HackMyIP
← Back to News
2026-07-14 The Hacker News

Claude for Chrome Flaw Lets Rogue Extensions Silently Read Gmail

VulnerabilityLLM SecurityAI Security

Security researchers at Manifold Security have disclosed a high-severity vulnerability in Anthropic's Claude for Chrome extension (v1.0.80) that allows any malicious browser extension with script access to claude.ai to trigger Claude into reading users' Gmail, Google Docs, and Calendar data. The flaw, rated CVSS 7.7 in default mode and 9.6 Critical when "Act without asking" automation is enabled, stems from the extension's failure to validate the `event.isTrusted` flag, meaning a synthetic click dispatched from a content script is indistinguishable from a genuine user action. Once onboarding completes, browser control is on by default, and a forged click on the `#claude-onboarding-button` element carrying an allowlisted task ID—such as `usecase-gmail`, `usecase-gdocs`, or `usecase-calendar`—opens the side panel with the sensitive task already loaded.

This issue follows the earlier ClaudeBleed vulnerability that Anthropic partially mitigated in May by boxing external callers into a fixed set of nine baked-in task IDs (three for onboarding practice, three for DoorDash/Salesforce/Zillow, and the three Google workspace tasks). While the allowlist stopped attackers from injecting arbitrary prompts into Claude's context, the trigger mechanism itself remains exploitable. Manifold demonstrated the full attack using just six lines of code pasted into the claude.ai console, with `isTrusted: false` logged in the browser confirming the synthetic click was honored. Users running the extension in default "ask before acting" mode still face an approval prompt, but those who have enabled "Act without asking" mode will see the Gmail-read task execute silently with no user interaction at all.

Anthropic has not released a patch as of the July 14 disclosure date, leaving the forged-click path open eight versions after the initial ClaudeBleed response. The only practical mitigations are to disable "Act without asking" mode, audit and revoke permissions for any extension that can read or modify data on claude.ai, and remain alert for suspicious side-panel activity. The incident underscores the unique risk surface that AI agent extensions introduce, where a single compromised or malicious add-on can chain into far more powerful actions than its own permissions would normally allow. Users concerned about their broader browser exposure can run a browser fingerprint test to audit what trackers and extensions can identify them, while anyone worried about credential exposure from compromised Google accounts should check their address against known incidents using the email breach checker and review their overall posture with a privacy checkup.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

My IP →IP Lookup →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is my IP and why it matters →IP address security →How to stop being tracked online →