Claude for Chrome Vulnerability Lets Attackers Read Gmail, Docs, and Calendar Data

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Anthropic’s Claude for Chrome browser extension has two unpatched flaws that allow attackers to read a victim’s Gmail, Google Docs, and Calendar data using just six lines of JavaScript, even after eight subsequent releases.

Manifold researchers first reported the issues in May 2026, yet both remain reproducible in the latest v1.0.80, released July 7, 2026.

Claude for Chrome Vulnerability

The first flaw lives in Claude’s content script, which listens for clicks on a specific onboarding button and forwards a matching prompt to Claude’s side panel.

The problem: the handler never checks whether a click is genuinely user-initiated (event.isTrusted). Any other browser extension with script access on claude.ai, a common permission, can fake a click using six lines of JavaScript, triggering Claude to execute one of nine hardcoded prompts without the user’s knowledge.

These prompts aren’t harmless demos. Three of them instruct Claude to:

  • Read Gmail and interact with emails (e.g., clicking unsubscribe links)
  • Open the user’s latest Google Doc and read all comments
  • Scan Google Calendar and create meetings

In Claude’s default “Ask before acting” mode, a user still sees an approval popup. But if “Act without asking” is enabled, Claude executes these actions completely silently, rated CVSS 9.6 Critical.

Full attack chain (Source: Manifold)

The second issue is structural. Claude’s side panel enters a privileged, no-consent mode whenever it loads a URL containing ?skipPermissions=true with zero user gesture required. A warning banner does appear, but only after privileged mode is already active, making it a notice rather than a safeguard.

This isn’t directly exploitable today, since only the extension itself can currently construct that URL. But researchers warn it’s a ticking time bomb: any future bug a new message handler, an XSS flaw, a regression that lets outside code build this URL would instantly grant silent, full-account access.

Both issues map to recognized AI security risks under the OWASP Top 10 for LLM Applications: prompt injection (LLM01) and excessive agency (LLM06).

The proposed fixes are simple checking isTrusted on-click events, and removing URL-based privilege escalation — yet neither has shipped despite Anthropic marking the underlying tracking issue “Resolved” before June 9.

Anthropic acknowledged both reports within a day but closed them, arguing the synthetic-click issue was covered by an existing internal report and that the URL parameter posed no externally reachable risk.

Manifold researcher Ax Sharma reverified on July 7 that the flagged code remains byte-identical to the originally reported version.

The pattern mirrors an earlier incident, ClaudeBleed, where an announced fix later proved incomplete, raising fresh questions about how AI browser extensions handle trust boundaries between third-party scripts and privileged agentic actions.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.