• 3 min read
Claude Chrome bug can trigger AI actions via fake clicks
Researchers say Anthropic’s Claude for Chrome accepts synthetic clicks, letting a malicious extension launch built-in workflows in Gmail, Docs, Calendar, and Salesforce.

Image: BleepingComputer
A flaw in Anthropic’s Claude for Chrome could let a malicious browser extension trigger the assistant’s built-in actions by faking user clicks. According to Ax Sharma of Manifold Security, the issue could be used to abuse Claude’s access to connected services including Gmail, Google Docs, Google Calendar, and Salesforce.
The problem comes from how the extension decides whether a user intentionally launched one of its predefined workflows. Browser extensions that are allowed to run on a site can inject JavaScript into the page, modify elements, read visible content, and generate click or keyboard events programmatically.
Manifold’s report says the Claude extension listens for click events on a specific page element that starts one of its built-in workflows. The supported tasks include:
- usecase-gmail: read recent Gmail, identify promotional emails, and click unsubscribe
- usecase-gdocs: open the user’s latest Google Doc and read comments and feedback
- usecase-calendar: read Google Calendar, find free slots, and create meetings
- usecase-salesforce: modify Salesforce leads and convert them to opportunities
How the synthetic click issue works
The researchers found that the extension accepted JavaScript-generated click events without checking whether they came from a real user. In browsers, genuine user actions are marked with Event.isTrusted = true, while script-generated events are marked false.
According to Manifold, Claude did not verify Event.isTrusted before running a workflow. That means a malicious extension with permission to modify content on the claude.ai domain could inject an element containing one of the supported task identifiers, fire a synthetic click, and have Claude treat it as legitimate.

Recommended reading
One in six PCs still run Windows 10
Sharma noted that this does not enable arbitrary prompt injection. The attack is limited to the nine predefined tasks built into the extension, and it also requires the victim to install a malicious extension capable of executing code on claude.ai.
Even so, the researchers say the flaw could let that malicious extension piggyback on Claude’s authenticated access to other services. The impact depends on how Claude is configured and whether the user has enabled “Act without asking,” an optional setting that allows predefined workflows to run automatically.
The team also identified an internal skipPermissions=true parameter that bypassed some permission checks when launching the extension. But Manifold said that issue was not directly exploitable on its own and would need another vulnerability to make use of a specially crafted URL.
Anthropic acknowledged both reports through its bug bounty program. The company closed the synthetic-click report, saying it was already tracking the issue more broadly, while the skipPermissions=true finding was classified as informational.
Manifold says both flaws were still reproducible in version 1.0.80, released on July 7.
“Manifold verified July 7 that both findings remain reproducible in 1.0.80. The content script and side-panel handlers we cited are byte-identical to the v1.0.72 source.”
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


