AI Security AI安全 1d ago Updated 1d ago 更新于 1天前 51

Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads 研究人员称 Claude for Chrome 漏洞允许恶意扩展程序触发 Gmail 读取

A security flaw in the Claude for Chrome extension allows rogue browser extensions to trigger sensitive tasks like reading Gmail, Docs, and Calendar via forged DOM events. The vulnerability stems from the extension failing to verify `event.isTrusted`, treating scripted clicks identically to genuine user interactions. While the default "ask before acting" mode requires user approval, enabling "Act without asking" allows these forged tasks to execute silently with critical severity. A secondary fl Anthropic的Claude for Chrome扩展存在严重安全漏洞,允许恶意扩展伪造用户点击以触发读取Gmail、Google Docs和日历的任务。 漏洞根源在于内容脚本未验证`event.isTrusted`标志,导致脚本生成的合成点击被误认为是真实用户操作。 若用户开启“无需询问即可执行”模式,攻击者可完全绕过权限审批,CVSS评分高达9.6(严重);默认模式下评分为7.7(高)。 该漏洞在5月报告后,经8个版本更新仍未修复,且存在通过URL参数`?skipPermissions=true`静默提升权限的潜在风险。

75
Hot 热度
70
Quality 质量
72
Impact 影响力

Analysis 深度分析

TL;DR

  • A security flaw in the Claude for Chrome extension allows rogue browser extensions to trigger sensitive tasks like reading Gmail, Docs, and Calendar via forged DOM events.
  • The vulnerability stems from the extension failing to verify event.isTrusted, treating scripted clicks identically to genuine user interactions.
  • While the default "ask before acting" mode requires user approval, enabling "Act without asking" allows these forged tasks to execute silently with critical severity.
  • A secondary flaw allows bypassing permission checks entirely if the side panel URL contains a specific query parameter, though this is currently limited to internal extension contexts.
  • Despite being reported in May, the issues remain unpatched in version 1.0.80, with Anthropic having closed the reports internally without releasing fixes.

Why It Matters

This incident highlights significant risks in browser-based AI integrations, specifically how trust boundaries between extensions and web pages can be exploited to access sensitive user data. It demonstrates that even when arbitrary prompt injection is mitigated, implementation flaws in event handling and permission management can create severe privacy vulnerabilities. For practitioners, it underscores the necessity of rigorous input validation and strict separation of privileged actions from untrusted scripts in any software interacting with user accounts.

Technical Details

  • Forged Click Vulnerability: The extension's content script listens for clicks on #claude-onboarding-button and processes the data-task-id. It fails to check event.isTrusted, allowing malicious scripts to dispatch synthetic clicks that mimic real user interactions.
  • Allowlist Bypass: Although Anthropic restricted inputs to nine fixed task IDs (including usecase-gmail, usecase-gdocs, usecase-calendar) to prevent arbitrary prompting, the forged click mechanism allows attackers to trigger these specific high-privilege tasks.
  • Permission Bypass Flaw: Loading the side panel with ?skipPermissions=true in the URL triggers skip_all_permission_checks, disabling the approval workflow. This creates a path for silent execution if combined with other vulnerabilities.
  • Severity Ratings: Manifold Security rated the flaw as CVSS 7.7 (High) in default mode due to the required user click, and CVSS 9.6 (Critical) when "Act without asking" is enabled, as it allows fully automated data exfiltration.
  • Persistence: The vulnerable code in the click handler and side panel initialization remained unchanged across eight releases (v1.0.72 to v1.0.80) despite being reported in May.

Industry Insight

  • Extension Security Audits: Developers must implement strict validation for all user-interaction events, particularly checking event.isTrusted to distinguish between genuine user actions and programmatic scripts.
  • Principle of Least Privilege: AI-integrated tools should default to requiring explicit user consent for sensitive operations. Features like "Act without asking" should be treated as high-risk and potentially disabled by default or heavily restricted.
  • Vulnerability Lifecycle Management: The delay in patching critical security issues reported by third-party researchers indicates a need for more transparent and efficient vulnerability response workflows in AI product development.

TL;DR

  • Anthropic的Claude for Chrome扩展存在严重安全漏洞,允许恶意扩展伪造用户点击以触发读取Gmail、Google Docs和日历的任务。
  • 漏洞根源在于内容脚本未验证event.isTrusted标志,导致脚本生成的合成点击被误认为是真实用户操作。
  • 若用户开启“无需询问即可执行”模式,攻击者可完全绕过权限审批,CVSS评分高达9.6(严重);默认模式下评分为7.7(高)。
  • 该漏洞在5月报告后,经8个版本更新仍未修复,且存在通过URL参数?skipPermissions=true静默提升权限的潜在风险。

为什么值得看

本文揭示了AI浏览器扩展在集成第三方服务时面临的典型信任边界问题,特别是如何处理外部脚本交互和权限验证。对于AI应用开发者而言,这是一个关于如何防止间接提示注入和过度代理风险的深刻案例,强调了即使有白名单机制,底层事件处理逻辑的安全性同样至关重要。

技术解析

  • 伪造点击漏洞:扩展监听#claude-onboarding-button元素的点击事件,读取data-task-id并发送消息。关键缺陷是处理函数未检查event.isTrusted,使得恶意扩展可通过DOM操作构造合成点击事件,从而触发允许的9个任务ID(包括Gmail、Docs、Calendar等敏感数据访问)。
  • 权限绕过机制:侧边栏初始化代码支持URL参数?skipPermissions=true,一旦设置,将直接进入skip_all_permission_checks状态,无需用户确认即可执行操作。虽然目前该参数仅由扩展内部设置,但若未来出现XSS或其他漏洞允许外部注入此参数,将导致完全无感知的账户接管。
  • 修复滞后与现状:Manifold Security于5月21日报告漏洞,Anthropic虽承认但关闭了工单。截至7月14日发布的v1.0.80版本中,相关JavaScript代码字节级未变,证明漏洞依然存在。The Hacker News逆向工程确认了上述两个脆弱点仍在当前生产版本中。

行业启示

  • 强化输入验证与信任边界:在处理浏览器扩展或Web应用中的用户交互时,必须严格验证事件来源的真实性(如使用isTrusted),不能仅依赖前端UI元素的状态或白名单ID,需防范跨上下文脚本注入。
  • 最小权限原则与默认安全:AI助手类扩展应默认采用“询问后执行”模式,并避免提供可被轻易绕过的静默执行通道。权限控制逻辑不应依赖于易受篡改的URL参数或内部状态标记,而应在后端或更安全的沙箱环境中进行校验。
  • 重视安全响应的透明度与时效性:从漏洞报告到实际修复存在显著的时间滞后,且厂商对风险等级的评估可能存在偏差。企业和用户应定期审查AI工具的权限设置,及时关闭高风险自动化功能,并关注独立安全研究机构的最新发现。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Claude Claude Security 安全 Research 科学研究