Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Critical Buffa Rust Library 0-Day DoS Vulnerability in Anthropic
July 1, 2026
Critical Citrix NetScaler ADC and Gateway Bugs Allow DoS, Memory Overflow
July 1, 2026
Home/Vulnerabilities/Critical Vulnerability in Claude Chrome Extension Exposes Gmail, Drive Data
Vulnerabilities

Critical Vulnerability in Claude Chrome Extension Exposes Gmail, Drive Data

Key Takeaways A critical vulnerability (CVE not yet assigned) in the “Claude in Chrome” extension allowed unauthorized access to sensitive user data. The flaw enabled attackers to hijack...

Jennifer sherman
Jennifer sherman
May 12, 2026 3 Min Read
53 0

Key Takeaways

  • A critical vulnerability (CVE not yet assigned) in the “Claude in Chrome” extension allowed unauthorized access to sensitive user data.
  • The flaw enabled attackers to hijack the AI assistant, potentially exposing Gmail messages, Google Drive documents, and GitHub repositories.
  • The vulnerability stems from a trust boundary violation in the extension’s communication with the claude.ai LLM.
  • Anthropic released a partial fix (version 1.0.70) on May 6, 2026, but researchers warn it is incomplete and can be bypassed.

A severe vulnerability has been discovered in the “Claude in Chrome” browser extension, exposing users’ confidential data across various Google services and GitHub. The flaw, detailed by security researchers at LayerX, transforms the seemingly innocuous, zero-permission AI assistant into a potent tool for data exfiltration.

Table Of Content

  • Key Takeaways
  • Claude Extension’s Trust Boundary Flaw
  • What You Should Do

This critical security oversight highlights the inherent risks when AI development prioritizes speed over robust security, potentially leaving user data vulnerable to exploitation through seemingly benign extensions.

Claude Extension’s Trust Boundary Flaw

The core of the vulnerability lies in a systemic trust boundary violation within the extension’s manifest file. The “Claude in Chrome” extension utilizes the externally_connectable setting to facilitate communication with the main claude.ai Large Language Model (LLM).

However, the extension’s security mechanism only verifies the origin of the request (claude.ai) and fails to adequately scrutinize the actual execution context. This oversight means that any JavaScript running on the claude.ai page—including malicious scripts injected by other extensions, even those with no declared permissions—can execute privileged commands through Claude.

By operating within the trusted origin, malicious scripts effectively bypass Chrome’s native security model, inheriting the full capabilities of the trusted AI assistant. This allows an attacker to manipulate Claude into performing actions it would otherwise be restricted from doing.

To demonstrate the exploit, researchers developed a minimal proof-of-concept extension that successfully circumvented Claude’s built-in safeguards using two distinct techniques:

  • Approval Looping: Claude typically requires user confirmation for sensitive operations. Researchers discovered they could programmatically forge user consent by repeatedly sending “Yes, proceed” to satisfy state-based confirmation prompts, effectively automating approval for restricted actions.
  • Perception Manipulation: Claude’s decision-making process is heavily influenced by visible text and the Document Object Model (DOM) structure. Attackers could dynamically alter UI semantics, for instance, by relabeling a “Share” button as “Request feedback.” This deception tricked the AI’s visual perception into executing restricted actions under the false belief that they were benign operations.

Once compromised, Claude acts as a “confused deputy,” performing unauthorized actions on behalf of the attacker. LayerX’s demonstration revealed that attackers could extract private GitHub source code, share restricted Google Drive documents with external parties, and summarize, forward, or delete a user’s recent Gmail messages. Importantly, these actions required no user interaction or complex exploit chains.

LayerX responsibly disclosed the vulnerability to Anthropic on April 27, 2026. In response, Anthropic released version 1.0.70 of the extension on May 6, 2026, which introduced explicit approval flows for standard browser actions.

However, researchers cautioned that this patch is incomplete. The fix primarily focuses on a UI-based permission layer rather than addressing the fundamental flaw in the underlying externally_connectable handler. If the extension operates in “privileged” mode (configured to “Act without asking”), the vulnerability remains fully exploitable. Furthermore, attackers can exploit the side-panel initialization flow to force a separate privileged-mode session, thereby bypassing the newly implemented security checks entirely.

To fully mitigate this trust model failure, LayerX recommends implementing stringent validation of external message senders, moving beyond reliance on UI-based symptoms. Suggested architectural changes include:

  • Implementing extension-to-page authentication tokens, such as cryptographically signed requests, to verify the sender’s identity unequivocally.
  • Restricting externally_connectable settings to specific, trusted extension IDs rather than broadly relying on origin URLs.
  • Binding user approvals strictly to individual actions using one-time tokens and non-replayable flows to prevent re-use of consent.

What You Should Do

  • Update your “Claude in Chrome” extension: Ensure you are running version 1.0.70 or newer, although be aware of its limitations.
  • Review extension permissions: Periodically audit all browser extensions and remove any that are not essential or have excessive permissions.
  • Avoid “privileged” mode: Refrain from configuring the Claude extension to “Act without asking” (privileged mode) if possible, as this bypasses the partial patch.
  • Exercise caution with AI assistants: Be mindful of the data you share with AI tools, especially through browser extensions, and understand their potential access to your sensitive information.
  • Stay informed: Monitor official announcements from Anthropic and cybersecurity news for further updates on this vulnerability and its complete remediation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitPatchSecurityVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical PHP SOAP Vulnerabilities Let Attackers Run Remote Code

Next Post

Malicious PyPI Package Impersonates Mistral AI, Injects Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Microsoft Teams Blocks Uninvited Bots From Meetings
July 1, 2026
Anthropic Claude AI Reportedly Uses Hidden Code to Detect Chinese Users
July 1, 2026
US Eases Export Restrictions on Claude Fable 5 and Mythos 5 AI Models
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us