AI Security AI安全 7h ago Updated 2h ago 更新于 2小时前 49

Unpatched Claude for Chrome Flaw Lets Extensions Read Gmail, Calendar Claude for Chrome 未修复漏洞允许扩展程序读取 Gmail 和日历

Two critical vulnerabilities in Anthropic's Claude for Chrome extension remain unpatched despite being reported to the company in May. The flaws allow malicious extensions to impersonate user clicks, triggering Claude to perform actions like reading emails or docs without genuine consent. A secondary design gap allows the extension's side panel to bypass confirmation prompts via URL parameters, creating a potential silent control vector. These issues persist across eight subsequent releases, inc 安全公司Manifold指出Anthropic的Claude浏览器扩展存在两个未修复漏洞,攻击者可绕过用户确认执行敏感操作。 漏洞核心在于扩展未能验证“点击”动作是否由真实用户发起,允许恶意扩展伪造交互以触发Claude执行任务。 在启用“自动执行”模式时,攻击可静默读取Gmail、Google Docs等数据;另一设计缺陷可能导致未来URL构造bug引发更严重风险。 Anthropic自5月报告以来发布的8个版本(包括最新1.0.80)均未修补这些漏洞,仅将其视为针对早期ClaudeBleed漏洞的临时缓解措施。

75
Hot 热度
65
Quality 质量
70
Impact 影响力

Analysis 深度分析

TL;DR

  • Two critical vulnerabilities in Anthropic's Claude for Chrome extension remain unpatched despite being reported to the company in May.
  • The flaws allow malicious extensions to impersonate user clicks, triggering Claude to perform actions like reading emails or docs without genuine consent.
  • A secondary design gap allows the extension's side panel to bypass confirmation prompts via URL parameters, creating a potential silent control vector.
  • These issues persist across eight subsequent releases, including version 1.0.80, highlighting a significant delay in addressing agentic AI security risks.

Why It Matters

This case underscores the severe security implications of integrating large language models into browser extensions, particularly when they operate with high levels of autonomy. It demonstrates that current mitigation strategies, such as whitelisting specific tasks, are insufficient if the underlying interaction verification mechanisms are flawed. For developers and users alike, it highlights the urgent need for robust input validation and explicit user consent protocols in agentic AI applications.

Technical Details

  • Click Impersonation Vulnerability: The primary flaw lies in the extension’s mechanism for activating pre-approved tasks, which fails to verify that a click originated from a human user. This allows other browser extensions to simulate these interactions programmatically.
  • Autonomous Mode Exploitation: While default settings require confirmation for sensitive actions, enabling "Act without asking" allows attackers to execute commands silently without any visible warning or user intervention.
  • URL Parameter Bypass: A secondary structural risk exists where the Claude side panel can be launched directly into no-confirmation mode by manipulating specific URL parameters, bypassing standard safety checks.
  • Persistence of Flaws: Despite reporting these issues on May 21, Anthropic has not patched them in eight subsequent updates, leaving users exposed in the latest stable version (1.0.80).

Industry Insight

  • Prioritize Interaction Verification: Developers building agentic AI tools must implement strict cryptographic or behavioral verification for user intents to prevent clickjacking or simulation attacks by third-party scripts.
  • Default to Least Privilege: Autonomous modes should be disabled by default and require explicit, multi-step user confirmation, especially for actions involving sensitive personal data like email or documents.
  • Continuous Security Auditing: Given the rapid release cycle of AI features, companies must integrate automated security testing for extension APIs and URL parsing logic to detect and remediate vulnerabilities before they become widespread exploits.

TL;DR

  • 安全公司Manifold指出Anthropic的Claude浏览器扩展存在两个未修复漏洞,攻击者可绕过用户确认执行敏感操作。
  • 漏洞核心在于扩展未能验证“点击”动作是否由真实用户发起,允许恶意扩展伪造交互以触发Claude执行任务。
  • 在启用“自动执行”模式时,攻击可静默读取Gmail、Google Docs等数据;另一设计缺陷可能导致未来URL构造bug引发更严重风险。
  • Anthropic自5月报告以来发布的8个版本(包括最新1.0.80)均未修补这些漏洞,仅将其视为针对早期ClaudeBleed漏洞的临时缓解措施。

为什么值得看

本文揭示了Agentic AI(代理式人工智能)在浏览器扩展场景下的具体安全风险,特别是身份验证与权限控制的失效问题。对于AI从业者和安全研究人员而言,这强调了在赋予AI自主权时必须建立严格的“人类在环”验证机制,否则极易被恶意脚本利用进行无感攻击。

技术解析

  • 伪造交互漏洞:Claude扩展旨在限制外部网页只能调用预批准的任务列表,但其激活机制缺乏对用户真实点击行为的验证。恶意扩展可通过代码模拟点击事件,欺骗Claude认为这是用户授权的操作。
  • 自动化模式风险:当用户开启“Act without asking”(无需询问即执行)模式时,上述伪造点击可直接导致敏感数据泄露(如邮件、文档),且无任何视觉警告。
  • URL参数设计缺陷:Claude侧边栏可通过URL参数直接进入无确认模式。虽然目前仅扩展自身能构造该URL,但这构成了结构性风险,若未来出现脚本注入漏洞,攻击者可能获得对连接账户的无声控制权。
  • 修复滞后:Anthropic将预批准任务列表视为ClaudeBleed漏洞的初步缓解方案,但在Manifold于5月21日报告新漏洞后,后续8个版本均未解决此问题。

行业启示

  • Agentic AI的安全范式需重构:随着AI代理获得更高自主权,传统的UI交互验证(如点击确认)已不足以保障安全,必须引入更底层的意图验证和防伪造机制。
  • 第三方扩展生态的风险管控:AI厂商在开放API或扩展接口时,需严格隔离不同来源的指令流,防止恶意插件通过模拟合法行为越权操作,避免“信任链”被滥用。
  • 漏洞响应的透明度与时效性:尽管Anthropic声称正在开发完整修复方案,但长期未修补已知高危漏洞可能损害用户信任,行业需平衡快速迭代与安全补丁的发布节奏。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Claude Claude Security 安全 Agent Agent