Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads

The Hacker News by The Hacker News
July 14, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar.

Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to the ClaudeBleed flaw, boxing external callers into a fixed set of tasks, but Manifold Security says the gap is still open in v1.0.80, the current release, eight versions later.

If you run Claude for Chrome and any other extension that can touch claude.ai, you are in scope. In the default “ask before acting” mode, the forged task still hits an approval box you have to click.

If you switched on “Act without asking,” the hands-off automation mode, it runs with no prompt at all. The quickest guard is to turn “Act without asking” off and review any extension with permission to read or change data on claude.ai. That restores the approval step but does not remove the forged-click path, and there is no patch as of July 14.

The Hacker News unpacked the current build and confirmed both mechanisms remain in v1.0.80.

The trigger accepts a forged click

After ClaudeBleed, Anthropic stopped letting the page hand Claude any text it wanted and boxed external callers into nine fixed task IDs baked into the extension bundle.

Three are onboarding practice prompts, three drive DoorDash, Salesforce, and Zillow, and the last three, usecase-gmail, usecase-gdocs, and usecase-calendar, are the ones that read your mail, your latest doc and its comments, and your calendar. The allowlist is a real improvement. The page can no longer put words in Claude’s mouth.

The weak point is what pulls the trigger. A content script in the extension listens on claude.ai for a click on a specific element (#claude-onboarding-button), reads its data-task-id, and if the ID is one of the nine allowlisted tasks, sends the extension an open_side_panel message carrying it. The panel opens with the matching prompt loaded. What the handler never checks is event.isTrusted, the browser flag that tells a real user click from one a script dispatched.

So any extension whose content script can reach the DOM on claude.ai can build the element, set the task ID, and dispatch a synthetic click. The extension treats it as a genuine tap. Manifold demonstrated the trigger with six lines pasted into the claude.ai console, with isTrusted: false in the logs confirming the fake click was honored.

With browser control on, the default once onboarding finishes, that forged click loads the usecase-gmail task into the panel. In default mode, an approval box still stands between that and any actual read, and the user has to click it. Manifold rates the flaw CVSS 7.7 High in that mode, and 9.6 Critical once a user has enabled “Act without asking,” where the same task runs silently.

The one-line fix, the researchers say, rejects synthetic clicks at the top of the handler. It has not shipped.

A quieter flaw sits underneath

The second issue is not remotely reachable today, but it is what removes the approval step if another flaw ever exposes it. When Claude’s side panel loads with ?skipPermissions=true in its URL, it boots straight into skip_all_permission_checks and starts acting without asking.

No gesture, no consent screen. A red banner warning that Claude can now take most actions online does appear, but only after the privileged session is already running. The banner tells you what happened. It does not stop it from happening.

For now, that URL can only be built by the extension itself, so there is no direct remote path. A future bug that lets a lower-privileged context set that parameter could turn the forged-click trick into a fully silent account read. That path could be exposed by a URL-accepting message handler, a panel-building regression, or an XSS flaw in the options page. Manifold’s fix is to stop reading permission mode from the URL and boot the panel in ask mode every time.

Manifold maps the working attack to the OWASP Top 10 for LLM apps as indirect prompt injection, since the attacker triggers one of the extension’s nine allowlisted prompts with a forged click, and the silent-execution risk to excessive agency. Both reproduce whether the side panel is set to Opus, Sonnet, or Fable. The bug is in the extension, not the model.

Reported in May, still in the shipping code

Manifold reported both issues on May 21 against v1.0.72. Anthropic acknowledged them the next day, then closed both. It shut the forged-click report on the grounds that the underlying trust-boundary problem was already tracked under the earlier ClaudeBleed report, which Anthropic said “remains open pending a complete fix.”

It closed the URL report as informative, arguing that the parameter is only ever set by the extension for tasks the user already told it to run unattended.

Yet the internal report meant to cover that fix was marked resolved before June 9, and eight releases later, the vulnerable code has not moved: Manifold checked v1.0.80 on July 7 and found the content-script click handler and the side-panel initialization byte-for-byte identical to the v1.0.72 it first reported.

Anthropic had not published a public response to Manifold’s findings as of July 14, and whether “resolved” means a fix is still coming or a call that the leftover risk does not warrant one is not something anyone outside the company can tell.

The scan bore that out. The Hacker News pulled version 1.0.80 from the Chrome Web Store, updated July 7, and available to all paid subscribers, unpacked it, and went through all 90 of its JavaScript bundles: the onboarding click handler fires on any matching click with no event.isTrusted guard, and the side panel reads skipPermissions from its own URL and switches into skip_all_permission_checks when it is set.

As of that date, we found no CVE for either issue and no advisory from Anthropic.

None of this is new for the extension. A separate flaw patched earlier this year let any website silently inject prompts into it, and ClaudeBleed began the same way in late April, when LayerX found that Claude for Chrome trusted the claude.ai origin instead of checking which script was actually talking to it, drove the assistant from a zero-permission extension, and found Anthropic’s first mitigation incomplete.

LayerX called ClaudeBleed a confused-deputy problem, a program with real authority acting for the wrong caller. Claude Code has shown a version of the same failure: a hostile repository could exfiltrate a developer’s Anthropic API keys. Anthropic calls the extension a beta, and it is open to every paid Claude subscriber.

Put an AI agent in your browser with your accounts already signed in, and another extension that can reach it can drive the capabilities Claude exposes, within the fixed task set and whatever approval mode you have set.

Both findings weaken the same boundary: Claude accepts a script-generated click as your intent, and its permission state can be set from a URL. Eight releases on, that boundary is still where Manifold left it in May.



Source link

The Hacker News

The Hacker News

Next Post
Cribl Acquires CardinalOps In Move To Expand Into Security Operations

Cribl Acquires CardinalOps In Move To Expand Into Security Operations

Recommended.

Huawei lance sa plateforme de données d’IA pour accélérer l’adoption de l’IA par les entreprises

Huawei lance sa plateforme de données d’IA pour accélérer l’adoption de l’IA par les entreprises

March 6, 2026
Generative AI fueled B boost in enterprise cloud spend last year

Generative AI fueled $60B boost in enterprise cloud spend last year

February 10, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio