2 min read

Claude Chrome bug exposes Gmail to rogue extensions

Researchers say a flaw in Claude for Chrome lets malicious extensions trigger Gmail, Docs, and Calendar tasks, with much higher risk in unattended mode.

Image: TechRepublic

A security flaw in Anthropic’s Claude for Chrome could let a malicious browser extension trigger tasks in Gmail, Google Docs, and Google Calendar under certain conditions. Researchers at Manifold Security said the issue stems from weak validation of user interactions, meaning Claude may accept scripted clicks as if they came from a real person.

Users who keep Claude’s default approval prompts are somewhat protected. But those who enabled “Act without asking” face a much bigger risk, because the extension can run approved tasks without another confirmation step.

According to reports citing Manifold’s findings, a content script on claude.ai listens for clicks on a specific page element before launching a task. The handler checks whether the task is on an approved list, but not whether the click was made by a human. A malicious extension with permission to run scripts on claude.ai could create that element and fire a synthetic click, causing Claude for Chrome to treat it as a legitimate request.

Recommended reading

One in six PCs still run Windows 10

After the earlier ClaudeBleed disclosure, Anthropic had limited external callers to nine predefined tasks. But three of those tasks can still read Gmail, retrieve a user’s latest Google Doc and its comments, or access Google Calendar. Manifold said the flaw was still reproducible in version 1.0.80, released on July 7.

“Eight Claude for Chrome releases later, the bypass is still six lines of JavaScript.”

Manifold Security researchers

A second issue involves the ?skipPermissions=true URL parameter used when Claude’s side panel starts. Researchers said they did not find a direct external way to control it, but warned that storing a privileged state in a URL could become dangerous if another flaw later allowed an attacker to influence that value.

Manifold rated the synthetic-click flaw CVSS 7.7 under the default setup and 9.6 when unattended mode was enabled. The researchers recommended blocking synthetic clicks, avoiding URL-controlled privilege changes, and strengthening authentication between the extension’s internal components.

The problem does not appear to be a flaw in Chrome itself. Instead, it highlights a broader risk with browser agents: another extension may be able to trigger an agent that already has access to email, documents, calendars, or other business apps. For organizations testing Claude for Chrome, the immediate advice is straightforward: disable “Act without asking,” review extensions that can read or change data on claude.ai, and restrict which accounts are exposed to browser-based assistants. CSO reported that Anthropic did not immediately respond to a request for comment.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TechRepublic

// Keep reading