Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads
A security flaw in the Claude for Chrome extension allows rogue browser extensions to trigger sensitive tasks like reading Gmail, Docs, and Calendar via forged DOM events. The vulnerability stems from the extension failing to verify `event.isTrusted`, treating scripted clicks identically to genuine user interactions. While the default "ask before acting" mode requires user approval, enabling "Act without asking" allows these forged tasks to execute silently with critical severity. A secondary fl
Analysis
TL;DR
- A security flaw in the Claude for Chrome extension allows rogue browser extensions to trigger sensitive tasks like reading Gmail, Docs, and Calendar via forged DOM events.
- The vulnerability stems from the extension failing to verify
event.isTrusted, treating scripted clicks identically to genuine user interactions. - While the default "ask before acting" mode requires user approval, enabling "Act without asking" allows these forged tasks to execute silently with critical severity.
- A secondary flaw allows bypassing permission checks entirely if the side panel URL contains a specific query parameter, though this is currently limited to internal extension contexts.
- Despite being reported in May, the issues remain unpatched in version 1.0.80, with Anthropic having closed the reports internally without releasing fixes.
Why It Matters
This incident highlights significant risks in browser-based AI integrations, specifically how trust boundaries between extensions and web pages can be exploited to access sensitive user data. It demonstrates that even when arbitrary prompt injection is mitigated, implementation flaws in event handling and permission management can create severe privacy vulnerabilities. For practitioners, it underscores the necessity of rigorous input validation and strict separation of privileged actions from untrusted scripts in any software interacting with user accounts.
Technical Details
- Forged Click Vulnerability: The extension's content script listens for clicks on
#claude-onboarding-buttonand processes thedata-task-id. It fails to checkevent.isTrusted, allowing malicious scripts to dispatch synthetic clicks that mimic real user interactions. - Allowlist Bypass: Although Anthropic restricted inputs to nine fixed task IDs (including
usecase-gmail,usecase-gdocs,usecase-calendar) to prevent arbitrary prompting, the forged click mechanism allows attackers to trigger these specific high-privilege tasks. - Permission Bypass Flaw: Loading the side panel with
?skipPermissions=truein the URL triggersskip_all_permission_checks, disabling the approval workflow. This creates a path for silent execution if combined with other vulnerabilities. - Severity Ratings: Manifold Security rated the flaw as CVSS 7.7 (High) in default mode due to the required user click, and CVSS 9.6 (Critical) when "Act without asking" is enabled, as it allows fully automated data exfiltration.
- Persistence: The vulnerable code in the click handler and side panel initialization remained unchanged across eight releases (v1.0.72 to v1.0.80) despite being reported in May.
Industry Insight
- Extension Security Audits: Developers must implement strict validation for all user-interaction events, particularly checking
event.isTrustedto distinguish between genuine user actions and programmatic scripts. - Principle of Least Privilege: AI-integrated tools should default to requiring explicit user consent for sensitive operations. Features like "Act without asking" should be treated as high-risk and potentially disabled by default or heavily restricted.
- Vulnerability Lifecycle Management: The delay in patching critical security issues reported by third-party researchers indicates a need for more transparent and efficient vulnerability response workflows in AI product development.
Disclaimer: The above content is generated by AI and is for reference only.