Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Security Flaw in Claude for Chrome Allows Unauthorized Access

Security Flaw in Claude for Chrome Allows Unauthorized Access

Posted on July 14, 2026 By CWS

Security researchers have discovered a vulnerability in the Claude for Chrome browser extension that allows rogue extensions to access Gmail, Google Docs, and Calendar without user consent. This flaw affects users who have enabled certain settings, potentially exposing sensitive information.

Extension Vulnerability Details

The core issue arises from the ability of other browser extensions to execute scripts on claude.ai, triggering tasks within Claude for Chrome. Despite measures taken by Anthropic to address the ClaudeBleed flaw, which restricted external prompts, the problem persists in the latest version, v1.0.80. This means that any extension capable of interacting with claude.ai can exploit this vulnerability.

In ‘ask before acting’ mode, users must approve tasks, but if ‘Act without asking’ is enabled, actions proceed without any prompts, heightening the risk of unauthorized access. Users are advised to disable ‘Act without asking’ and review permissions of extensions that can alter data on claude.ai to mitigate risks.

Mechanism of the Security Flaw

The vulnerability lies in how Claude for Chrome handles task triggers. A content script listens for clicks on specific elements and, if the task is one of the nine pre-approved ones, it sends a message to open a side panel with the task loaded. However, the script fails to verify if the click is genuine or script-generated, allowing synthetic clicks to be treated as legitimate.

Manifold Security demonstrated this exploit by crafting a code snippet that simulates a user click, which the extension erroneously accepts. This oversight can lead to unauthorized execution of tasks such as reading emails or accessing documents.

Implications and Recommendations

Anthropic has yet to release a patch to address this flaw, leaving users vulnerable to potential exploits. The company acknowledged the issue but has not indicated when a fix might be available. As of July 14, no CVE has been issued, and no formal advisory has been published by Anthropic.

For users concerned about the security of their data, disabling the ‘Act without asking’ feature and scrutinizing browser extensions with access to claude.ai is critical. Awareness and proactive management of permissions can help mitigate the risk until a permanent solution is implemented.

The ongoing vulnerability highlights the challenges in maintaining secure browser extensions, particularly when integrating with widely used services like Gmail and Google Docs. Users are encouraged to stay informed about updates and potential security advisories from credible sources.

The Hacker News Tags:Anthropic, browser extension, Chrome vulnerability, Claude for Chrome, ClaudeBleed, data protection, Gmail security, hacker news, Manifold Security, security flaw

Post navigation

Previous Post: Fortinet Addresses Vulnerabilities in Key Security Software
Next Post: Tego AI Exposes Potential Risks in Claude Tag Integration

Related Posts

OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws The Hacker News
Learn How Leading Security Teams Blend AI + Human Workflows (Free Webinar) Learn How Leading Security Teams Blend AI + Human Workflows (Free Webinar) The Hacker News
Malicious Nx Packages in ‘s1ngularity’ Attack Leaked 2,349 GitHub, Cloud, and AI Credentials Malicious Nx Packages in ‘s1ngularity’ Attack Leaked 2,349 GitHub, Cloud, and AI Credentials The Hacker News
Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations The Hacker News
Ex-Google Engineers Charged with Trade Secret Theft to Iran Ex-Google Engineers Charged with Trade Secret Theft to Iran The Hacker News
Grafana Suffers GitHub Token Breach, Faces Extortion Grafana Suffers GitHub Token Breach, Faces Extortion The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Hackers Use Fake OAuth IDs to Target Entra ID Users
  • Microsoft Addresses Record 622 Vulnerabilities, Including Two Critical Zero-Days
  • Tego AI Exposes Potential Risks in Claude Tag Integration
  • Security Flaw in Claude for Chrome Allows Unauthorized Access
  • Fortinet Addresses Vulnerabilities in Key Security Software

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Hackers Use Fake OAuth IDs to Target Entra ID Users
  • Microsoft Addresses Record 622 Vulnerabilities, Including Two Critical Zero-Days
  • Tego AI Exposes Potential Risks in Claude Tag Integration
  • Security Flaw in Claude for Chrome Allows Unauthorized Access
  • Fortinet Addresses Vulnerabilities in Key Security Software

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark