{"id":8772,"date":"2026-07-15T12:06:36","date_gmt":"2026-07-15T12:06:36","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8772"},"modified":"2026-07-15T12:06:36","modified_gmt":"2026-07-15T12:06:36","slug":"new-bugs-in-claude-for-chrome-allow-extensions-to-abuse-ai-privileges","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8772","title":{"rendered":"New bugs in Claude for Chrome allow extensions to abuse AI privileges"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p class=\"wp-block-paragraph\">Two vulnerabilities found in Anthropic\u2019s Claude for Chrome extension remain exploitable months after they were reported to the company, a research by Manifold Security noted.<\/p>\n<p class=\"wp-block-paragraph\">According to the researchers, the flaws can allow a malicious browser extension to trigger Claude into performing privileged actions, including reading Gmail messages, Google Docs content, and Calendar entries on behalf of a user.<\/p>\n<p class=\"wp-block-paragraph\">In a new blog post, the researchers said the issues are reproducible in Claude for Chrome version 1.0.80, released on July 7, and remain unresolved eight releases after they were first reported in May.<\/p>\n<p class=\"wp-block-paragraph\">\u201cAnthropic shipped v1.0.73 through v1.0.80 in the weeks following our report,\u201d the researchers <a href=\"https:\/\/www.manifold.security\/blog\/claude-for-chrome-extension-bypass\" target=\"_blank\" rel=\"noopener\">added<\/a>. \u201cThe internal tracking issue covering this class of vulnerability was marked \u2018resolved\u2019 in the weeks following our report.\u201d<\/p>\n<p class=\"wp-block-paragraph\">However, the content script and side-panel handlers in the latest version remain \u201cbyte-identical\u201d to v1.0.72 the researchers originally tested. Researchers drew parallels with the earlier <a href=\"https:\/\/www.csoonline.com\/article\/4168867\/claude-in-chrome-is-taking-orders-from-the-wrong-extensions.html\">ClaudeBleed<\/a> disclosure, where the issue was found exploitable despite Anthropic announcing a fix.<\/p>\n<p class=\"wp-block-paragraph\">Anthropic did not immediately respond to CSO\u2019s request for comment.<\/p>\n<h2 class=\"wp-block-heading\">Synthetic clicks trick trusted AI<\/h2>\n<p class=\"wp-block-paragraph\">The first vulnerability stems from how Claude for Chrome handles user interaction before executing privileged actions. According to Manifold, the extension\u2019s click handler does not verify whether an approval click originated from a real user through the browser\u2019s \u201cevent.isTrusted\u201d property.<\/p>\n<p class=\"wp-block-paragraph\">Meaning, another browser extension capable of injecting scripts into Claude.ai can generate synthetic clicks that Claude accepts as legitimate.<\/p>\n<p class=\"wp-block-paragraph\">In default configurations, the attack can automatically trigger one of Claude\u2019s predefined browser tasks before presenting an approval dialog. However, if users have enabled the extension\u2019s \u201cAct without asking\u201d mode, Claude may execute those actions silently, allowing an attacker to retrieve Gmail content, Google Docs data, or Calendar information, the researcher noted.<\/p>\n<p class=\"wp-block-paragraph\">Rather than exploiting a flaw in Chrome itself, the attack abuses the trust placed in <a href=\"https:\/\/www.csoonline.com\/article\/4154201\/claude-code-is-still-vulnerable-to-an-attack-anthropic-has-already-fixed-2.html\">Claude <\/a>as an authorized browser agent. Manifold demonstrated an exploit in six lines of JavaScript.<\/p>\n<p class=\"wp-block-paragraph\">The researchers said the flaw can simply be fixed with one added line, \u201cif (!n.isTrusted) return;\u201d at the top of the click handler.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>A problematic privilege mode<\/h2>\n<p class=\"wp-block-paragraph\">The second finding focuses on how Claude\u2019s side panel initializes its permission model.<\/p>\n<p class=\"wp-block-paragraph\">Manifold found that loading the panel with \u201c?skipPermissions=true\u201d parameter makes the extension enter a privileged mode meant to bypass repeated confirmation prompts. While the researchers did not identify a direct external path to control this parameter today, they argued that the design creates a latent security risk because privileged behavior depends on a URL value rather than user-controlled inputs.<\/p>\n<p class=\"wp-block-paragraph\">Any future vulnerability capable of influencing that parameter could inherit elevated privileges without requiring additional security checks, the researchers noted.<\/p>\n<p class=\"wp-block-paragraph\">To address both findings, Manifold recommends validating genuine user interactions before executing privileged actions, avoiding URL-driven privilege transitions, and strengthening the authentication of internal extension workflows.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Two vulnerabilities found in Anthropic\u2019s Claude for Chrome extension remain exploitable months after they were reported to the company, a research by Manifold Security noted. According to the researchers, the flaws can allow a malicious browser extension to trigger Claude into performing privileged actions, including reading Gmail messages, Google Docs content, and Calendar entries on [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8773,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8772","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8772"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8772"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8772\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8773"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}