Critical Vulnerability in Claude Chrome Extension Exposes Gmail, Drive Data
Key Takeaways
- A critical vulnerability (CVE not yet assigned) in the “Claude in Chrome” extension allowed unauthorized access to sensitive user data.
- The flaw enabled attackers to hijack the AI assistant, potentially exposing Gmail messages, Google Drive documents, and GitHub repositories.
- The vulnerability stems from a trust boundary violation in how the extension accepts messages from the claude.ai web page that fronts the Claude LLM.
- Anthropic released a partial fix (version 1.0.70) on May 6, 2026, but researchers warn it is incomplete and can be bypassed.
A severe vulnerability has been discovered in the “Claude in Chrome” browser extension, exposing users’ confidential data across various Google services and GitHub. The flaw, detailed by security researchers at LayerX, transforms the seemingly innocuous, zero-permission AI assistant into a potent tool for data exfiltration.
This critical security oversight highlights the inherent risks when AI development prioritizes speed over robust security, potentially leaving user data vulnerable to exploitation through seemingly benign extensions.
Claude Extension’s Trust Boundary Flaw
The core of the vulnerability is a trust boundary violation in how the extension accepts messages from web pages. Its manifest uses the externally_connectable key to let pages on claude.ai (the web front end of the Claude Large Language Model, or LLM) send it messages via chrome.runtime.sendMessage, and its message handler treats anything arriving from that origin as the Claude web app itself.
That check looks only at the sender's origin (claude.ai) and cannot see which code actually sent the message. Chrome reports a script that another extension injected into the claude.ai page with the same origin as the page's own code, so any JavaScript running in that page, including scripts injected by other extensions that declare no permissions of their own, can issue privileged commands to Claude.
Nothing in Chrome's own security model is bypassed here: the browser enforces the origin rule exactly as written. It is the extension's decision to treat the whole origin as trusted that hands every script running in it the full capabilities of the AI assistant, and that lets an attacker direct Claude to perform actions it would otherwise refuse.
To demonstrate the exploit, researchers developed a minimal proof-of-concept extension that successfully circumvented Claude’s built-in safeguards using two distinct techniques:
- Approval Looping: Claude typically requires user confirmation for sensitive operations. Researchers discovered they could programmatically forge user consent by repeatedly sending “Yes, proceed” to satisfy state-based confirmation prompts, effectively automating approval for restricted actions.
- Perception Manipulation: Claude's decision-making is heavily influenced by the visible text and Document Object Model (DOM) structure of the page it is acting on. Attackers could rewrite UI semantics on the fly, for instance by relabeling a "Share" button as "Request feedback," so that the assistant carried out a restricted action while believing it was a benign one.
Once compromised, Claude acts as a “confused deputy,” performing unauthorized actions on behalf of the attacker. LayerX’s demonstration revealed that attackers could extract private GitHub source code, share restricted Google Drive documents with external parties, and summarize, forward, or delete a user’s recent Gmail messages. Importantly, these actions required no user interaction or complex exploit chains.
LayerX responsibly disclosed the vulnerability to Anthropic on April 27, 2026. In response, Anthropic released version 1.0.70 of the extension on May 6, 2026, which introduced explicit approval flows for standard browser actions.
However, researchers cautioned that this patch is incomplete. The fix primarily focuses on a UI-based permission layer rather than addressing the fundamental flaw in the underlying externally_connectable handler. If the extension operates in “privileged” mode (configured to “Act without asking”), the vulnerability remains fully exploitable. Furthermore, attackers can exploit the side-panel initialization flow to force a separate privileged-mode session, thereby bypassing the newly implemented security checks entirely.
To fully mitigate this trust model failure, LayerX recommends strict validation of external message senders instead of relying on UI-level confirmation prompts. Suggested architectural changes include:
- Implementing extension-to-page authentication tokens, such as cryptographically signed requests, to verify the sender's identity unequivocally.
- Restricting externally_connectable to specific, trusted extension IDs rather than broadly trusting origin URLs.
- Binding user approvals strictly to individual actions using one-time tokens and non-replayable flows, so that consent cannot be reused.
What You Should Do
- Update your “Claude in Chrome” extension: Ensure you are running version 1.0.70 or newer, although be aware of its limitations.
- Review extension permissions: Periodically audit all browser extensions and remove any that are not essential or have excessive permissions.
- Avoid “privileged” mode: Refrain from configuring the Claude extension to “Act without asking” (privileged mode) if possible, as this bypasses the partial patch.
- Exercise caution with AI assistants: Be mindful of the data you share with AI tools, especially through browser extensions, and understand their potential access to your sensitive information.
- Stay informed: Monitor official announcements from Anthropic and cybersecurity news for further updates on this vulnerability and its complete remediation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.