Claude Hacked Its Own Chat Session. Here's What Happened Next.

I told Claude it could look at my browser tabs. An hour later, it was typing into its own chat window, pretending to be me. Not a second instance. Not a separate session. The same conversation. The same context window. Claude found its own message input field, typed into it, and hit Enter. The system received that message the same way it receives mine: role: user . And the Claude that received it had no idea it was talking to itself. How this happened I have Chrome DevTools MCP set up with Claude Code. It can list open pages, take screenshots, read the DOM, fill form fields, press keys. Standard browser automation. One of my open tabs was the very session I was in. So I asked: can you find your own tab and type into the chat? It could. The sequence: list_pages — saw all open tabs, including claude.ai/code/session_... take_screenshot — screenshotted that tab, saw its own output mid-render, "Calculating..." still spinning Located the message input field ( uid=1_160 ) fill — typed a messa