security practices are 'annoying' and 'get in the way'. The same kind of user who hates anything MFA and writes their password on a sticky note that they stick to their monitor in the office."
- TeMPOraL defended this mindset: "Because they usually are and they do. ... This kind of user has a better feel for threat landscape than most armchair infosec specialists. People go around security measures not out of some ill will or stupidity, but because those measures do not recognize the reality of the situation and tasks at hand."
Parallels to Early Web Dangers and Technological Evolution
Some users drew parallels between the current state of AI browser integration and the early, less secure days of the internet, framing it as a potentially dangerous but ultimately evolutionary step.
- echelon used an analogy: "When we felt we were getting close to flight, people were jumping off buildings in wing suits. And then, the Wright Bros. cracked the problem. Rocketry, Apollo... Same thing here. And it's bound to have the same consequences, both good and bad. Let's not forget how dangerous the early web was with all of the random downloadables and popups that installed exe files. Evolution finds a way, but it leaves a mountain of bodies in the wake."
- strange_quark pushed back on this analogy: "> When we felt we were getting close to flight, people were jumping off buildings in wing suits. And then, the Wright Bros. cracked the problem. Yeah they cracked the problem with a completely different technology. Letting LLMs do things in a browser autonomously is insane. > Let's not forget how dangerous the early web was with all of the random downloadables and popups that installed exe files. And now we are unwinding all of those mitigations all in the name of not having to write your own emails."
- wrs agreed with the negative sentiment: "The problem is exactly that we seem to have forgotten how dangerous the early web was and are blithely reproducing that history."
- jare expressed concern about the scale of risk: "I'm ok with individual pioneers taking high but informed risks in the name of progress. But this sounds like companies putting millions of users in wing suits instead."
The Value of Human Interaction and Potential Meaninglessness
A notable theme is the concern that AI automation, particularly in communication, could devalue human interaction and lead to a sense of emptiness or meaninglessness.
- bbarnett expressed strong feelings about AI in personal communication: "But as soon as it gets one on one, the use of AI should almost be a crime. It certainly should be a social taboo. It's almost akin to talking to a person, one on one, and discovering they have a hidden earpiece, and are being prompted on how to respond." They continued, "Replacing intimate human communication with AI, replacing one-on-one conversations with the humans we work with, play with, are friends with, with AI? That's sad. So very, very, very sad."
- mrs6969 questioned the fundamental purpose of communication tools if AI abstracts away the human element: "If AI generates, and fills, and uses it, what good do we have having a form? Feel like things get meaningless when AI starts doing it. Would you still be watching youtube, if you knew it is fully AI generated, or would you still be reading hackernews, if you knew there's not a single human writing here?"
- ares623 predicted a societal shift: "And with outdoor places getting more and more rare/expensive, they'll have no choice but to consume slop."
- chankstein38 related this to the "point" of tools: "It's like emails. If, instead of writing an email, I gave AI some talking points and then told it to generate an email around that, then the person that I sent it to has AI summarize it.... What's the point of email? Why would we still use email at all?"
- rpowers posed a similar question about other media: "If AI can just scan a video and provide bullet points, what's the point of the video at all? Same with UI/UX in general. Without real users, then it starts to feel meaningless."
Limitations in AI's Current Capabilities and the "Vibe Coding" Problem
Several comments pointed out the technical limitations of current LLMs in reliably interacting with complex web interfaces, and the pitfalls of "vibe coding" or poorly implemented AI features.
- aliljet shared their experience: "Having played a LOT with browser use, playwright, and puppeteer (all via MCP integrations and pythonic test cases), it's incredibly clear how quickly Claude (in particular) loses the thread as it starts to interact with the browser. There's a TON of visual and contextual information that just vanishes as you begin to do anything particularly complex."
- MattSayar noted a similar issue: "Same. When I try to get it to do a simple loop (eg take screenshot, click next, repeat) it'll work for about five iterations (out of a hundred or so desired) then say, 'All done, boss!'"
- tripplyons emphasized the need for proof: "Definitely a good idea to wait for real evidence of it working. Hopefully they aren't just using the same model that wasn't really trained for browser use."
- robots0only was skeptical of Anthropic's approach: "Claude is extremely poor at vision when compared to Gemini and ChatGPT. I think Anthropic severely overfit their evals to coding/text etc. use cases. Maybe naively adding browser use would work, but I am a bit skeptical."
- parsabg offered a more technical critique: "It's clear to me that the tech just isn't there yet. The information density of a web page with standard representations (DOM, screenshot, etc) is an order of magnitude lower than that of, say, a document or piece of code, where LLMs shine. So we either need much better web page representations, or much more capable models, for this to work robustly."
- vunderba critiqued the development process: "I don't know if this site was built by dogfooding with their own agents, but this just outlines a massive limitation where automated TDD doesn't come close to covering the basic question 'does my site look off?' when vibe coding."
- jampa and coffeecoders highlighted that the announcement website itself was broken, with coffeecoders providing a screenshot and rafram noting, "It's not only you. I tested in three different web browsers, each with their own rendering engine (Webkit, Chromium, Gecko), and all of them show no text. It's not invisible, it's plain not there." latexr added, "Did they tell their AI to make a website and push to production without supervision?"
"Agentification" vs. APIs and the Future of the Web
There was a discussion about whether AI agents interacting with web UIs is the optimal path forward, with some suggesting that better APIs and structured data (like the proposed MCP) would be more robust and secure.
- asdff questioned the approach: "All that is needed is to have computer vision and some basic HTML parsing to query databases so that we can query any website on the internet and download content from it. Instead, these agents are attempting to brute-force their way through the consumer front-end. This is the digital equivalent of building a house out of garbage when you could just use a pre-fabricated building kit that is already available."
- bustodisgusto proposed a different model: "The DOM is merely inexpensive, but obviously the answer can't be solely in the DOM but in the visual representation layer because that's the final presentation to the user's face. Also the DOM is already the subject of cat and mouse games, this will just add a new scale and urgency to the problem. Now people will be putting fake content into the DOM and hiding content in the visual layer."
- ambicapter countered the idea of readily available APIs: "Those APIs aren't generally available to the public, are they?"
- dudeWithAMood provided a stark example from the travel industry: "Dude you do not understand how bad those 'APIs' are for booking flights. Customers of Travelport often have screen reading software that reads/writes to a green screen. There's also tele-type, but like most of the GDS providers use old IBM TPF mainframes."
- zukzuk noted the problem in healthcare: "This is a massive problem in healthcare, at least here in Canada. Most of the common EMRs doctors and other practitioners use either don't have APIs, or if APIs exist they are closely guarded by the EMR vendors."
- adam_arthur suggested a more refined approach to context: "The LLM should not be seeing the raw DOM in its context window, but a highly simplified and compact version of it. In general LLMs perform worse both when the context is larger and also when the context is less information dense."
- felarof agreed and pointed to an existing solution: "Precisely! There is already something, the accessibility tree, that the Chromium rendering engine constructs, which is a semantically meaningful version of the DOM. This is what we use at BrowserOS.com"
- shawm proposed an alternative direction: "Maybe people will start making simpler/smaller websites in order to work better with AI tools. That would be nice."
- onesociety2022 discussed the business implications: "Even the websites whose primary source of revenue is not ad impressions might be resistant to let the agents be the primary interface through which users interact with their service. Instacart currently seems to be very happy to let ChatGPT Operator use its website to place an order... But what happens when the primary interface for shopping with Instacart is no longer their website or their mobile app? OpenAI could demand a huge take rate for orders placed via ChatGPT agents, and if they don't agree to it, ChatGPT can strike a deal with a rival company and push traffic to that service instead."
Google's Dominance and Anthropic's Position
One user considered the competitive landscape, particularly Google's position in the browser market.
- linhns mused, "With Google dominating the browser battle and Gemini being decent enough for these tasks, this must be a losing effort for Anthropic?"