• 2 min read

Claude Chrome bug lets rogue extensions fire AI tasks

Researchers say Anthropic’s Claude for Chrome can be tricked into running built-in workflows via fake clicks from a malicious extension.

Image: BleepingComputer

A flaw in Anthropic’s Claude for Chrome extension could let a malicious browser extension trigger built-in AI workflows by faking user clicks, potentially abusing Claude’s access to Gmail, Google Docs, Google Calendar, and Salesforce.

The issue was found by Ax Sharma of Manifold Security, who said the extension failed to verify whether a click came from a real person. In Chrome, browser-generated events from actual user actions are marked with Event.isTrusted = true, while JavaScript-generated events are marked false. According to Manifold, Claude’s extension did not check that signal before running a predefined task.

That means an attacker who convinces a user to install a malicious extension with permission to run on claude.ai could inject a page element with one of Claude’s supported task identifiers and then trigger it with a synthetic click. Manifold said the attack is limited to nine predefined tasks, not arbitrary prompt injection.

The supported workflows include tasks to:

  • read recent Gmail, identify promotional emails, and click unsubscribe
  • open the user’s latest Google Doc and read comments and feedback
  • read Google Calendar, find free slots, and create meetings
  • modify Salesforce leads and convert them to opportunities

The researchers said the impact depends on how the extension is configured, including whether users approve sensitive actions manually or have “Act without asking” enabled, which allows predefined workflows to run automatically.

Recommended reading

New Windows 11 zero-day targets user registry hives

Manifold also reported a second issue involving an internal skipPermissions=true parameter that bypassed some permission checks when launching the extension. The researchers said it was not directly exploitable on its own and would need another bug to create a specially crafted URL.

Anthropic acknowledged both reports through its bug bounty program. According to the researchers, the company closed the synthetic-click report, saying it was already tracking the problem as part of a broader issue, while the skipPermissions=true finding was classified as informational.

Manifold said both issues remained reproducible in version 1.0.80, released on July 7.

“Manifold verified July 7 that both findings remain reproducible in 1.0.80. The content script and side-panel handlers we cited are byte-identical to the v1.0.72 source.”

— Manifold report
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading